What is really involved?
As cyber threats evolve and data breaches make headlines, many organizations face a challenging mission: “How can we strengthen our information and privacy defenses and ensure that everyone in our organization is aware of the critical role they play?” Welcome to the world of information security ambassadors – the heroes who stand up as protectors of personal corporate data and guarantors of privacy. These ambassadors are a crucial part of successful information security and privacy programs and can make the difference between a robust defense and a vulnerability that can be exploited.
Imagine an ambassador actively involved in creating a vibrant community of colleagues, where knowledge is shared and best practices are disseminated as a valuable commodity. It can be done, really!
In this article, we explore the essential building blocks for a successful ambassador program and the critical choices organizations must make to roll out their program. Discover how to use ambassadors as powerful allies in your fight for information security and privacy, and learn from the choices other organizations have made for you.
The Foundation
Think of establishing a successful ambassador program as building a house. No house without a solid foundation. You don’t just start building at random, but make sure your house stands on strong and reliable pillars.
A sound ambassador program leans on the following four pillars:
1. Organization & community management
To begin with, you will need to shape the program. You get a team together to set up the program. Questions such as who, what and when pass the review, and you will need to take your community management off the shelf. Regular appointments and meetings will also need to be scheduled.
2. Processes & tools
A successful ambassador program is all about clear processes and the right tools. Measure progress and facilitate communication with a system that both allows exchange and captures statistics. Whether it is a specially designed tool (such as the Security Rockstar Program developed by Brooklyn Partners.) or existing channels such as MS Teams, provide a community tool with two-way traffic. Here ambassadors can not only receive information, but also ask questions, make suggestions and share experiences. Encourage active participation through feedback loops and a culture of open communication.
3. Activities for community
To keep ambassador engagement and motivation high, it is important to provide them with clear guidelines and expectations. Define the specific activities and tasks expected of them as ambassadors.
4. Activities in organization
The ultimate goal of any ambassador network, of course, is to get the message widespread within the organization. For that, you will have to put your creativity into high gear. Devise and develop activities that not only excite and challenge, but also spread through the organization like wildfire. This is especially crucial when participation is voluntary and stems from intrinsic motivation. Think immersive digital escaperooms or interactive “nanolearning” experiences, for example.
The Design
The foundation is in place, now you will need to shape the design – or in other words the key choices you make while setting up your ambassador network.
There are four main areas in which you will have to make choices: Focus, Governance, Resources and Measurement. For each domain, there are several directions to choose from. Let’s begin.
Focus
What do you want to use your ambassador network for? What target audience are you using as ambassadors? A permanent group of ambassadors or variety? And do you recruit your ambassadors on a volunteer basis or do you assign them?
Behavior & culture ↔ IB&P / IT wide
Where is your focus? Do you expect ambassadors to be primarily concerned with cultivating a safe culture + behavior within their teams? Or do you want them to implement the full IB&P program and security roadmap? It is essential to make this choice up front, to avoid people signing up for one goal and then being tasked with completely different tasks. We often see organizations initially frame their program in one area, achieve success, and then expect more and more responsibilities from their ambassadors. In the long run, this can backfire because the ambassadors did not sign up for this in the first place, so be careful with this.
Top Down ↔ Bottom Up
Do you choose executives and middle management to take on certain tasks, or do you want to have ambassadors who are among colleagues on the shop floor? It is important to consider the different audiences. It is not so much a matter of right or wrong, but rather of making a choice at the beginning. That way you create support and involve the right colleagues.
What we often see is that when you have a shop floor group that is identified based on their intrinsic motivation, people from higher positions are also eager to participate because they think it’s important.
Fixed group ↔ Rotation
Here you choose between a permanent team of ambassadors or a regular renewal of the group, every six months or every quarter, for example. In this way, you are asking for commitment for a certain period of time rather than an ongoing commitment.
Voluntary notification ↔ Designated
On the one hand, you can designate a group of people as ambassadors, but ideally you are looking for a group of people who want to participate from intrinsic motivation. You want to entice colleagues to volunteer, but how do you get them to do so? We have a clever measurement model for that: the cyber barometer. With this, we measure your organization’s resilience level and can identify specific groups. Through thorough analysis and questionnaire, we identified the group of people who feel most responsible for Information Security and Privacy in no time. But you yourself can quickly discover what social behavior a person exhibits with a simple question. “Do you alert your colleagues in case of a phishing email?” Anyone who answers “yes” to that, as far as we are concerned, is the group voluntary sign-up.
Of course, you can also choose designated ambassadors, for example, based on expertise or availability. But that does greatly affect the choices you make afterward.
Governance
How do you manage the ambassador program, in terms of resources, responsibility and direction?
On the basis of best effort ↔ Resources secured
Roll out the program in coordination with managers, and set the number of hours per week, per month, or per quarter. Do you set certain goals? Are you securing your resources? Or do you let ambassadors determine how and when to shape their ambassador role based on best effort? Thus, they will have to set their own priorities. Practice shows that working on their own initiative works well, but then you have to entice them to actually work on it.
Send ↔ Dialogue
Ideally, there will be two-way traffic between the ambassadors and the organization. In which the program is shaped together and then feedback is returned. Unfortunately, in practice, it still too often ends up just sending. Larger programs, for example, set aside an hour once a month where anyone can dial in, pouring out too much information on the ambassadors. After which nobody really gets moving, which is not bad in itself, but you won’t achieve real behavioral and cultural change with that. It is better to let the ambassadors themselves and together shape the program they roll out and in constant exchange see where one stands as an organization and still wants to go. Choose what you think is important and make sure you have made a clear choice in advance and plan the corresponding activities and resources for it.
Resources and activities
What exactly do you want to measure to capture results?
Result metrics ↔ Community metrics
Traditionally, the most commonly used measure (and thus an indicator of program success) is often the number of people participating in the program. Unfortunately, that metric is super meaningless and does not provide a clear picture of the impact of your ambassador program. Ultimately, you want to know what impact the ambassadors have had on those around them and colleagues.
Only when you can say:
“Hey, we made sure 120 compliments went into the organization making 120 people feel appreciated for their safe work behaviors.”
do you have a cool metric up your sleeve.
The real impact lies in how many people you actually reached in the workplace, not how many participated.
In conclusion
Now it is your turn to take action. Build your foundation, make your design choices and inspire others. Together, we are creating a safer digital world and ensuring that headlines are no longer dominated by data breaches, but by our success stories.
Do you have any questions or want to spar about the possibilities of an ambassador network within your organization? Take
here
contact us here.
PS – Curious about our “Security Rockstar Program”? In a next blog we will explore this in more detail and show how applications from science can contribute to the success of your ambassador network.