As security awareness programs mature I'm starting to hear more and more organizations ask "What's Next?". What comes after rolling out interactive online training, Phishing assessments, infographics, lunch-n-learns and speaker events? How do you go beyond the Behavior stage of the Security Awareness Maturity Model and develop a secure culture? Hands down what I see working around the world is Security Ambassador Programs. These are programs where employees throughout your organization volunteer 2-4 hours a month to help communicate your program. They literally become ambassadors (also commonly called Champions, Advocates, or Sentinels). These programs are not as hard as you may think and have tremendous advantages.
- Scale: Instead of just one person communicating a message you literally can have hundreds of "mini-me" awareness officers throughout the organization at a global level.
- Low Cost: Financial cost is minimal, the greatest cost is in time. Specifically you need someone to manage all the different ambassadors.
- Engagement: These ambassadors understand the challenges and cultures of the local groups they are responsible for. As a result, they are often far more effective at engaging and reaching their co-workers then you would ever be. This is especially true of organizations that are highly global, have numerous remote offices, or very diverse cultures or generations.
- Spies: In many ways, you have created your own communications network. Not only are they pushing out information that is critical to your mission, but they are collecting information and sending it back to you. Information such as what are the biggest risks they are seeing in their local office, what topics are the most popular, or metrics on the impact you are having.
The biggest question I always get asked is how do I build such a program? The key to building a robust ambassador program is motivating and enabling your workforce. For motivation, you have some very powerful levers, including
- Recognition: This is one of the most powerful motivators you have. Don't use money as your motivator, use recognition. Examples include awarding ambassadors a certificate, emailing their boss on what a fantastic job they are doing, host an annual lunch for all the ambassadors with the CEO, give them a shirt or coffee mug branded just for ambassadors, or let HR know the great work ambassadors are doing to help their career / promotions.
- Networking: Ambassadors will develop a new network of co-workers throughout the organization they would never normally meet. This network is something they can leverage to help build their career.
- Skills: Who does not want cybersecurity on their resume? Not only are ambassadors developing new skills, but I know of some organizations that use their ambassador program to identify and train new security staff internally.
Finally, we have to enable our ambassadors with the skills and resources they need to be successful.
- Training: Train your ambassadors. I've seen everything from informal monthly webcasts to formal, day long classes. The more you train you your ambassadors the more impact they can have.
- Resources: Provide them materials such as FAQ, key points to cover, PPT slides, posters or infographics. Start them with topics that will engage, like Gaming Online Securely, Phishing or Protecting Your Kids.
- Forum: Provide an online forum for ambassadors to communicate and share ideas with each other. At some point they come up with ideas and start leading the program on their own. Note: the image above is a screenshot of Honeywell's ambassador program forum where an ambassador is sharing a great success story with his fellow ambassadors. Also notice the Honeywell Meerkat, an informal mascot that has proven extremely popular as part of their ambassador program.
Ambassadors are a powerful and proven way to effectively go beyond changing behavior and begin changing culture. Organizations such as Salesforce, Dropbox, Thomson Reuters, Diageo, Honeywell, and Adobe are leading the way. Even change management expert John Kotter highly endorsed Ambassadors based on twenty plus years of research in his 2014 book Accelerate. Want to learn more about building a security ambassador program? Join us for the European Security Awareness Summit this 6/7 Dec in London for a security ambassador workshop or the two day SANS MGT433 course.