Challenge
Our client, a leading fashion retailer, was aware that the organization was at risk and that its employees and contractors needed to improve their general security practices. With threat data from the Incident Management team in hand, and to satisfy auditing requirements, the Governance and Compliance (G&C) team was tasked with developing a company-wide Security Awareness training program.
If successful, the program would raise awareness of the critical nature of solid security practices, deliver clear guidance on how to implement these practices, and provide the ability to scale to the large global employee and contractor base. A successful program would report a 90+% completion rate, as well as an increase in potential threats reported to the Incident Management team, with fewer threats introduced by employee actions.
Approach
Kalles Group (KG) was brought in to partner with the G&C team to build the solution. Without an existing security training program in place, the team would need to start from the ground up by conducting analysis, presenting options to management, receiving approval, and then building the solution.
To begin, the team reached out in key areas such as Incident Management and various IT groups to uncover current threats and practices, as well as identify and prioritize the core group of security tasks and best practices all employees and contractors would need to know about and implement.
It became clear early on that developing the training program in-house would be both costly and time-consuming, and the level of expertise required would lengthen the project. Therefore, the decision was made to take advantage of existing resources and to outsource the delivery aspect of the project to a qualified third party. RFPs (requests for proposals) were sent out to qualified providers, and the team conducted careful analysis to identify a core set of eligible programs, which were presented to key stakeholders for selection.
Solution
A Security Awareness training program was packaged and presented to management for review and approval. The program would take a multi-pronged approach:
- 20 minutes of required Security Awareness training provided online each quarter, four times a year
- Skills and information would be supplemented with posters in every building in high-traffic areas such as elevators, cafeterias, and lobbies
- The company Intranet site would also reinforce the content with scrolling tips and articles that would be refreshed at various intervals
- Monthly brown bag presentations would be held with industry security experts on various security topics
- Security podcasts would be developed in-house to further support ongoing learning and retention
Results
Initially, the Security Awareness training program was rolled out to the Technology, Human Resources and Finance groups. The following month it was expanded to all corporate employees, and finally, to retail stores.
The program was delivered on time and within budget. The organization was able to show auditors and assessors that a consistent and ongoing training program that raised awareness of security best practices was in place and required for all employees and contractors. In addition to satisfying auditing requirements, measures were put into place to track employee and contractor attendance, potential threat reports, and the number and type of recorded incidents.
The G&C and Kalles Group team partnered to build an effective long-term training solution which would help to reduce security risks and threats to the organization going forward.
As employees share the value of the training they have received, training attendance has increased by more than 50% and fewer courses have been cancelled due to low attendance.