Creating an Ambassador Program to strengthen your security culture sounds great but how do you get started? Wizer's Founder, Gabriel Friedlander visits with Director of Infosec Nandita Bery as she shares her lessons learned from a decade of building best-in-class security awareness and ambassador programs for companies of all sizes.
Traditional Cybersecurity Awareness Programs vs. Ambassador Programs
Traditional security awareness training is the standard content created around annual training everyone is required to take, whether it's related to regulation and compliance or specifically geared toward awareness of phishing and scams. The content is sent out or presented, typically some type of quiz is issued, and you check it off and go on your merry way.
An ambassador program, however, is interactive. It involves identifying employees who've taken an interest in security awareness and elevating them to be mouthpieces to the rest of the organization. Whereas traditional security awareness training is more of a "passive push methodology" on generalized topics, having ambassadors allows for a two-way flow of ideas and engagement.
"The ambassador program is a pull; you're getting them to come to you for information, you're getting them to come to you for topics and specific relevance...with ambassador programs, you can focus on a group."
Ambassador programs allow training to take a deep dive for specific departments or groups of employees. For example, an ambassador in the finance department can help guide a training program tailored to the attacks that department faces more than others, such as sophisticated social engineering attacks. Social engineering aimed at finance needs to be trained differently from the general employee's awareness of social engineering.
Another advantage of utilizing an ambassador program is gaining improvement in human risk behavior. As Nandita states, "With ambassador programs, you make them part of your security posture."
Getting Buy-In from Management
We all understand that without support from leadership, nothing moves (or at least not very far nor for very long). It's important to have executive support to make sure the program is backed by the company. Additionally, the more support you have from upper management, the more weight of importance and encouragement is lent to the ambassadors who do join. After all, they are taking on a little more work than their role expects of them, and if they know this focus is important to the executive team, it tends to help them be more involved, gives them a sense of meaningful contribution to the company, and offers the potential for recognition.
Nandita observed that getting buy-in is much easier today than it was when she started a decade ago. Human risk is a growing topic of interest, as is the understanding that managing that risk through programs such as a security awareness ambassador program is one of the pillars that contribute to an organization's overall security posture, along with tooling and monitoring.
She recommends noting the metrics, behaviors, and challenges within your organization and presenting those to the CISO, CIO, or CTO while demonstrating the financial or qualitative damage these behaviors are causing. In her experience, it's typically only taken a couple of slides outlining the risks and rewards to get buy-in for a small budget. With that budget, she's found that a little bit of SWAG can go a long way for individuals participating as ambassadors, giving them a sense of exclusivity and bragging rights.
Rolling out the program
Size - Regarding the question of size, for smaller organizations (~1000+ employees) Nandita recommends aiming for 1% of the overall population as a goal for building up your ambassador program.
For organizations considered mid to large, anywhere between 1%-3% should be adequate.
Where to start? - She recommends starting by identifying the channel most employees go to for information within the company - Yammer, Slack, Microsoft Teams, etc. Then determine the type of program you want to have and how it would look - get a general direction to start, even if you don't have it all fleshed out yet. You can always iterate as you go, which is essential given the ever-changing world of security awareness.
Get the word out - Make some noise and make it exciting - announce the program along with the value proposition for those who get involved. Create buzz that these ambassadors will 'learn the latest and greatest in security'; they'll be on the cutting edge, in the front of the pack, learning and leading others. Let them know the benefits they will get out of participating as an ambassador. In short, you need to 'sell' the program, and if you're uncertain how to do so, consider finding a teammate in the marketing and communications team to help.
Have a plan - It should go without saying, but before you announce that you're starting an ambassador program, establish at least some parameters first.
Nandita shared a few ideas she has used in the past, across the three programs she's helped to establish and/or advance, when introducing the program:
- Create a special title for the ambassadors who are involved - this gives a sense of identity and acknowledgment
- Establish whether there will be levels for different ambassadors, or whether everyone will have the same level of responsibility and tasks
- Can anyone be an ambassador or is there some exclusivity involved? Nandita found that including some barriers to entry kept the participants more interested and involved.
- Lay out the time commitment involved - she found that one to two hours a month is reasonable for most
- Detail what they will get out of it - as in most marketing messages, there's always the element of WIIFM (What's In It For Me). As they are taking time and resources away from their main job assignments, it's important to let them know why it's worth it to join. Plus, you'll be sure to get ambassadors who are on board with that, which will minimize churn.
Kick it off - The kick-off needs to be exciting to demonstrate to the volunteers that it will be interesting and valuable. If possible, ask upper leadership such as the CTO, CIO, or even CEO to join, even if just for the first few minutes, to lend their support to the initiative.
Regular engagements - Out of the one to two hours allotted monthly for the ambassadors, Nandita recommends that the most important requirement for them to keep is attending the monthly 45-minute session that informs, trains, and updates them on the latest trending topics, any major breaches, or concerns relevant to the company. The first 30 minutes are for sharing the information and the last 15 are open for the ambassadors to engage and ask questions.
"So the monthly talk keeps them engaged, keeps them involved, and has you having somebody out in the field, in other departments and groups, staying updated and talking to other employees about what's happening. It becomes water cooler talk, it becomes information and they spread it for you. So the monthly talk is important."
Equip and mobilize - Along with the mandatory monthly session, it's important to provide a variety of materials the ambassadors can share with their teammates. Consider resources such as infographics or cheat sheets, and ask if they would consider sharing them in an upcoming staff meeting.
But it shouldn't be a one-way street: also get feedback from the ambassadors on what they want to learn about and what is important to them in their specific roles and departments, and create material around that as well. This gives ownership to the individuals helping and makes their contributions more tangible.
Nandita and her team commit to being available to present to different departments every month, but they also ask the ambassadors to commit to doing their own presentation once or twice during the year. And of course, they also ask for help during Cybersecurity Awareness Month in October.
Maintain the feedback loop - Beyond the monthly meetups for the ambassador team, it's important to provide other channels for feedback, as not everyone is comfortable speaking up in a group setting. A Slack channel dedicated to the team, along with making sure they know they can reach out directly, allows them to give more informal and on-the-spot input. Reassuring the participants that you are available to discuss any ideas or programs they feel their department needs goes a long way in building trust. Nandita also suggests that anonymous surveys for updates, queries, and concerns work well, too.
Bringing it home - One of their program's biggest 'selling points' is being a resource to program participants with a channel to answer home security concerns as well. When asked about it, Nandita shared, "We encourage it...and that's fine because all of that is related - whether it's home or at work. And if they understand the concept, then they go home and they understand their router and they understand turning off their SSID broadcaster, changing, making the password stronger, they understand coming to work, and not bypassing controls."
Recognition - Recognition can come in many forms and is critical to let the ambassadors know you value their contributions. While SWAG is a fun one, many budgets don't allow for it, and recognition isn't limited to giveaways. It can be as small as a shout-out highlighting them to the rest of the company on internal channels. This provides recognition while also raising awareness among their colleagues that security isn't limited to just the security team.
Something Nandita is excited about in her organization is having the CEO call out their top ambassador at the yearly town hall meeting. Not only does it give considerable recognition to the individual and the program, but it also sends the message that cybersecurity is important to the executive team as well, which has its own ripple effect.
Branding the program - With awareness of any kind, whether it's for social responsibility or a charitable cause, branding helps to establish identity and context. Collaborating with the communications and/or marketing teams can help a lot in this area to generate ideas for a program name as well as a logo or emblem. Not only is it fun if you can get SWAG, but branding also helps when ambassadors distribute flyers and other assets, signaling to other employees to take note. Additionally, it naturally aids in marketing the ambassador program itself, which makes others curious about what is going on and how they can join.
Administrative overhead - Between planning and maintaining an ambassador program, Nandita estimates somewhere between 5-10 hours of work a month is needed, depending on where in the process one is (ramping up or in maintenance mode), including keeping in touch with ambassadors throughout the month.
Teamwork makes the dream work - In sourcing speakers for monthly talks to the different departments, Nandita stresses looking internally first by leveraging your own company's security and IT teams. "We find that the pen testing team are a wealth of information and they have really interesting, scary stories and everybody wants to hear their stories. For the Intel Team and Incident Response Team, it's an opportunity for them to get out from behind their desks and talk to the people that they are monitoring and tracking and do a nice two-way dialogue. It's also great for the employees to be reminded of the monitoring going on, that their systems are being protected, and looked at and booked."
Additionally, she suggests looking to vendors your company works with as a resource for speakers.
Measuring the Impact - The basics of measuring the success of a security awareness program, especially when starting out, include the typical tracking of reporting: reported incidents and reported phishing. When you see that trend increase, it's a great indicator. But once you start adding other elements such as those discussed for the ambassador program, it gets a little trickier. In that case, Nandita finds a simple survey of the ambassadors is the best source.
One other added benefit she has seen is that the more the security team is involved in the overall awareness program, the more departments initiate requests for the security team to assist them in ensuring a project is secure from the start. When this happens, the number of such requests is also a metric to watch, and a rising trend is a huge win.
Resources Recommended by Nandita:
Looking for awareness training that is short, relevant, and engaging? Check out Wizer’s free security awareness video library.