How do I maintain security employee training when faced with a tight budget?
Rad Jones, School of Criminal Justice, Michigan State Univ.; retired U.S. Secret Service; former security manager, Ford Motors.
Sometimes there are training resources available right inside a company. For example, most companies have a department dedicated to handling its insurance needs, which has parallels with risk assessment and asset protection. If you sit down with them you can learn an awful lot. The accounting department can talk about how to develop a budget. The company’s audit staff can be helpful related to asset protection and auditing the company’s security programs.
When training for emergencies, there are resources such as online programs available from FEMA (Federal Emergency Management Association). The information is not just directed to government, but is designed for the business world, too. The Department of Homeland Security has established professional security advisors within each state to help businesses conduct risk assessments and emergency preparedness and response. There are a lot of resources available in the community that tax dollars pay for, such as the public health and emergency management departments.
There are also online resources. Universities such as Michigan State offer information on emergency preparedness, Homeland Security, public/private partnerships, assessing threats and intelligence gathering.
Joe Nelson, former Teradyne CSO and Security Executive Council faculty and director of SEC Live
Difficult budget periods can challenge security leaders to reduce employee training as a simple means to reduce costs. This is unfortunate because these costs can be very productive in saving the company money through loss avoidance. My approach is to reduce — not eliminate — these expenses. I review the security training plan by ranking each activity against the company’s goals and risks.
Once this is completed, the options for delivering the “vital” security employee training can be evaluated. The options can be organized from “no cost” (such as authoring group e-mail messages) to low cost (example: bundling security training into existing compliance or ethics programs). Other methods include using existing in-house technology to make presentations in divisional and staff level business meetings.
By reducing costs, and maintaining security employee training, organizations receive direct support from their security leaders during lean budget times.
Roy B. Cohn, President, Cohn Creative Group
Security awareness training is an effective force multiplier. Even a small investment can yield positive results in reducing threats such as tailgating, social engineering, laptop theft and failure to secure confidential information. There are cost-effective methods to get the security message out. The key is to think of awareness training as an ongoing campaign rather than an isolated one-time event.
Support of top management can help. Periodic e-mails including visible endorsement from management can remind employees of their responsibility in maintaining security.
Off-the-shelf awareness videos from the Security Executive Council and other organizations are a great way to inoculate new employees and begin building a culture of security at the time of employee orientation.
Sponsoring a company-wide security awareness week can include lunch-and-learns, articles in the corporate newsletter, and the awarding of prizes for catchy slogans or other security competitions. Training should be relevant to the individual, with topics such as identity theft, risks of social networking and other hot security topics. Sharing news stories about high-profile security breaches at other companies can promote discussion about how they could have been prevented.
Kerry Nelson, Managing Director, SecureWorld Expo
Facing the economic downturn, many directors and executives confront this question daily. There are simply limits on the funds available for training and the associated traveling expenses. One solution is to redirect what training budget one has from national events to local regional training programs. Regional events can offer equal or better value than national events, without the high travel costs. They are often more focused than national events and can take an in-depth look at the issues and trends surrounding a local community.
In addition, local events limit the time out of the office and keep the security team available if they need to respond. Given that most local events are in some way underwritten by product vendors, you can get the training you and your staff need at a minimum of expense. In order to remain competitive and secure, companies must offer continued training opportunities to their employees, and regional events can provide an affordable solution.
Next Month’s Question: What are the characteristics for a good relationship between Corporate Security and Information Security?