Organisations have a duty of care to protect their employees wherever they work. But in the increasingly complex world that we all live in, the ability to deliver a risk-commensurate and cost-efficient security programme that adds real value to a business is extremely challenging, according to IFSEC International 2016 speaker Frank Cannon. He will be speaking on developing an employee security awareness programme in the Security Management Theatre at IFSEC International in London on 23 June.
Benefits and challenges of security awareness programmes
SourceSecurity.com: In what ways does a good employee security awareness programme add value to a business?
Cannon: Simply put, it increases the number of people within an organisation who behave appropriately to safeguard the workforce and protect its property. Through enhanced vigilance and informed awareness, the employees identify and report suspicious conditions or people at the earliest opportunity, so triggering a proportionate response by others. This early notification helps to minimise the negative consequence of crime and thus saves money.
SourceSecurity.com: Why is implementing an employee security awareness programme such a challenge?
"The location, audience, time available and importance of the security message often dictate how and when the security awareness programme is delivered"
Cannon: To be effective, a security awareness programme must have the support of senior executives and then resonate with the workforce. It is necessary to identify a series of key security messages that are consistent with the security risks, but that also echo the organisation’s beliefs and vision statement. The pitch, tone and proportionality of the security message must complement the day-to-day working culture of the target audience.
There is no one-size-fits-all programme that can be used to create a security culture, but more there’s a need for a cognitive process that requires an informed approach to harness the views of numerous stakeholders. Once initiated, the programme must adapt to the changing work environment and security risks. The challenge is convincing leaders to invest funds based on the likelihood that an undesirable event will have a negative impact on the business and/or convincing the workforce to change their behaviours to minimise the impact of such events.
Logistics of security awareness training
SourceSecurity.com: If all employees are effectively part of the wider security team, how do you distinguish between their roles and those of security professionals?
Cannon: A “team” is a group of people with a common purpose; in this instance, the purpose is to safeguard all those within the team and to protect the property they use or own. Communication is the essence of good teamwork and by encouraging each and every member of the team to observe, listen and communicate, it allows others to take appropriate action to address any fears or concerns. Non-security professional members of staff become the “alarm” or information gatherers, leaving the security practitioners to respond or analyse and plan.
SourceSecurity.com: What does a security awareness training programme look like?
Cannon: My belief is that “training” is a process to develop skills or practical ability, whereas “education” is the giving and receiving of knowledge or theoretical competence. A security awareness programme is an educational process to help employees observe events or people through a “security lens” and help them recognise an abnormal situation that may place people or property at risk.
Initial inductions, promotional courses, trade training, team meetings, periodical workshops and quarterly town halls all provide good platforms to engage workforces
SourceSecurity.com: What are the main elements of such a programme?
Cannon: Prior to the development of a security awareness programme, the security threats and associated risks against the organisation, its workforce or its assets require assessment. You then have to create an integrated security programme with a proportionate blend of physical, technical and procedural elements. The security procedures set out behavioural expectations for employees, so that a pre-determined outcome is achieved. Only then can an employee awareness programme be developed to communicate with the workforce.
A programme consists of numerous methods (or tools) to communicate security expectations to active participants. These consist of key messages, each of which amplifies specific issues that, when put together, help to create a security culture. This isn’t a tangible asset or outcome but more a way routine business is carried out. Key messages are developed with the support of stakeholders and should complement an organisation’s culture, beliefs and operating processes.
SourceSecurity.com: What format does the training take (classroom/online/reminders/refreshers etc.)?
Cannon: Security education is a continually evolving process that takes advantage of opportunities as they appear. Initial induction, promotional courses, trade training, team meetings, periodical workshops and quarterly town halls all provide good platforms to engage the workforce.
"By encouraging each and every member of the team to observe, listen and communicate, it allows others to take appropriate action to address any fears or concerns"
The location, audience, time available and importance of the security message often dictate how and when the security awareness programme is delivered.
This can range from regular (3 to 5 minute) “security moments” at the start of routine meetings, to a full day workshop involving larger audiences. A tradesperson with little access to a computer may benefit from a “toolbox talk” at the start of the day, whereas an office worker may learn more through an online e-package. For those with time – or for the more important security risks – a workshop or standalone meeting may be the most appropriate forum. Alternatively, a well-designed poster may successfully convey the simpler messages.
The critical element of a security awareness programme is that the message being communicated must be relevant, important and personal to each person. He or she must identify with the message and understand a personal benefit for changing an otherwise acceptable behaviour to help increase the levels of protection for themselves, their colleagues or the property they are responsible for.
Effective physical and cyber security awareness
SourceSecurity.com: Does the security awareness programme include information security as well as conventional physical security?
Cannon: If the organisation, its management or the security risk assessment identifies a cyber risk that requires employees to behave in a specific way, then information security can be included in the programme. Anything that adds to the protection of personnel or assets can be included, including health and safety, environmental or community interaction.
SourceSecurity.com: How can you measure the effectiveness of such a programme?
Cannon: This is challenging and is often why organisations tend not to invest in security awareness programmes. I often say that the success of my programme is when I have leaders or supervisors discussing personal safety or asset protection as part of routine business.
An organisation with an effective programme (or security culture) has security as part of its operational planning process, listed within job descriptions and part of its meeting agenda items. Success is when employees are routinely reporting suspicious people or events, where employees are willing to participate in workshops or practice drills, where they change their behaviours based on advice received and where they seek out security awareness materials for use within their own teams. The ultimate goal is to have an incident- and injury-free working environment so that the incident statistics support a downwards trend. The security risk level can change overnight, however, so incident trends are not always a true reflection on the success of a security awareness programme.