Habitu8 Webinar Outline: Building a Successful Security Awareness Ambassador Program with Jason Hoenich, Founder

This webinar aired on March 27, 2018. Jason’s notes are as follows:

A. Ambassador definition: A community of trusted employees who acknowledge positive security habits of coworkers. They are empowered and supported directly by the security awareness program’s resources and guidance. 

B. Why ambassador programs work: We all have a coffee shop, pizza place, dentist, doctor, record store, shipping center, or service provider that we go to consistently because we trust it—and so does the rest of our neighborhood or community for the following reasons:

  • Relationship: We’ve developed a personal relationship with the employees there in some way.
  • Trust: The brand earned our trust for providing reliable information, service, or product.
  • Direct support: We can get direct support from the brand in some way.

C. Building and designing your program

1. Determine your “why”: What is the purpose of your program? Some answers might include:

  • Support the goals of a security awareness program
  • Help with training completion
  • Improve event attendance
  • Help with feedback on a security program

2. Spend time designing with intention:

  • Research (human resources, legal, corporate communication)
  • Pitch to your advisory board
    • Don’t use the term “volunteers”
    • Establish a process to approve members
    • Suggest potential “early adopters”
    • Extend GRC/infosec teams regionally

D. Establish your brand: This is the core of the (potential) user experience. An expected, uninteresting approach here can turn people off. However, a unique name that creates interest can set your program apart and help drive success. This is where marketing teams or an agency partner can add tremendous value.

  1. Common program names aren’t as interesting. Internally, call it what it is—an ambassador program—but get creative for your audience. An example might be calling the ambassadors “champions.”
  2. Make it different to avoid any negative or technical connotations; after all, this is a program for general users.
  3. Think through the potential swag and application of the brand. For example, if a long-term goal is to host events, and you want the members to be there to support and help, they’ll want to be identifiable with branded shirts.

E. Outline the member journey

1. What will the first interaction with you look like?

  • Recruitment: How will they first hear about it?
    • Email announcement
    • Referrals and word of mouth

2. Welcome kit (see example): A great brand will have a great welcome kit that delivers expectations for the user.

  • Make it a big deal
  • Utilize corporate communication, marketing teams, or an agency (depending on budget)
  • Core elements include:
    • Package/box/bag/packet containing:
      • Entry swag item if available (shirt?)
      • One-sheet, designed pamphlet with answers for what to report (e.g., incident definition: phishing, lost devices, unintentional recipients) and how to report (phishing vs. incidents)
      • Fun, relevant social currency such as metrics around social media security stats, phishing stats, research infographics, and so on
      • Game element suggestion: "Lock before you walk" sash (see levels document)

3. What will ambassadors’ first six months look like?

  • What requirement will they have to meet to start?

4. What will be ambassadors’ key responsibilities?

  • Announce
    • Introduce themselves to floor/dept/team during all-hands meeting or event 
    • Email intro
  • Acknowledge
    • Coworkers who report incidents and phishing emails or exhibit positive security behaviors (establish a short list)
  • Acquire
    • Ambassadors should be continually learning cybersecurity best practices:
      • Cybersecurity 101 live training
        • Take (from you)
        • Host it (with you)
        • Deliver it (without you)

F. What will ambassadors do, and how will they progress?

1. Level progression tasks (gamification element): These keep members progressing, active, and engaged.

  • Complete certain tasks to advance.
  • Each level involves and supports acknowledgment. 
  • Each advancement earns a unique, higher-quality swag item, award, or experience.

G. Ooch: Ooching is the opposite of jumping headfirst into something. Ooching is conducting “small experiments to test one’s hypothesis” (from Chip and Dan Heath’s book Decisive: How to Make Better Choices in Life and Work).

1. Start small, fail fast: Ideal ambassador program ooching would be 5-10 initial members (if your program is large enough). If smaller, start with 2-3 members. If you will only have one member, then you are the beta tester.

2. Test what works: It will take a series of tests to see what works and what doesn’t within your corporate culture. Start simple, excel at the basics (acknowledgment).

3. Collect feedback: Ask questions of your members/testers. Find out what they think could be helpful for their needs based on the goals you’ve outlined.

4. Adapt the program as needed.

H. How do you actually begin recruiting?

  1. 48% of surveyed customers respond that the first impression is key.
  2. Identify early adopters.
  3. Determine who reports the most phishing emails or incidents.
  4. Understand who consistently responds or reads newsletters/emails.
  5. Identify who has significant social trust.
  6. Note advisory board members, local regional infosec people/liaisons.
  7. Use classified ads—do things out of the ordinary to see whose interest you pique. For example, post a mystery ad on the intranet site: “Infosec team recruiting members for top secret program”; participation is limited and must be approved.

I. Why do you focus on acknowledgment instead of prizes?

  1. When surveyed, 72% said they wanted a thank you. 
  2. 86% who did not receive a response to a complaint stated they wanted one.
  3. It’s the easiest (and most affordable) way to change someone’s mood, opinion, and so on.
  4. It is not only focusing on acknowledgment of your coworkers, but also focusing on the initial journey/experience of the ambassador program members themselves. They will need a lot of communication, guidance, and encouragement at first until they begin to see the benefit of what you’re asking them to do. They are the heroes. Give them a hero story.
  5. You’re establishing your program intention of focusing on acknowledgment to help build a culture of security by using positive reinforcement versus a “hey, I did the wrong thing” approach.
