Building a security mindset among employees
Accenture's Information Security Behavior Change Team cultivates a smarter security mindset among all employees through innovative learning.
Every enterprise, including Accenture, must operate in a world filled with information technology intrusions, malware and other security risks. It is critical that a global workforce such as Accenture's have an understanding of current and emerging cyber threats, as well as the ongoing actions needed to protect and defend against such intrusions. To address these security priorities and improve employee practices, Accenture recognized the need to provide employees with continual security learning. A behavior change team within Accenture's Information Security group was established to address this need.
Informed by Accenture's security priorities and its ongoing threat intelligence gathering, the behavior change team created an integrated and engaging information security behavioral change program that seamlessly blends awareness communications with learning exercises arming employees with the right knowledge and tools to follow the security best practices and if needed, properly respond to suspected cyber security threats. The objective was to embed appropriate information security behaviors into everything individuals do so that security behaviors are natural and viewed positively rather than being another required "to do."
Global learning program
The result is a comprehensive, holistic and multidisciplinary global learning program that is continually refreshed to keep ahead of the latest security threats. The program combines a steady cadence of communications to generate general awareness and education on operational actions as well as mandatory training and incentivized voluntary learning. It targets all employees, but also includes customized learning tracks for executives, technologists and high-risk groups across Accenture and promoted through both global and local channels. Communications and learning assets are mobile-enabled so that employees can learn on the go.
Awareness communications engage employees through a series of security-related communications delivered through different media, but primarily through video and messages on the employee Portal. Original video content includes behavior-specific guidance delivered through immersive scenarios combined with hands-on exercises that are highly tailored to Accenture's environment. The intent is to strongly engage viewers in the learning.
One example is the "Hacker Land" multi-part dramatic video series complemented by immersive learning assets with hands-on exercises. This Accenture-produced series features a cast of characters in a complex narrative that pits a team of hackers attempting to infiltrate corporate enterprises against a corporate security office charged with detecting and defeating the intrusions. Behavior-specific guidance around recognizing and avoiding social engineering attacks is presented periodically throughout the episodes of this mini-series to blend storytelling with practical instruction around sound information security practices.
Information security learning content focuses on educating employees about proper underlying actions and behaviors in keeping Accenture and client data secure. This objective was addressed by creating unique, self-paced, gamified, immersive, custom-designed digital learning programs that educate, enable and empower employees with the tools and knowledge necessary to use the correct security behaviors. The team developed a comprehensive, voluntary learning curriculum as well as annual required training segments tied to an employee's performance assessment. Learning content is delivered through multiple channels and incentive-based activities.
To help maximize new behavior adoption, the learning assets incorporate innovative approaches and learning technologies, such as interactive use cases, videos, games, online quizzes, and diagnostics. Accenture employees are provided with a summary of their individual results, including their strengths and weaknesses. Based on those results, they are directed to specific resources to improve their security practices.
To ensure relevant and impactful learning activities are being built, the behavior change team conducts biannual surveys of Accenture employees to measure adoption of security behaviors and best practices in order to focus awareness communications and learning activities on any identified gaps. Global and local leadership teams also receive reports and scorecards showing learning participation metrics and behavior survey results.
Change and adoption plans are data driven in order to realize the value on investments in new security technologies, processes, and tools. The behavior change team measures adoption and benchmarks programs rigorously, internally and externally, and adjusts its approaches to maximize the end-user experience and benefits to the business.
"A goal of Accenture's Information Security Behavior Change Team is to cultivate and embed critical security behaviors in everything that we do."
Accenture's information security behavior change program aims to keep Accenture's nearly half a million employees serving clients in more than 120 countries proactively aware of daily security behaviors they can employ to keep Accenture and client information protected.
The program was designed to truly change mindsets. It is a behavior change program encompassing learning, awareness, incentives and other components designed to bring about real and lasting behavioral change among Accenture's employees. And it has. Accenture has experienced positive results in improving employee behavior to create a security mindset in the workplace. Accenture recognizes that an educated workforce can be a valuable asset for identifying vulnerabilities.
"Our people are both our strongest line of defense and our biggest vulnerability."