To demonstrate how to overcome these challenges and implement cybersecurity initiatives to a global audience, David Hansen from Brookfield Renewable and Dan Teitsma of Amway participated in the Collaboration and Cultural Relevance: Taking Security Awareness Global panel discussion at Infosec Inspire Cyber Skills Summit. Here are some of the key takeaways and lessons learned these security professionals pass on to their peers facing similar hurdles to make their security training programs culturally relevant for employees worldwide.
Tailoring security awareness for a geographically diverse organization
Both Teitsma and Hansen help to manage cybersecurity awareness programs for stakeholders around the world who live and work in countries that speak different languages and with different work and learning styles. To accomplish their learning objectives, both have to take these differences into account when designing and delivering their programs. For Teitsma, Amway organizes training programs and exercises out of the corporate headquarters, but then works with their 11 operating zones to customize the training to work more effectively within the local environment, including Asia, Latin America and Europe. Training programs are then translated and screened to be more regionalized so they fit better with local norms. For Hansen and Brookfield Renewable, the approach is similar, but implemented in a slightly different fashion. “We have a combination approach. We’re centralized in the sense that we have a 12-member awareness team of individuals from eight different locations globally. That team works together to make content decisions for our new hires and our global mandatory training programs.” The centralized team makes common goals and overall training topics, but then each region makes their own training materials. There are then a combination of regional and global training facilitators delivering and supporting the program in implementation. This way, each location can adapt it to their own audiences in their region.
Finding the balance between global standards and local relevance
Taking it one step further, practitioners in a global environment also need to find a balance between corporate standards and best practices and local relevance. For Hansen, this means again taking advantage of focus groups made up of regional participants to talk through the different types of learning content and delivery methods. In this way, Hansen’s team finds out what they like, what they don’t like, what works well for them or what doesn’t work as well. “Some of that seems to be aligned with cultural differences based on location. But, primarily, it seems to be related to individual differences and learning styles and content preferences,” noted Hansen. “So, it really just reinforces that we need to offer training content over a two- to three-year period, but provide variation in the content, format and delivery. That way it resonates with people in a different way or with people with different learning styles.” The experience with Teitsma’s team is similar, but he adds they also try to take local events and holidays into account when scheduling training and phishing exercises. For example, during the November and December period, their phishing campaigns will take on the form of delivery notices or free holiday-themed trials. For Teitsma, “it’s really what sort of bait you’re going to dangle in front of them to elicit different responses.”
Tools and relationships that enable global training programs
Teitsma and Hansen also shared which tools their organizations use to help create and deliver their security awareness programs. As mentioned before, Hansen’s team pairs their Infosec IQ learning platform with their own training, reaching about 20,000 stakeholders. “This allows us to automate the new employee training with recurring monthly campaigns that automatically kick off each month, including new learners added since the previous month. This also provides the ability to create a training course, create a group and then schedule a campaign to automatically send notifications, track completion and have easy reporting as well.” Both Hansen and Teitsma also work with their internal functional counterparts to combine training or shape the content. This includes partnering with human resources, legal and communications teams to handle joint compliance topics, get support with marketing or tailor programs for specific job-based audiences. This helps both organizations get the executive leadership support at the global and regional levels to encourage everyone to complete the training.
Key take-aways
In wrapping up the session, the two panelists shared their key takeaways for the audience when it comes to implementing and delivering their own security programs on a global scale. For Hansen, it is all about making sure the objectives of your programs and your training are very clear to the stakeholders. This is especially important when your program spans multiple countries and languages. It takes resources to conduct this local customization, but, according to Hansen, “If you don’t train people, they’re not able to recognize risk and you’re always going to have that vulnerability to your business continuity.” As for Teitsma, he recommends making sure that your program has a baseline level of knowledge that every employee needs to meet — no matter their tenure or employment status. With this in place, you can then use it as a way to track performance and ensure that everyone is getting that common baseline from which to grow upon. From there, “you can expand on the topics and make the training be more relevant to the people in that location or job role.” Ultimately, delivering and managing a cybersecurity program on a global scale is all about finding the right balance for your organization, your mission, stakeholders and risk profile. A dance that will be unique for every company and even every region. To rewatch the entire session, you can visit the recording of the panel here.