WEBINAR: HOW TO BUILD SUCCESSFUL SECURITY AWARENESS AMBASSADOR PROGRAMS
This webinar is from Habitu8's Mentoring Series. Founders Jason Hoenich and Chad Loder discuss questions and approaches around how to implement a security awareness ambassador program. Based on Jason's personal experience building ambassador programs and Chad's approach as a CISO, lots of valuable discussion results around a trending topic.
Watch now to learn how to start building a security awareness ambassador program, how to recruit volunteers, and how to use acknowledgment as the key motivating factor. I've answered some of the Q&A from the webinar below the video as well!
Stay tuned for our official Guide to Security Awareness Ambassador Programs...
What type of reward should we provide - if we are just starting to recruit ambassadors? Or how do you attract them?
This is a great question, and one I get a lot. I've seen others, and have personally tried, to go the "prize" route. Offering some kind of gift certificate, or cheesy swag item left over from a conference. People don't want junk. This is why I focus on purpose and acknowledgment. Acknowledgment for your potential members is priceless and goes a long way, and can be bottomless. When you "bribe" someone with a gift or prize of some type, it's extrinsic and they become conditioned to do things for the prize rather than being genuinely motivated.
Offering your recruits something more valuable like access to knowledge they don't currently have (skills on a resume?), access to special events, a stronger purpose and connection to their work, and ways to help protect their family and friends can be really powerful. They're helping to build a community which is an innate desire in all of us in some way. Sell the benefit of them participating and not the instant gratification of the prize.
Do ambassadors just acknowledge positive security habits of coworkers or also provide awareness to others?
At first, your ambassadors likely won't have all the skills and knowledge to provide awareness, responsibly. So initially, focus on having them acknowledge positive behaviors like reporting phishing emails/incidents, etc. Simple stuff. Empower them to engage with their community. Once they start making their way through the requirements and responsibilities of the role, they will become awareness contacts too. If you prepare them and provide them the right tools and resources, they can do this quickly.
What do you think about incentives for Ambassadors and what kind work?
I think the right kind of incentives is mandatory. I've always focused on giving them access to knowledge and experiences they normally wouldn't get (think special trainings with hackers, cyber events). Outside of that, I'm a huge fan of having specific, high-end swag items that are earned when they "level up"...more on that later though :D
What kind of tools would we want to give our security ambassadors?
For me, it's the basics. Give them a resource guide that breaks out simple information they can internalize and share with coworkers:
How to report phishing emails & incidents
Overview/FAQ of company Security Policies
One sheet overview of Acceptable Use Policy and how it affects the average employee
If you perform phishing simulations, give a simple statement on what the program is, what the purpose is and that employees won't be "in trouble" if they click a link (it's training, not a test).
Relevant contact info (security awareness, physical security, helpdesk, etc.)
Would it be advantageous to ask leaders to choose their ambassador?
Absolutely. Leadership involvement is key and crucial and often times they have a better idea of their department/team culture than any. You can also be encouraged to ask them to consider being an ambassador initially.
Why is it important to vet the advocates?
I've come across a few relevant instances when discussing the program with my Legal, Corp Comms, and HR liaisons. Notably, you don't know the performance history and background of most folks. Giving their immediate leadership and HR a quick approval can help avoid some future problems with members who may have performance issues. Also, it's good to ensure balance across the environment (you may get several volunteers from a single department). It's just dotting the i's and crossing the t's for me.
How do you scale to an organization of 280,000 people- it has been a struggle to find ambassadors globally given our size and complexity?
This is always a nuanced question and answer and really comes down to a more thorough understanding of the corporate culture as a whole as well as unique to each region/team. You can't use a copy/paste method and so it's really about growing/scaling organically and ensuring you're getting feedback from your existing members on how to improve the experience. You also need a lot of team resources - a single person for 280k users isn't ideal, I've been there. It's hard. So slow and steady (and intentional) wins that race.
Do you have an advocate job description or contract that the team agrees to?
You bet! We will be releasing some free resources for this specifically along with a "how to" guide in the near future - keep an eye out for the announcement.
Do you recommend different Advocate levels? For example, a program where they can move up, learn more about security?
Absolutely, and a great question. I'm not a fan of gamification for awareness, but this is one area where I'm a firm believer in it. I've typically created a member journey of about 4 levels they can progress through. I will be releasing this template very soon (as mentioned earlier).
I love this stuff, and I love helping companies mature their programs. I offer to mentor, so if this is something you'd like to discuss further please hit me up directly at firstname.lastname@example.org