SHRM has partnered with Security Management magazine to bring you relevant articles on key HR topics and strategies.
While the events of September 11, 2001, are engrained in the hearts and minds of people around the world, many may not realize they were the impetus for one of the most wide-ranging security awareness programs ever to be implemented.
Coined by a Manhattan advertising executive, the phrase "See Something, Say Something" would become the tagline of a U.S. Department of Homeland Security awareness campaign. Through various program materials from the U.S. government, the campaign sought to empower everyday citizens to protect their neighbors and communities by recognizing and reporting suspicious behavior.
Today, See Something, Say Something is established throughout much of the United States and even other countries, revealing itself in virtually every public corner, from mass transit systems to sports stadiums.
Much like this campaign, HR professionals should collaborate with their facilities and security departments to establish a security awareness program within their organizations as part of a holistic physical security model. These programs are designed to promote a secure work setting and protect the company's assets.
But whereas See Something, Say Something was born out of a national sense of purpose following a grave tragedy—ultimately garnering significant financial support and public enthusiasm—HR professionals who want to build a security awareness program must do so organically.
Building Blocks
The successful implementation of a security awareness program is, by nature, a complex process that encompasses many aspects of program development, collaboration, communications and branding, all with the goal of instilling and sustaining a security consciousness within the organization.
So how do you use company culture and existing security policies and procedures to organically develop a security awareness program? Examples of program models at General Motors Financial, ESPN and Capital One, established with the help of the author, demonstrate the success of a corporate security awareness model through effective marketing and messaging, employee recognition, leveraging of partnerships, and buy-in from company executives.
Program scope. Clearly defining the scope and purpose of the security awareness program is the first step towards effectively shaping it. At GM Financial, this process began by promoting the concept that security is a shared responsibility, and that each team member, regardless of title or position, had an important role to play in keeping GM Financial facilities safe and secure.
The scope of the program—branded as "Ready.Set.Safe!"—sought to create a culture of awareness and preparedness that transcended the more common security concerns, and included several aspects of emergency preparedness—fire and life safety, active shooter awareness, severe weather response and more—to drive both a heightened readiness for emergent events and a strong safety culture.
Communications and marketing. A successful messaging strategy for a security awareness program is essential, as is providing frequent campaign reminders for employees. This requires leveraging the expertise of the corporate communications and marketing group within the organization. These departments can lend invaluable support towards messaging development and branding components, and they can employ a variety of creative messaging tools to promote security awareness programming in a strategic and effective way.
At GM Financial, a variety of messaging platforms were developed that could be embedded into the natural flow of the employees' workday. This included use of the company intranet (articles, banners and rotating message carousels); digital message display boards throughout employee work areas; static signage at facility entrances, cafeterias and high-traffic areas; and pop-up banners. Portable signs can also be deployed at company events, town halls and other outside events.
Branded giveaway items with useful business applications, such as mousepads or pens, ensure that the Ready.Set.Safe! messaging is within view throughout the day. These giveaways have proven popular at employee wellness fairs and other company events where HR wants to promote security awareness.
Employee Involvement
Raising security awareness among team members often requires a cultural shift in organizational thinking and employee behavior. An effective security awareness program must be supported by an equally effective company security model that team members are confident in.
This confidence must exist within all tiers of the organization—from the executive boardroom to the individual contributor level—for a true security culture to take root. At GM Financial, it is this alignment that enabled an effective and comprehensive security awareness program to become embedded within the organizational mindset.
New hires are exposed to the company's security and safety culture on their first day during orientation, as they are introduced to the Ready.Set.Safe! program. The issuance of the employee photo ID/access badge during the onboarding process gives the corporate security team an additional opportunity to promote a safe facility culture by interfacing directly with the new hire.
A joint launch. At ESPN, a global multimedia sports entertainment programming company where the author served as director of facility security, a similar approach was used to develop and successfully launch its security awareness program, "Community Watch." This program, part of a larger enterprise-wide security awareness effort by parent-organization The Walt Disney Company, is a successful example of a contemporary security awareness platform with clear value proposition throughout the organization. The company's security organization successfully partnered with creative designers, the corporate communications team, human resources and other business units to develop a multifaceted security awareness program.
ESPN sponsored a "Security and Safety Awareness Day" at its headquarters campus, which featured public safety partners from law enforcement, fire and paramedic agencies on hand to promote security and safety best practices. The annual event was attended by hundreds of company employees and received positive feedback.
The information promoted at this event—including fire safety, cybersecurity, severe weather safety, driving safety and several other safety-related topics—could also be used by team members in their homes and personal environments.
Ease of reporting. When security incidents occur, or suspicious activity arises, it must be reported in a timely manner. Providing an easy means by which team members can communicate and report these threats and potential threats is essential. At GM Financial, the global security operations center (GSOC) serves as the central communications hub and primary reporting point for team member security concerns on a 24/7 basis. Working with the telecommunications group, corporate security acquired a unique, easy-to-remember telephone number for employees to use to contact the GSOC. All employees can dial 4-GSOC from their desk phones for direct connection to a GSOC specialist from any U.S.-based GM Financial location. Employees are also encouraged to program the seven-digit GSOC telephone number into their personal phones to contact the GSOC directly, should the need arise, when they are in company parking areas or on company property.
Recognition programs. Acknowledging team members who help promote the security awareness program helps reinforce the importance of a security culture. At Capital One Financial Corp. (where the author served as director of regional security operations for the company's northeast U.S. and Canadian markets), the organization's "Be Safe" program formally recognized team members for their actions and reporting to help protect company assets. These team members were presented with a plaque by the regional director of security and their local business leadership team. The award presentations were published in an article on the company's intranet site, further demonstrating the value placed on workplace safety and security by the company.
One unique program component at ESPN featured an interactive sports-themed contest where employees demonstrated how well they knew their coworkers. Participation in the contest, which was possible via the company's intranet, required the employee to first review a security awareness message. Winners were selected monthly, presented with Community Watch branded giveaway items by the director of security, and featured in the following month's contest, posted as an article link on the company's intranet site.
Company initiatives. The growth and sustainability of any program relies upon leveraging existing security initiatives within the organization. At GM Financial, the corporate security organization also oversees the company's emergency response team. Approximately 900 team members from across the enterprise are trained to serve as volunteer first responders to medical and other workplace emergencies.
These dedicated team members are natural stakeholders of the security awareness program and demonstrate the company's commitment to employee safety. Their work aligns with the "Secure Facility" initiative, the most recently launched component of the Ready.Set.Safe! program.
GM Financial has certain security policies it has chosen to highlight with colorful posters. An anti-piggybacking initiative was established to ensure that unauthorized individuals do not follow employees into the workplace after they introduce their credentials at the door. A billboard-like poster that reminds team members of this campaign marks another examp le where effective communications strategies have been developed and employed.
Another component of GM Financial's security awareness program is the company's active shooter awareness training. Each year, all team members complete a structured learning module via the company's learning management platform. The module includes a video that presents options for consideration during an active shooter event, as well as a knowledge assessment. The learning module is supplemented by awareness messaging material, displayed in common areas such as employee break rooms, and a virtual quick reference guide. Tabletop exercises and train-the-trainer sessions for emergency preparedness coordinators have also been developed. These sessions include awareness tips on how to recognize and report potential workplace violence situations.
Cultural differences. While there are best practices that should be considered when implementing a security awareness program, each company has a unique organizational culture and operating environments that play a central role in determining how the program can be effectively established. Corporations that operate internationally can be presented with additional cultural factors that should be thoughtfully considered before implementing a security awareness program in these environments.
For example, some countries may experience low crime rates within their societies and may view security awareness programming as unnecessary, while others may view the reporting of suspicious behavior to be socially improper for their culture, akin to snitching. It is important that HR and security executives understand and appreciate cultural differences, and that proposed security awareness programming is discussed with business leadership in these operating environments.
When developing messaging materials and translating them, language differences should be considered. Use of phrases that are common or well understood in one language may translate awkwardly into another language, causing confusion or alarm. The company's communications group can help to ensure that messaging is culturally appropriate in its translated form.
Holistic model. Creating and implementing an effective security awareness program in a large corporation requires a holistic approach that must complement the company's security model and align with the company's culture. Colorful posters and creative messaging materials will do little to engender security awareness if they are not supported by the security organization's ability to respond to and address security concerns in a professional, timely, effective manner. The security organization must enjoy the confidence of employees at all levels to ensure that the awareness program achieves credibility and its intended purpose.
Examples of how such programs at GM Financial, ESPN, and Capital One were successfully implemented show that the model works across various types of enterprises. Obtaining executive support and partnership with key business stakeholders will help achieve buy-in for the programming. Creativity should be added into awareness efforts, and the security culture must be engaging for team members, because most will want to participate in an environment that is both enjoyable and purposeful. Fostering an environment where the concept of security is viewed as a shared responsibility is central to achieving the cultural shift, one in which employees view themselves as owners and stakeholders in the security program.
David Aflalo, CPP, is senior vice president of corporate security for GM Financial. He is a member of the ASIS CSO Center for Leadership and Development, where he chaired the Center's mentoring committee. He also serves on the ASIS Banking and Financial Services Council, and is a member of the International Security Management Association (ISMA).
This article is adapted from Security Management magazine with permission from ASIS © 2019. All rights reserved.
An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.