How To
Security Awareness Programs: Now Hear This!
Awareness programs are the cheapest way to prevent costly problems, but the security message can be easy to ignore. CSOs and CISOs share their strategies for spreading the good word.
By Lew McCreary
"Driving programs through the site coordinator is key so that there's [local] ownership. And the mantra of the day for us—what I pushed [at Kraft] and now at Cardinal—is to try to build self-sufficient programs. Give [functional leaders and site management] the information they need so they can make the best decisions," he says.
While CSOs often talk about creating a "culture of security," Halvacs recognizes that the diversity of internal organizations suggests that security programs have to exist in, and be transportable to, many different cultures. "Everybody has a different need and a different spin—whether it's a sales office or whether it's a manufacturing facility or a corporate office," he says.
Awareness programs can reach beyond the enterprise to touch suppliers and other trading partners. "At Kraft we did the same thing with our suppliers and comanufacturers [as we did internally]. We built awareness in baseline [programs] and standards that they had to follow. And we allowed them to plug in to our training and awareness resources," he says. Although imposing internal standards externally can be politically delicate, Halvacs says that "because we were very important customers of theirs, they would basically bend over backward." Again, his strategy was to have Kraft executives in the quality group, as the substantive owners of the supplier relationships, drive the third parties' compliance with global security's standards.
Asked what he thinks the "killer benefit" of awareness programs is, Halvacs alludes to a core CSO challenge: getting key decision-makers to respond appropriately in a potentially volatile situation. "It's knowing when to pick up the phone when they get in trouble, from the very first, and not screwing something up and shoving it under the rug. [It's getting] the light to come on when they're in the middle of the situation," before it spirals into crisis. "That, I think, is the biggest bang for the buck," he says.
Halvacs says good awareness programs can help drive home to senior management the ROI of proactive security initiatives. He cites background screening and drug testing. "Those are real numbers, you know, because the government says [drug abuse costs a business] anywhere from $10,000 to $12,000 per employee" annually (in health claims, sick time, workers' comp and on-the-job injuries). Adding drug testing to preemployment background screenings can save a business $1 million a year for every 100 high-risk applicants it doesn't hire. "You can really show the ROI, or cost avoidance," Halvacs says.