Security training programs that work
While security departments in corporations and institutions are largely focused on day-to-day operations, managing risks, and securing personnel and assets, a crucial function of these business units is to ensure that the rest of the organization takes safety and security as seriously as they do.
Experts believe that training for non-security staff, as well as the promotion of a strong security culture, are both a must for any organization that is committed to the safety of its people and assets.
Crafting the message
Brian Claman, managing partner for Brian Claman & Associates, a security consultancy and managed services firm, says security training can be broken down into two categories: awareness training that drives culture and technical training.
Claman says, “A client wants us to give training on what kinds of emergencies can occur in a commercial office space, such as bomb threats, water leaks, protests. But they have no program. So we decide to create awareness training of the things they have to think about. Let them paint a picture in their mind what the threats look like so they can self-assess their ability to deal with it.”
Brendan Monahan is an associate director with Novartis Pharmaceuticals in charge of business continuity and crisis management and chair of the ASIS International Crisis Management and Business Continuity Council. He says, when it comes to delivering training, he has had success with in-person briefings and lectures, as well as short “TED Talk” style video presentations because they are concise and casual in tone.
Monahan says, “I like to start usually with a storytelling approach, give people a baseline that anyone can connect with, rather than diving into anything that’s scary, fear-inducing or anything like that. I prefer to start with something allegorical to get people on the same page. And that connects people to the message you’re trying to tell.”
He explains that many employees may find subject matter like active shooters and workplace violence scary or upsetting, so it’s important to tread lightly with those topics. “Maybe the most important thing for us to remember, as security professionals, is what we do is kind of specialized, and most people don’t do it every day, so we really have to meet people where they are on these topics.”
Monahan also says that when delivering in-person training, it’s helpful to encourage participants to offer their own experiences with the subject matter. That way, “you’re not alone in front of a room, presenting yourself as the only authority on the subject.” He continues, “Especially questions like active shooter training, people have experience of some kind with it, whether it’s a training they had at a previous job that worked or didn’t, whether it’s something they went through themselves or a friend of theirs did.”
Carmela Demkiw, senior director, corporate security services for Rogers Communications, says the key to crafting a strong training program is to make it collaborative and stress accountability. “It has to be that employees understand it’s their business. So that’s the premise we start with: it’s not our job, it’s everybody’s job.”
Demkiw explains that the largest portion of security training at Rogers is dedicated to the retail side of the telco’s operations. “We have things like robbery prevention, opening and closing procedures, situational awareness and conflict resolution.” She says retail employees are also taught strategies for fraud prevention and spotting counterfeit money.
Beyond retail, Demkiw says, “We’ve also just launched an emergency preparedness program that we’ve worked on with our health and safety team, and that’s for all employees across the organization.”
Demkiw says her team also provides toolkits with safety and security information to managers, that “they can discuss in their monthly meetings or team huddles.”
Robert Kilfoyle, director of public safety and emergency management for Toronto’s Humber College, says for college employees, training revolves around conflict, de-escalation and dealing with difficult students, along with more general awareness of emergency preparedness. “We talk about fire alarms and what to do in those types of incidents, active attacker, lockdown and that sort of thing. We’re just transitioning now over to the Run, Hide, Defend model of active attacker response.” He says the plan is to roll out a formal active attacker training program, likely in the spring.
Kilfoyle says his department gets its message across both by attending employee orientations and department meetings, and by posting through an internal web portal for employees. “We often will send out notices or reminders through that.”
Rogers also relies heavily on an internal intranet for mandatory, yearly training, according to Demkiw. “We make sure that any new policies or changes to existing policies are posted on there.” She explains that her department also uses community boards specific to certain company sites to inform people working at those offices of specific concerns. “Whether it’s a parking concern or it’s a tailgating concern, then we make sure that we address that on that community’s board, and they understand, ‘we need to work on this.’”
Keeping staff engaged
Claman says building a security training program and introducing employees to concepts is just the beginning. Teams need to keep staff engaged. “Employees notice when the training is getting stale.”
Claman says a web portal with fresh content can hold employees’ attention, explaining that departments should post security incidents and how they’re dealt with to make the teaching process feel more real and less theoretical. However, the content needs to be consistently updated. This approach applies to in-person training as well, according to Claman. “Talk about actual incidents that have occurred, so employees know what works and what doesn’t for solutions… The training has to be exciting, sexy and relevant to their world.”
Monahan says switching up the delivery of training can be helpful. “Whether it’s incorporating multi-media or gamifying the training, so people have to engage with a video and maybe click on things to expose new content.”
Demkiw says it can be very difficult to keep training interesting. “It’s not a one-time process you put in place. We’re constantly looking for new ways to add training, new ideas that would make it engaging for the employees.” Beyond introducing new concepts, Demkiw says one surefire way to grab employee attention is with prizes. “When we do a lobby launch we always have swag to give away because that makes a difference, it makes people come and listen and hear what you have to say.”
Monahan says whatever method teams use to keep training engaging, it’s important to get feedback and listen to how people are responding to it. “So often we become prescriptive, and we’re not responding to what people are telling us about how they’re internalizing these messages.”
Getting buy-in, showing value
Monahan says, regardless of what your training looks like, getting buy-in from senior leadership and other departments is crucial to any program’s success. “To the extent possible, have them model it for people.”
Monahan also notes that corporate communications is a strong ally that can help get leadership, other departments and everyone else in the organization on the same page. “I like to sit side-by-side with communications and have those people understand what security’s priorities are and reach out to them regularly for help crafting messages and delivering messages. Corporate communications is your friend.”
Demkiw agrees that forming relationships with corporate communications and human resources is key to ensuring security’s message resonates with the rest of the organization. With human resources specifically, “unless you have buy-in from them to help you deliver your message, you’re not going to get anywhere.”
When it comes to the actual message that security is transmitting to the rest of the organization, Monahan says linking it to broader company strategy is helpful. “Every company has a set of corporate values, and it’s more and more popular to drive those messages down to the frontlines of management to make sure we’re synced up with company strategy and that what we’re doing is fully aligned across business units and across leadership levels.”
Demkiw says to get buy-in from other departments, “we want to be able to be seen as helping them deliver their programs. We want to be a business enabler. We don’t want to say no all the time or tell them they can’t do something and that way they know they can come to us when there actually is a problem because we’re making compromises with them and working with them.”
Monahan agrees that security needs to position itself as a positive entity within an organization. “When you’re crafting the message, avoid the themes of fear, uncertainty and doubt. Take a more modern view that we’re partners in the business and the businesses are our clients. We’re going to make this work for you and not the other way around.”
Claman says to win over other departments and leadership, quantifiable metrics that show the value of security training programs are critical. “Identify the threats and risks, quantify the risks, and report on them… You can say employees are safer, but how do you know that? How do you measure that?” He explains that a measurable benefit like a reduction in thefts can help show that a security program is working. “It’s got to be a measure that’s defensible to the company’s CFO.”
Humber’s Kilfoyle says his department tracks the success of their program by measuring calls to service. “As people become more aware of our services, people will use them more.”
To measure the effectiveness of training at Rogers, Demkiw says, “We have weekly updates on the percentage of employees that take our training.”
While metrics can provide a business case for security programs, Monahan says one of the most powerful ways to persuade senior leaders of their importance is to put them through decision-making exercises.
“Take a business through an exercise where they have to make decisions and respond to a notional incident, like a crisis management exercise… When you put a leader in a position where they have to pretend to make decisions they never want to make, it becomes real and it helps them separate the theory from the practice,” he says.