Mondelēz International is rethinking the way it tackles cybersecurity awareness training for its associates after its once-a-year program simply wasn’t cutting it.
The No. 21 consumer goods company is instead leaning into its snack culture through a series of “bite-sized” training modules developed as part of a three-year partnership with AwareGO. While the company wasn’t initially in search of a new learning management system, Nikolay Betov, Mondelez information security governance officer, tells CGT that it wanted to convert its mandate-style training into something more engaging and easy for employees to connect with.
“With our prior training efforts, we frankly could not see the payback,” Betov says. “We had low engagement among employees and could tell that people weren’t really applying the skills they were being taught, but honestly we had no way of measuring it.”
He notes that associates viewed the training as a dreaded chore. “They didn’t want to talk about it, and they thought it was boring, not something that you would discuss around the water cooler.”
The new modules, meanwhile, are designed so that admins can select pre-designed programs or customize their own, all of which focus on reducing overall cybersecurity risks in easy-to-digest formats.
While Mondelez is still at the beginning of its experience with the modules, the company is already seeing how the training practices are applied in real life. It piloted cybersecurity campaigns based on AwareGO in the APAC region and then followed up with a phishing simulation; when using the new system in tandem with other approaches, the APAC region performed 30% better than the other regions.
The most significant difference with the digestible modules has been the increased engagement and the ability to get associates to practice the skills the training teaches.
“Cybersecurity training can be a bit of a dilemma,” Betov notes. “To be successful, you need strong management support to ensure engagement, but messages from the top are not always well received.”
This new technology has instead spurred conversation about the next security moment — benefits that have not only been impactful but also measurable. Feedback from company employees has also been positive, especially given that the training isn’t hindering their productivity.
“We know we need to educate our workforce, but it has to be done in a non-intrusive and engaging way,” he says. “People tend to overestimate the powers of technology — such as email filters and firewalls — and believe they are secure because of it.”
Instead, Mondelez’s message to its employees remains that the security threats are evolving, and while they shouldn’t be distracted from their main roles, they need to maintain the skill of working securely.
Finally, measuring behavior through the human risk assessment has also been super exciting, says Betov, especially given the possibilities for extending beyond traditional phishing simulations into other threat vectors.
“What we can do together … in terms of opening up as far as beyond the kind of a traditional phishing simulation into other areas of security, that's what I'm really excited about in the future.”