CSO/Leadership

How to Foster A Safety Culture
Published 2018-10-01
https://sm.asisonline.org/Pages/How-to-Foster-A-Safety-Culture.aspx

While the events of September 11, 2001, are engrained in the hearts and minds of people around the world, many may not realize they were the impetus for one of the most wide-ranging security awareness programs ever to be implemented.

Coined by a Manhattan advertising executive, the phrase "See Something, Say Something" would become the tagline of a U.S. Department of Homeland Security awareness campaign. Through various program materials from the U.S. government, the campaign sought to empower everyday citizens to protect their neighbors and communities by recognizing and reporting suspicious behavior.

Today, See Something, Say Something is established throughout much of the United States and even other countries, revealing itself in virtually every public corner, from mass transit systems to sports stadiums.

Much like this campaign, corporate security officers should establish a security awareness program within their organizations as part of a holistic physical security model. These programs are designed to promote a secure work setting and protect the company's assets.

But whereas See Something, Say Something was born out of a national sense of purpose following a grave tragedy—ultimately garnering significant financial support and public enthusiasm—security executives who want to build a security awareness program must do so organically.

Building Blocks

The successful implementation of a security awareness program is, by nature, a complex process that encompasses many aspects of program development, collaboration, communications, and branding, all with the goal of instilling and sustaining a security consciousness within the organization.

So how do security leaders use company culture and existing security policies and procedures to organically develop a security awareness program? Examples of program models at General Motors Financial Company (GM Financial), ESPN, and Capital One, established with the help of the author, demonstrate the success of a corporate security awareness model through effective marketing and messaging, employee recognition, leveraging of partnerships, and buy-in from company executives.

Program scope. Clearly defining the scope and purpose of the security awareness program is the first step towards effectively shaping it. At GM Financial, this process began by promoting the concept that security is a shared responsibility, and that each team member, regardless of title or position, had an important role to play in keeping GM Financial facilities safe and secure.

The scope of the program—branded as "Ready.Set.Safe!"—sought to create a culture of awareness and preparedness that transcended the more common security concerns, and included several aspects of emergency preparedness—fire and life safety, active shooter awareness, severe weather response, and more—to drive both a heightened readiness for emergent events and a strong safety culture.

Communications and marketing. A successful messaging strategy for a security awareness program is essential, as is providing frequent campaign reminders for employees. This requires leveraging the expertise of the corporate communications and marketing group within the organization. These departments can lend invaluable support towards messaging development and branding components, and they can employ a variety of creative messaging tools to promote security awareness programming in a strategic and effective way.

At GM Financial, a variety of messaging platforms were developed that could be embedded into the natural flow of the employees' workday. This included use of the company intranet (articles, banners, and rotating message carousels); digital message display boards throughout employee work areas; static signage at facility entrances, cafeterias and high-traffic areas; and pop-up banners. Portable signs can also be deployed at company events, town halls, and other outside events.

Branded giveaway items with useful business applications, such as mousepads or pens, ensure that the Ready.Set.Safe! messaging is within view throughout the day. These giveaways have proven popular at HR fairs and other company events where corporate security representatives want to promote security awareness.

Employee Involvement

Raising security awareness among team members often requires a cultural shift in organizational thinking and employee behavior. An effective security awareness program must be supported by an equally effective company security model that team members are confident in.

This confidence must exist within all tiers of the organization—from the executive boardroom to the individual contributor level—for a true security culture to take root. At GM Financial, it is this alignment that enabled an effective and comprehensive security awareness program to become embedded within the organizational mindset.

New hires are exposed to the company's security and safety culture on their first day during orientation, as corporate security team members present an overview of the department's responsibilities and introduce new employees to the Ready.Set.Safe! program. The issuance of the employee photo ID/access badge during the onboarding process gives the corporate security team an additional opportunity to promote a safe facility culture by interfacing directly with the new hire.

A joint launch. At ESPN, a global multimedia sports entertainment programming company where the author served as director of facility security, a similar approach was used to develop and successfully launch its security awareness program, "Community Watch." This program, part of a larger enterprisewide security awareness effort by parent-organization The Walt Disney Company, is a successful example of a contemporary security awareness platform with clear value proposition throughout the organization. The company's security organization successfully partnered with its creative designers, corporate communications team, human resources, and other business units to develop a multifaceted security awareness program.

ESPN sponsored a "Security and Safety Awareness Day" at its headquarters campus, which featured public safety partners from law enforcement, fire, and paramedic agencies on hand to promote security and safety best practices. The annual event was attended by hundreds of company employees and received positive feedback.

The information promoted at this event—including fire safety, cybersecurity, severe weather safety, driving safety, and several other safety-related topics—could also be used by team members in their homes and personal environments.

Ease of reporting. When security incidents occur, or suspicious activity arises, it must be reported in a timely manner. Providing an easy means by which team members can communicate and report these threats and potential threats is essential. At GM Financial, the global security operations center (GSOC) serves as the central communications hub and primary reporting point for team member security concerns on a 24/7 basis.

Working with the telecommunications group, corporate security acquired a unique, easy-to-remember telephone number for employees to use to contact the GSOC. All employees can dial 4-GSOC from their desk phones for direct connection to a GSOC specialist from any U.S.-based GM Financial location. Employees are also encouraged to program the seven-digit GSOC telephone number into their personal phones to contact the GSOC directly, should the need arise, when they are in company parking areas or on company property.

Recognition programs. Acknowledging team members who help promote the security awareness program helps reinforce the importance of a security culture. At Capital One Financial Corporation (where the author served as director of regional security operations for the company's northeast U.S. and Canadian markets), the organization's "Be Safe" program formally recognized team members for their actions and reporting to help protect company assets. These team members were presented with a plaque by the regional director of security and their local business leadership team. The award presentations were published in an article on the company's intranet site, further demonstrating the value placed on workplace safety and security by the company.

One unique program component at ESPN featured an interactive sports-themed contest where employees demonstrated how well they knew their coworkers. Participation in the contest, which was possible via the company's intranet, required the employee to first review a security awareness message. Winners were selected monthly, presented with Community Watch branded giveaway items by the director of security, and featured in the following month's contest, posted as an article link on the company's intranet site.

Company initiatives. The growth and sustainability of any program relies upon leveraging existing security initiatives within the organization. At GM Financial, the corporate security organization also oversees the company's emergency response team. Approximately 900 team members from across the enterprise are trained to serve as volunteer first responders to medical and other workplace emergencies.

These dedicated team members are natural stakeholders of the security awareness program and demonstrate the company's commitment to employee safety. Their work aligns with the "Secure Facility" initiative, the most recently launched component of the Ready.Set.Safe! program.

GM Financial has certain security policies it has chosen to highlight with colorful posters. An anti-piggybacking initiative was established to ensure that unauthorized individuals do not follow employees into the workplace after they introduce their credentials at the door. A billboard-like poster that reminds team members of this campaign marks another example where effective communications strategies have been developed and employed.

Another component of GM Financial's security awareness program is the company's active shooter awareness training. Each year, all team members complete a structured learning module via the company's learning management platform. The module includes a video that presents options for consideration during an active shooter event, as well as a knowledge assessment. The learning module is supplemented by awareness messaging material, displayed in common areas such as employee break rooms, and a virtual quick reference guide. Tabletop exercises and train-the-trainer sessions for emergency preparedness coordinators have also been developed. These sessions include awareness tips on how to recognize and report potential workplace violence situations.

Cultural differences. While there are best practices that should be considered when implementing a security awareness program, each company has a unique organizational culture and operating environments that play a central role in determining how the program can be effectively established. Corporations that operate internationally can be presented with additional cultural factors that should be thoughtfully considered before implementing a security awareness program in these environments.

For example, some countries may experience low crime rates within their societies and may view security awareness programming as unnecessary, while others may view the reporting of suspicious behavior to be socially improper for their culture, akin to snitching. It is important that senior security executives understand and appreciate cultural differences, and that proposed security awareness programming is discussed with business leadership in these operating environments.

When developing messaging materials and translating them, language differences should be considered. Use of phrases that are common or well understood in one language may translate awkwardly into another language, causing confusion or alarm. The company's communications group can help to ensure that messaging is culturally appropriate in its translated form.

Holistic model. Creating and implementing an effective security awareness program in a large corporation requires a holistic approach that must complement the company's security model and align with the company's culture. Colorful posters and creative messaging materials will do little to engender security awareness if they are not supported by the security organization's ability to respond to and address security concerns in a professional, timely, effective manner. The security organization must enjoy the confidence of employees at all levels to ensure that the awareness program achieves credibility and its intended purpose.

Examples of how such programs at GM Financial, ESPN, and Capital One were successfully implemented show that the model works across various types of enterprises. Obtaining executive support and partnership with key business stakeholders will help achieve buy-in for the programming. Creativity should be added into awareness efforts, and the security culture must be engaging for team members, because most will want to participate in an environment that is both enjoyable and purposeful. Fostering an environment where the concept of security is viewed as a shared responsibility is central to achieving the cultural shift, one in which employees view themselves as owners and stakeholders in the security program.

David Aflalo, CPP, is senior vice president of corporate security for GM Financial. He is a member of the ASIS CSO Center for Leadership and Development, where he chaired the Center's mentoring committee. He also serves on the ASIS Banking and Financial Services Council, and is a member of the International Security Management Association (ISMA).

Five Insights on ESRM
https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx

There are five overall concepts that provide guidance about the nature of enterprise security risk management (ESRM). These concepts describe what ESRM is, what it can do for security managers, how security can gain C-suite approval for it, and how to implement a vibrant ESRM program for the enterprise.

ESRM Is a Philosophy

ESRM is not a standard, nor is it a rigid set of rules to follow. ESRM is a philosophy of managing security. It is based on standard risk management practices, the same ones that guide most of the other business decisions made by the enterprise. It requires partnership with the business leaders in the organization.

This philosophy gives the security leader the ability to manage security risks. This ability is not based on the latest incident or scare in the news, nor is it based simply on the manager’s own ideas of what is most important to protect. Instead, it is based on a shared understanding of what the business deems critical for risk mitigation, and what level of risk the business is willing to accept in different areas. This ability also requires that the business fully understand why the security risk mitigation tactics have been put in place, and what the impact of not having those mitigations might be.

The emphasis here is on business. ESRM philosophy recognizes that security risk does not belong to security. It is a business risk, like any other financial, operational, or regulatory risk, and final decisions on managing that risk must belong to the business leaders. That shift in understanding sets a security program up for a greater level of success because security leaders are delivering only what the business needs, and, more important, what the C-suite understands that it needs.

ESRM Is a Process

ESRM is not merely an academic philosophy. A general approach for setting up and running a security program can be derived from it. Under that approach, ESRM in action is a cyclical program, and the cycle of risk management is ongoing:

1. Identify and prioritize the assets of an organization that need to be protected.

2. Identify and prioritize the security threats that the enterprise and its assets face—both existing and emerging—and the risks associated with those threats.

3. Take the necessary, appropriate, and realistic steps to protect and mitigate the most serious security threats and risks.

4. Conduct incident monitoring, incident response, and post-incident review, and apply the lessons learned to advance the program.

ESRM Aligns with the Business

Aligning the security program with business requirements is the most critical component of the ESRM philosophy. This means that the security program must receive governance and guidance from the business. We recommend the formation of a security council to ensure this alignment.

There are several ways to implement a council. It could be a loose, informal group that provides input as needed, or it could be a board-level initiative that has formal roles, meetings, charters, and documented responsibilities for ensuring security compliance. The council can be a venue for discussing security topics and risk management strategies, and it can host resolution attempts for conflicts in the process.

ESRM Covers All Security

There is no aspect of security that cannot be managed in alignment with the ESRM philosophy. Many security professionals already practice much of the ESRM philosophy without thinking of it that way. For example, performing a physical security risk assessment on a facility is equivalent to the ESRM steps of identifying and prioritizing assets and risk. And setting up a crisis management plan can be considered an aspect of ESRM risk mitigation, as well as incident response.

The critical difference between programs that do these activities as part of a traditional security program versus an ESRM program is the consistency of approach in ESRM. In ESRM, these activities are not performed on an ad hoc basis but consistently across all areas of security risk. They are not applied to one area of the organization and not to another. And, vitally, they are not performed in a vacuum by security and for security, but in full partnership with the business leaders driving the decision making process for all risk mitigation.

ESRM Is Possible

Implementing ESRM cannot be done overnight. It’s an iterative process that allows your security program to evolve over time into a pure risk management approach. For the security manager, the first step to fully understanding the ESRM philosophy is to communicate it to the executives and business leaders in the enterprise.

When implemented thoughtfully and practiced consistently, ESRM can completely change the view of the security function in any organization. The old view of security as “the department of no” will shift when business leaders understand that security is a partner in ensuring that the assets and functions of the enterprise most critical to the business are protected in accordance with exactly how much risk the business is willing to tolerate.

Rachelle Loyear is ESRM Program Manager for G4S and chair of the ASIS Crime Management and Business Continuity Council. Brian J. Allen, Esq., CPP, is a member of the ASIS ESRM Commission. Allen and Loyear are coauthors of The Manager's Guide to Enterprise Security Risk Management and the forthcoming book Enterprise Security Risk Management: Concepts and Applications.