Creative Ideas to Build Excitement into Your Security Culture
In this webinar, Esteemed panelists Dana Barca and Kathryn Glynn from Kimberly-Clark, and Kattia Solano from Equifax discussed how their respective companies maintain a global mindset while empowering local teams to execute regionally.
- Dana shared that Kimberly Clark created presentations in seven different languages customized by region for Cybersecurity Awareness Month 2022.
- Katia mentioned Equifax's use of the Security Snapshot Wheel in Costa Rica as well as other games used across South America like "Security Field".
- Living Security helped Kimberly Clarke deliver live sessions using Escape Rooms in multiple languages.
- How to create meaningful, measurable experiences that will have a clear impact
- The importance of knowing your audience (and building experiences for and with them)
- Thinking globally and executing locally (with help from your colleagues)
- How and when to start planning for success (... tick-tock…)
- Specific examples of how creative learning experiences have changed individual behavior and lowered organization risk
- Moderators: Jenny Kinney and Candice Henderson, Living Security
- Dana Barka, BISO, Kimberly-Clark Corporation
- Kathryn Glynn, Sr. Information Security Awareness & Training Lead, Kimberly-Clark Corporation
- Kattia Solano, Security Service Delivery & Enablement Lead, Equifax
Watch this webinar now!
See how your organization can benefit from Living Security.
Here is the webinar transcript.
Moderator: Candice Henderson introduces the speakers.
Hi, my name is Dana Barca. I'm the North American Business Information Security Officer, otherwise known as BISO for Kimberly Clark. We're the powerhouse brand behind Kleenex and Hugs, Viva paper towels, and a host of other products. So we are a manufacturing consumer packaged goods company. I've been here for about six years in March and I am located in Roswell, Georgia.
I'm Kathryn Glynn. I am also from Kimberly Clarke. I actually work for Dana. I am the senior awareness lead at Kimberly Clarke. I have been at Kimberly Clark for just over a year, or right out a year I think. But previously I was at Oshkosh Corporation and I was doing their awareness program. So I have been in this field for about seven years.
My name is Kattia Solano. I am the service delivery and enablement lead in Equifax. I have almost 11 years working here and more than six years working in security awareness, continuous employee engagement and security workforce empowerment. I am based in Costa Rica.
How do you really maintain that global mindset while empowering your teams to execute locally?
Kattia Solano: Sure. definitely one of the most important things we process in 24 countries around the globe. And it is really important to have a framework and also to make sure, which is like the global communication and marketing strategy. So it's really important to make sure, which is going to be global, like in a campaign that we are going to drive to entire countries. But also it's really important to engage with the regional people because they will know how they, we can communicate, how we can engage with those people, which communication channels are going to be used more in Chile or in Australia or in Costa Rica. So that is really important to continue, like also, which is like the risk behaviors that we are going to drive with the campaign and then we'll be able to cascade and make sure we drive it regionally to make sure it is going to engage with those audiences.
Dana Barka: So for Kimberly Clarke, because we have a consumer product, our products are located in I think almost 200 countries at this point. And we have 50,000 end users across 24 languages. It's really, it's a challenging question because when you have that many different audiences to cater to, there are differences by region, by product even. So the way that we've approached it at first when we first built up our security awareness program is that we would centrally locate things like speakers for our events, employee engagement events, but we would invite everybody. That worked for a time, but we noticed we weren't getting much engagement from countries like China or maybe like Indonesia, which was a fairly new country for us.
And so one of our Asia-Pacific BISOs reached out and said, “We have some really amazing people here too and we have some people internally that you can engage with.” So we took them up on that in 2022 for our cybersecurity awareness month. We asked all of our BISOs globally to help us. We created a presentation on like top 10 ways to keep yourself safe online, then we brought in over 30 speakers and tech support people who spoke that same language. We were able to deliver one presentation in seven different languages customized by region. And so we put in numbers like phishing stats and incidents by region so people could realize we are not only paying attention to what kinds of vulnerabilities each region might have, but we were also delivering it locally.
To me that was a new thing that we had done, but we reached hundreds of new people that way who had never participated in a security awareness event. So that's one way to do it if you're not global, because I'm sure there are people in the call who are perhaps more national than global. There's also ways that we did it. We would still have that central speaker and what we would do is have local events. So you could bring in popcorn, do giveaways, we even have a prize will, you can't see it behind me because I have a background. There's a prize wall right behind me. You get a chance to spin the wheel as you're going into the event and then your name would be entered into some type of raffle there. So there's a way to kind of, you know, livestream or broadcast an event, but still make it fun for those local folks. And people do these things so they can get to know each other and learn something new and, you know, check off that training box, but it'll be memorable that way.
Candice Henderson, Moderator: I love that, Dana. Kattia, I know you've done something similar as well at Equifax of having that central point, and having those packages of experiences that can be executed locally. Can you share a little bit more about what that looked like for you not only last October, but throughout the year as well?
Kattia Solano: Yeah, definitely. It is really, really important. As soon as you have a global package, you will be able to have people like the information security officers, also the security champions in Latin America. They're gonna have a key presence. We have more than 300 security champions in Latin America and this is awesome. And they will be one of the people that is going to empower the different events and they will know which are going to the different local games and activities that people might have. And also adjusted. I focus on the risk behaviors that probably they need to address. This is really important. We have in Costa Rica for example, in October, like the security snapshot wheel that is like the fortune wheel that we will be able to drive different questions and team challenges in order to make sure we are adjusted to Costa Rica.
And also we do a similar game in South America, in Chile, Ecuador and Peru that was like the Family Feud, but we call it Security Feud. We just try to make sure the different games are ones that engage our audiences. That's why it's really important to have a centralized location where everybody speaks in their own languages. We have a security awareness page, but in the three languages that we manage. And it's really important also that the speaking series, the games and the different activities and communications are going to drive in their own language. That's why we have a key and high engagement in our audiences around the globe.
And the funny anecdote is Living Security helped us with that this year. Once people learned we were delivering live sessions in the local language, they were like, “What games you got?” And so we were able to use the escape rooms in different languages as well. And even the French team, when they learned we had French Canadian available on the platform, the French team was like, “Oh no, French Canadian and French are totally different.” And they tried it and they were like, “Okay, yeah, we can totally do it.” <Laugh>. It's fun when it's already built into the program.
[We also created] mini videos that we have like we can share. The Cyber Kitchen was really successful and we turned it around in a challenge for teams around the globe. We have a community page where people share their recipes. So also there are different ways we might use the products that we have. We live in security in a creative way.
Candice: What have been some of your biggest challenges or pain points as you look back to maybe last year's strategy. So Dana, as a Business Information Security Officer, you have a unique role. You're able to leverage the network throughout Kimberly Clark. But I know not everyone necessarily has that kind of structure or program. Some do have a champions or ambassadors program. So would love to hear Kathryn, I know that was a key part of the work that you've done over the last few months and years. Would love to understand how your champions and ambassadors program fits into again, your kind of bigger picture strategy of really creating engaging experiences.
Kathryn: So currently Kimberly Clark has what's called a Cyber Heroes program. At first it started off as a way to get the attention of team members who worked in our mills; it had been so hard to get their attention. Dana came up with this idea a few years back where we would have Cyber Heroes and certain people from each location would become these poster people. They really resonate with our team members because they're actual people that are in the mills that they're working alongside.
I think sometimes as awareness people, we forget how much technology is actually in the mills, right? So we don't always target them. It's so easy to target the team members that have email addresses and just send out, you know, that phish simulation. That doesn't mean that these other team members don't have access to a lot of technology that could be really detrimental to the company.
At Oshkosh Corporation, I sold it to leadership as, “I’m gonna spread our message, I'm gonna increase my awareness team headcount, and I'm gonna ask for zero budget.” Every leader’s dream. YYou really gotta create the plan. You gotta create your goals, you know, what's your goal? Is it to spread awareness? Is it to increase participation for your campaigns? Is it to reach that one location that seems to never participate? If you have that location that is the person that you like, that you want an ambassador there.
I had a couple locations that just seemed to never respond to me. I would email, email, nobody would participate, barely did any training, and then all of a sudden I found out I had to send it to a certain respected person at that location, and she would send it to everyone in the company. Anne is our person at this location. And that was just a huge lightning moment to be. That’s my ambassador at that location. I will funnel everything through Anne and she will be my ambassador. She was not in tech. It could be somebody that is just interested in cyber or it could be somebody that's just an admin that everybody respects at that location.
After you have your goals, you do need to make sure that that leader is supporting you. So once you start sending out the message, you may need a little bit more leadership to really push it forward. But if you have your goals laid out perfectly and they're easy to digest, it should be no issue. And then once you have those goals, you start developing your ambassador team and the team, like I said, could be anybody, it could be from each location, could be people that want a tag-team it at multiple locations. I was open for anybody who wanted to be an ambassador. If you wanna help me spread my message, you can do this, but that only works for so long. You need to give them the rewards; they need recognition.
So you need to give them some way to show their leader that they are doing something for the company. At Oshkosh, I would send emails to their boss right around merit time; it was the perfect time to say, “They have been my ambassador for a year and a half, two years. They're excellent. They're going above and beyond.”
And that was just enough for them to stay in my team and then keep going just enough to move forward. Some ambassadors are really goal-oriented, so they might want you to tell them to decrease my click rate by 5% or to send out 10 messages about awareness a quarter. It all depends on your ambassador and you'll learn really quickly what drives people.
In the end you just have to give ambassadors the tools that they need. You're already making these communications, give them to your ambassador, have them help you send it out. It doesn't hurt if team members get multiple of the same emails, you know, if as long as your message is getting across.
Kattia: Definitely one of the most important things related to cybersecurity awareness is that in Latin America, they have a really strong security champions program. They send out local communications asking people to participate, then enroll people to help do different types of activities. It’s also helpful to have security champions in different areas like finance, HR, and IT software development. We really want to have a security champion in each area.
We have engagement leaders in some locations. Those leaders will know how to engage specifically with those audiences. They work closely like the communications team in areas like Australia or India. They know and can recommend relevant speakers, or suggest ice cream to draw people in. We will be able to have almost 90% of the population of India participating because of those leaders. It is really important to partner with key stakeholders. Security is part of our daily lives and we just try to empower everybody, even with your families, we need to try to make sure to have it in our daily lives.
Candice: How do you kind of compete with the other priorities or other messaging that needs to get out there? Kathryn, I would love to kind of hear how you've really gotten creative on leveraging some of those informal channels and what that has looked like.
Kathryn: One of the workarounds that we're actually doing this week is I wanna get out a message to every team member. But I didn't really want to have to go through the whole marketing chat. I didn't want it to wait. And we needed to get this message out, right? So we used our phishing vendor who had an email address in our phishing, you know, it's part of our phishing program, they're already in the system and we just developed it into four different languages and they're sending it out for us. So to me that's like a huge workaround that, you know, we needed to get this message across. I think that it's just one way that you can leverage it.
Another workaround would be having a local representation. So using those admins that I talked about or using that one team member that people always listen to. You know, maybe you don't get to send a message to the entire organization, but maybe you get to send it to an entire location, right? Just by using that one person. So if you get denied by comms, there may be other options out there for you if you just, you know, try to work around it.
Candice: Kattia, one piece that I know you did really well last October was really that social media campaign. I know you leveraged a lot of Living Security content, but I think it's what you did with that content that really had the greatest impact. So if you don't mind digging in a little bit more on Cyber Kitchen and what that looked like to turn that into a true social media campaign.
Kattia: Yeah, definitely one of the main things related like, and which is other different channels' way to engage to our audiences. And one of the things that we love related to Cyber Kitchen is because it was like in a five to seven minute video that the people will be able to work in their Equifax duties. So we created a challenge, the Cyber Kitchen challenge,where they watch four videos we select based on our risk behaviors that we really want to address in October for our campaign. And then we create a community page. And with that community page, the people see the video, but also they can share their own recipe and the best tip that they can share related to cybersecurity with their family.
So this is what's really powerful because the people, they will be able to learn with Cyber Kitchen, but also the people love to cook too and to share their traditional dishes and everything. And also the cyber tips that were really important to making sure that security needs to be in our daily lives. And also in our kitchen too, you know, that we didn't realize that like, oh, my refrigerator probably is going to be a threat if we didn't realize that. And with that we will be able to, the people participate and share pictures and, and in a way that it is going to convert it in a social media page. Other channels that we empower, this specific Cyber Kitchen was Google chats. Sometimes we cannot send every single time a global communication, but we can empower in a regional way or in a, like in a, we have like a Google chats, like a community. And so the people that love cooking, cooking and sharing recipes in the Google chats. People in Latin America and also in Australia share their own traditional things.
Candice: One other topic I do wanna make sure we drill on today while we have this incredible panel is really the topic of metrics and measurement. And again, I think you've each touched on this a little bit, but I think it's worth kind of doubling down on. How do you measure the impact of your programs currently? What are you in particular reporting up to your leadership team? I think more so on the quantitative side, right? What quantitative or KPIs do you maybe have that you're using to kind of measure the impact?
Dana: So I'll start off here and I'm gonna give a, a good list. So if you're taking notes or listening to a recording, I've seen in the chat a lot of people struggling with how to get the security awareness program noticed and get out there. Every CISO is metrics-driven. If your metrics are tight and on point, you will get the attention you need because he's gonna funnel that right up the chain and then let the business make its decision on whether it's important or not. So these are the literal metrics we recorded from 2022. The first one was annual training. We do have support from HR from a compliance perspective to provide annual training every year.
We also publish out the metrics to leadership on exactly where they stand. So they will often start to compete with one another because we have like these regional presidents, if the North American president is 1% behind the Latin American president, he will get on the line to his team and say, we have to beat Latin America. Like they are competitive, it's just their nature. So that's a good one. The next one we started training our mill teams, our frontline workers. That's been interesting. So we've been incorporated into their biannual training from a security perspective, which has never happened before. We have our SharePoint site, so that's our website. That's where we send everybody. We are one of the few teams that has over a hundred thousand visits. I've, you know, pre Kimberly Clarke I've been, I've built corporate websites who would wish to get that kind of traffic.
We drive everything to our website because we want these numbers to be big at the end of the year. It grows every single year. We also do awareness campaigns. In the past year we've had campaigns that had over 50,000 impressions. People start to take notice when you have that many impressions or maybe over 40,000 either way. It's a really big number for social media internally. Every video we publish gets published to Microsoft Stream, which tracks our views.
We also report on our Cybersecurity Awareness Month results, we record exactly how many events in which languages who attended. We can't always get the attendance numbers perfect because if people attend in a conference room it's like 10 people. But since a lot of things have been virtual lately, our numbers have just skyrocketed because we can capture everyone who's attending. We also have, you know, the cyber trivia games, all the games that came through Living Security. We have a gamification program itself that usually our intern runs. So we will record everyone who did cyber jeopardy, everyone who did an escape room. We record everything and that's on top of phishing results, which is our, that's our primary metric that goes all the way up to the board at our organization. And so phishing results are always at the top of the list. So that's what we record. If you are not recording that much or you don't have a program that's as robust as that, start with your Phish and start with your training and that will get you more attention.
Kattia: This is really important because at Equifax, every single employee around the globe has a security scorecard. And with the securities scorecard we train and measure different kinds of behaviors, such as the monthly phishing simulation, compliance training, and the clean desk program. This security scorecard is going to drive different behaviors and each employee, each month they're going to have a score, and in some cases their scores are pretty low.
They can boost their score or improve with these specific activities like with live events and participation, participation or doing any other kind of training or additional training in order to empower the efficient simulation skills or also to, to empower them to make sure to have it on time. So in that case, the security scorecard is really important because it's going to be attached to the employee's performance annually.
Anything we need to drive any behavior that is going to be contained in our security scorecard. So in that case, every single action that we might do, we are going to show to open management that we are reducing the risk and the people are also empowering the security knowledge around the globe.
Candice: What variety of skill sets do you recommend for a core security awareness team in order to be successful?
Kathryn: You need to have like, like my background I have an undergrad in marketing and IT, and then I have a master's in marketing. So you do need to have some marketing, you have to have some creativity on the team. You don't necessarily have to go to school for marketing, but you have to be a creative person to get that attention. But then we also have like this phenomenal intern that uses our tools that we have to the best of her ability. I kid you not, this woman is making videos left and right. She's creating amazing posters, graphics, she's using, you know, tools that she got from school. And then you know, you have to have someone who can present to groups. You wanna be able to spread that message. You want them to buy into your program, you wanna make your program bigger. You want it to be at the front of everyone's agenda. So you really need somebody that's willing to go in front of an audience and then just really sell your program and teach people how to be more secure and how to keep your company information. But you don't need a huge team necessarily if you have the right products and resources that you're using.
Dana: I've seen that question come up in the chat, “How big is your team?” Kathryn is our only dedicated security awareness program lead. Yeah. She's a team of one. However, the way we set it up is she does have a design agency she works with for the bigger design things like Cyber Heroes. She's setting up the ambassador program. Every vendor that we bring in has to understand they're an extension of our team. So she truly is a program lead in that. She owns the overall, but you kind of have to find your team and you may not have a big budget to do it.
Kattia: Yeah. Or try to engage with other teams. Right now we are almost nine people working globally with the different programs, we have an instructional designer that is going to create all the content. But it's really important to also partner with others that I can help you to create and to have different resources, anything to help you out to drive your program through. We leverage an incredible intern program as well.
Candice: Awesome. Well, looks like we're at time. So thank you so much. I learned so much from you guys. I know that our audience did as well. Audience thank you not only for joining, but for all of your amazing engagement and questions. It really helps to keep the conversation going.