Security Awareness Ambassador Program Strategy Guide

Introduction

You’ve run a successful, behavior-changing security awareness training program, but now you’re wondering: How do I change company-wide culture regarding security for good? The best way to create lasting impact is by creating a memorable, meaningful ambassador program to keep the message alive and top of mind.

As cybercriminals get more aggressive—and creative—it’s important to remember that security is about more than installing technological safeguards and hiring the best CISO and security professionals. Security awareness is about people and making sure people know what the best behaviors are for combating cybercriminals.

In this e-book, we’ll provide you with everything you need to conceptualize, create, and launch your Security Awareness Ambassador Program so you can prove ROI, build trust, and expand your overall security awareness program.


Chapter 1

What Is Security Awareness?

According to the National Institute of Standards and Technology, “Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue.”

Security awareness is an approach to training that protects companies and their data by creating immediate and permanent changes in employees’ behavior through:

  • Creating a culture of security with a secure-minded workforce

  • Educating employees on risky habits and the right security behavior

  • Strengthening the human element of security risk

Changing people’s attitudes, values, and beliefs through a security-minded culture shift goes hand in hand with changing behaviors, according to John P. Kotter in his book Leading Change. According to Kotter, “Culture change happens only after you have successfully altered people's actions, after the new behaviors produce some group benefit for a period of time, and after people see the connections between the new actions and the performance improvement.”

"Spending on security awareness training for employees is predicted to reach $10 billion by 2027"

- Gartner

Creating a culture of security and providing employees with the right education, tools, and empowerment will enable your staffers to always do the right thing, including:

  • Avoiding clicking on a phishing scam email

  • Not exposing passwords to cybercriminals

  • Not using unsecured internet connections to conduct sensitive business

  • Not ending up on a CSO list of Top 10 Most Expensive Security Disasters

Chapter 2

What Is an Ambassador Program?

Security professionals are incredibly busy manning the security fort, and awareness often—and unfortunately—takes a back seat. In fact, only 7 percent of security professionals are dedicated full-time to awareness, according to a SANS survey of security professionals, and more than 80 percent of professionals who responded to the survey said they only dedicate 50 percent or less of their time to awareness.

With an ambassador program, instead of having to champion and market the program yourself, you can enlist the help of eager employees across departments to spend just a few hours each month on outreach and awareness. These ambassadors will be responsible for engaging with their coworkers about the larger security awareness program and its purpose and goals, as well as:

  • Serving as the point of contact for security questions

  • Surveying employees about security topics

  • Coordinating lunch-and-learns and other educational gatherings

  • Distributing educational assets (videos, fact sheets, infographics)

  • Engaging employees on security topics via Slack or an intra-office chat system

  • Providing feedback and metrics to the security awareness program manager

  • Participating in regular ambassador forums, trainings, and activities

As a security professional, once you’ve gotten the buy-in from your company to run a security awareness program, it’s important to show a return on the investment—both financially and through actual, measurable behavior change. Ambassadors can help you achieve these goals more efficiently and effectively, which means you’ll be able to prove ROI, get more funding for your awareness programs, and be an all-around hero.

Chapter 3

Benefits of an Ambassador Program

The benefits of running an ambassador program are probably obvious. Not only does a program like this let the security team stick to what they do best, but it also empowers the workforce to take an active part in building a culture of security. But wait, there’s more!

Low Cost (or No Cost)

Most ambassador programs are operated as an extension of the larger security awareness program, which means you don’t have to ask for extra cash. In some cases, however, ambassador programs get a small budget to fund rewards and incentives. Whether you’re asking for a budget to incentivize your ambassadors or the employees who actively participate in the program, think small.

"The predicted cost of ransomware attacks by 2019 is $11.5 billion"

Scale Seamlessly

Instead of one person—we’re looking at you—doing all of the work to keep security awareness at the forefront of everyone’s mind, you’ve got a team of people ready and willing to educate employees and build interest. And the best part of an ambassador program is that your ambassadors are embedded in the day-to-day of their department, so they’re more effective at reaching employees than you’ll ever be as that security guy who keeps running phishing simulations.

Not only do peers listen better to their actual peers, but they trust them more, too. Also, depending on the size and culture of your company, an ambassador program might be the only way you can easily reach your entire workforce. For example, if your organization has remote workers, a global workforce with many locations, or diverse cultures and generation gaps, enlisting people who just “get” their coworkers as ambassadors is the best, most effective way for your security awareness program to succeed.

Gain Trust

Think of it this way: With a team of well-trained, enthusiastic ambassadors, you get embedded “social connectors” who can provide honest feedback that employees might not feel comfortable delivering straight to you otherwise. Over time, you’ll start to gain trust, the security-minded culture will thrive, and you’ll gain more buy-in for security awareness efforts—and that, friends, is priceless.

Chapter 4

8 Steps for Setting Up Your Ambassador Program

Now that you’re sold on creating an ambassador program, you’re probably wondering how the heck you get started. Follow these eight steps, and you’ll have ambassador program gold.

1. Tackle Responsibilities

Before diving in, decide who is going to manage the ambassador program. In most cases, this will be the same person who is in charge of running the larger security awareness program, which is usually a senior-level manager within the information security or risk teams. (Chances are, if you’re reading this, this person is you. Hey! How’s it going? Let’s talk.)

Then, take a high-level look at who else should be pulled in and what their roles will be. For example, you might involve someone on the marketing or advertising teams to create posters, infographics, or other educational materials that your ambassadors will need to post or share with the company. Then, you may need someone from compliance to ensure your materials are hitting the right notes. You also might need to involve someone from the PR team if you’re going to offer company swag incentives, or tap someone from HR if you want to offer PTO or time off as a “thanks” for participation.

2. Secure Buy-In from Senior Leadership

If you’re already running a security awareness program, you’ve probably already gotten buy-in and support from your CISO and the C-suite. However, it’s still important to get support from senior leadership specifically for the ambassador program, because they’ll have a vested interest in watching how it impacts ROI and employee habits and behaviors.

Your CISO should be a champion of your ambassador program, and it’s likely that the CTO and CIO will want to be involved in some way with the program, too. Establish clear lines of communication with these stakeholders so everyone is on the same page about goals, pitfalls, successes, metrics, and more.

3. Know Your Objective and Goals

You know the goals of your security awareness program (change risky habits and behaviors), but you need to have specific goals for your ambassador program, too. Whether your goals are strategic or behavioral, lay out what you want your ambassadors to achieve and how that fits into the larger awareness program. Potential ambassadors will want to know exactly what their roles are, so keep your goals clear, compelling, and measurable.

4. Decide on Incentives

Before you can decide whether you’ll need any additional funds for your ambassador program, you need to decide how you’re going to incentivize employees to participate. People don’t need crazy gamification or major rewards to participate in security awareness—playing a meaningful role and being more engaged in the office can actually be a huge incentive for employees. In fact, according to a study by Globoforce, meaningful work is the single largest contributor to a positive employee experience. Something as simple as a free cup of liquid energy at the coffee shop around the corner can do the trick to incentivize participants.

"1.7x higher job satisfaction among employees who derive meaning and satisfaction from their work; employees who are engaged are also three times more likely to stay with their current company"

Also, be sure to pull in relevant departments in the discussion and consider polling your colleagues informally to see what would encourage them to participate in an ambassador program.

5. Define the Budget

We’ve said it before, and we’ll say it again: You can run your ambassador program with no added costs. However, if you’ve opted for incentives such as swag or paid time off, make sure you organize your budget and work with the right departments to cover any and all costs. Did we mention that you can run your ambassador program without extra funds? You can. We promise.

6. Make Success Measurable

Before launching your ambassador program, you have to be able to measure success, because success metrics prove ROI and will allow you to get more money to build up the overall security awareness program, which is the end game here. If your overall goal is to reduce the number of repeat responders, then focus on proving that the number has gone down after implementing the ambassador program. This will easily prove ROI, legitimize the greater security awareness program, and gain buy-in for expanding the program.

Here are some metrics to consider using to assess your program’s success:

Quantitative

  • # of ambassadors

  • # of employees the ambassadors connect with

  • # of communications the ambassadors complete

  • % decrease in repeat responders after ambassador program launch

Qualitative

  • Survey results

  • Success stories

  • Feedback

7. Find Motivated and Qualified Participants

Once you’ve firmed up your goals, incentives, budget, and metrics for success, it’s time to recruit your ambassadors. This is a huge step, and we’ll break down recruitment in the next few pages.

8. Train, Communicate with, and Empower Ambassadors

Your ambassadors will only be as good as their training, so whether you create a day-long group session, one-on-one meetings, or self-guided webinars, make sure your ambassadors have the training they need to know what they’re doing, when they’re doing it, and why they’re doing it.

As part of their onboarding training, give them access to assets such as posters, videos, infographics, and fact sheets that can help them stay on message to have the greatest impact. Then, create or leverage an existing communication platform where ambassadors can engage with the entire ambassador team and provide valuable feedback. Having a solid communication channel such as Slack from the get-go means questions can be asked and answered quickly in a group setting so everyone can stay on the same page and on message. It also gives your ambassadors a place to share feedback, frustrations, and all the GIFs.

Chapter 5

How to Recruit Ambassadors

Now that you’ve got the what and why (the when and where are now and wherever your employees are), you need the who. Finding ambassadors doesn’t have to be hard, and we guarantee you won’t have to pull any teeth. All you need is to know the right type of people to look for, how to make it worth their while, and how to reward them.

Create an Ambassador Qualification Checklist

Although you might think you’ll be happy with whatever warm bodies come your way, there is an ideal type of employee who will make the most sense as your ambassador. Your ideal ambassador should have most—if not all—of the following characteristics:

  • Interest in cybersecurity (they don’t need to be an expert)

  • Ability to devote 2 to 4 hours per month, plus extra time for training and special initiatives

  • Eagerness, enthusiasm, and excitement about being an ambassador

  • Strong communication skills in a variety of mediums

  • Ability to commit to being actively engaged with the program (e.g., providing feedback, engaging with other ambassadors, participating consistently)

  • Ability to obtain approval from their supervisor to participate in the program

Make It Interesting and Worth Their While

Whatever you do, when you’re recruiting you have to market the program as being worth your employees’ time and efforts. Beyond incentives, two of the best things about being an ambassador are the networking and resume-building opportunities.

Pro tip: Master the art of “security marketing.” Use marketing techniques to recruit ambassadors. Then, encourage your ambassadors to use the same marketing methods to get the word out through posters, internal chat platforms, and more.

Because you want ambassadors across different departments and teams, the networking potential can be very appealing for employees. In fact, a really effective way of selling the program is to let recruits know that they can add their specialized security awareness training to their resume, which can open them up to new opportunities.

For example, let’s say you’ve heard that Anna in marketing geeks out about security and has always wondered what it would be like to be on the IT team. As an ambassador, Anna will have the opportunity to mingle with other employees throughout the company, both during ambassador training and in her role as an active ambassador. The next time you see her, say, “I’m starting a security awareness ambassador program. Are you interested? You never know, Anna—being a member of the security awareness ambassador program could be the stepping stone to a future as a security employee.” Cue a twinkle in the eye and hopeful thoughts!

"86% of Millennials say career training and development would encourage them to stay with their current employer"

- Bridge by Instructure, Inc.

Pull Them In with the Promise of Glory (and Swag)

Although the perks of resume building and networking will work for some potential recruits, others need to know their efforts will be immediately and regularly recognized. Remind employees about the other benefits they’ll be able to enjoy as part of the ambassador program. Although some ambassadors will need nothing more than verbal (preferably public) recognition for their efforts as part of the program, others will need tangible incentives.

Here are some suggested rewards to mention to entice employees to become ambassadors:

  • A framed certificate of ambassadorship! It’s the simple things.

  • Positive feedback sent to the ambassador’s supervisor or human resources to influence career guidance and advancement opportunities.

  • An additional day of PTO or getting to bounce at noon on a Friday.

  • Free lunch or coffee with the CEO or CISO. Honestly, people will bend over backwards for a free sandwich.

  • Branded swag. Think coffee mugs, shirts, frisbees, PopSockets—you get the idea.

But also remind potential recruits that being a part of the program is about more than incentives and recognition—it’s about helping their coworkers make the business better and more secure, which means a more secure bottom line, which means the potential for growth and opportunity for everyone at the company.

Chapter 6

Pro Tips and Expert Advice


Name that Program!

Sometimes, when creating a new initiative or program, the name becomes the first thing on everyone’s mind. The result is security ambassador programs called “Sorcerers of Security” or “Security Ninjas,” which, let’s be honest, don’t say much and are just asking for mockery.

Use words like champions, officers, or advocates, and make sure that people know who the ambassadors are and what they do. If you want to take the clever, educational route, try something like “The White Shirts: Advocates for the White Hats” and watch the questions about what a “white hat” is roll in.

Make the Experience a Priority

Once you set up your program and get rolling, don’t forget about the user experience. Your ambassadors are taking on a huge and important role on behalf of the security awareness program, and they need to feel appreciated, valued, and like an integral part of the overall program. Continue engaging your ambassadors and taking feedback about their experience and how it could be even better.

Don’t Overdo It on Tasks

Having a team of ambassadors on call to help support the security awareness program might compel you to throw everything at them at once, but don’t. You need to pace tasks and responsibilities in a sensible, manageable way, or else you’ll overwhelm your ambassadors and probably see some drop off. Also, make it easy and logical for ambassadors to mature through the program by creating a timeline or benchmarks at 30, 90, and 120 days. Before you know it, you’ll be able to designate the ambassador team leads and the program will be running itself.

Know the Pitfalls of Gamification

We’re all about incentivizing, but if you’re considering gamifying the security awareness program—whether for all employees or just your ambassadors—be careful. Gamification can be incredibly powerful and effective, but doing it wrong is worse than not having gaming components at all.

Chapter 7

Conclusion

More often than not, both executives and employees think security awareness training is all about jumping through hoops and going through the motions just to achieve compliance, but it’s about so much more than that. Don’t just go through the motions or just change behaviors—change culture.

Building an ambassador program gives you the team you need to promote your security awareness efforts company-wide in a meaningful, effective way without straining your already overstretched security team. Once your team gets rolling, you’ll be able to prove ROI, expand your larger security awareness program, and secure your company’s data and bottom line for good.

About Habitu8

Habitu8 was founded by two guys who’d seen the worst of what security awareness training has to offer. Jason is an industry-recognized security awareness expert who has created video training programs for The Walt Disney Company and Sony Pictures, and Chad is a respected chief information security officer (CISO) and cofounder of Rapid7.

With Jason’s industry expertise and Chad’s understanding of neuroscience and how we interact in our daily lives with a digital world, Habitu8 was founded in 2017 to help companies redefine what an effective security awareness program looks like. Basically, Habitu8 is on a mission to get rid of boring, mind-numbing training programs and replace them with engaging video training that changes behaviors for good. All it takes is teaching employees how to replace bad habits with good ones—and we’re really good at that.

Let Habitu8 help your company create effective security awareness programs using our engaging training videos and proven strategy.
