While efforts are constantly being made to increase the effectiveness of cybersecurity training through approaches like gamification, these programs often fail to create a culture that instills a sense of ownership in the collective safety and security of an organization. By implementing a security ambassador program, organizations empower their employees to take a more active role in ensuring that the most relevant policies are communicated in a relevant and effective manner. Security ambassadors are individuals chosen to help educate their peers on a variety of cybersecurity concerns. They can provide ground-level support to raise the collective level of security throughout an organization with a minimal investment of resources. In RSAC’s webcast “How To Build a Security Awareness Ambassador Program,” Lance Spitzner, Director at SANS Security Awareness, explains, “ultimately, our goal is to go beyond behaviors and create a secure culture.”
Empowering and Engaging Ambassadors
Creating an effective security ambassador team is about empowering individuals to raise the level of security among their peers by providing relevant information and promoting best practices. Generally, the most effective ambassadors are those individuals who are comfortable with the business and technical aspects of security while not being members of the leadership or security teams. This ensures that ambassadors view and approach security concerns from the same angle as those whom they are assisting. Ambassadors should have strong social and communication skills that enable them to work well with their peers and those in leadership roles. After choosing security ambassadors, it is important that they are given an avenue for communication to ensure that they are able to collaborate with security awareness teams and that their concerns are received and recognized. Ambassadors should be given feedback in a timely manner that lets them know that their efforts are heard and appreciated. Platforms such as Slack or Teams provide a convenient, yet direct, method for formalized communication.
Making the Program Simple and Fun
In order to make a security ambassador team as effective as possible, it is important to ensure that the goals and expectations for the team are as streamlined as possible. Ambassadors should be given clear objectives on areas where they can direct their efforts. Issues may be related to recently emerging threats or other general areas of concern in which an organization is looking to improve. Regardless of the situation, security ambassadors are not security professionals, and it is important to recognize that their goals should be specific and limited in scope.
While security ambassadors should be chosen for their suitability in helping others, it is important to make the role as fun as possible. Security ambassadors are not typically compensated financially. However, there are usually certain perks that come in the form of awards, certifications, special social gatherings, or even swag. Although these gestures might represent small financial investments, they are vital to making the role feel fun and rewarding for participants. Ultimately, “almost everyone wants to have an impact,” explains Spitzner. Fun and recognition are just two of the ways that ambassadors are rewarded for their contributions.
Managing Resources and Ensuring Continuity
For the most part, a security ambassador program is a small financial investment with the potential for great returns. However, the most significant resource that must be dedicated to creating a security awareness team is time. Security ambassadors must be adequately trained to have at least a rudimentary understanding of the broader goals of the information security team, and they must receive training on the specific issues that they are being asked to recognize and promote to their peers. It is also necessary that ambassadors have a point person who coordinates the specific areas of concern that they are being asked to address, responds to their questions and concerns in a consistent and timely manner, and recognizes their efforts. It is also important to ensure continuity within the program. While it is inevitable that there will be ambassadors who, for whatever reason, are no longer able to execute the tasks required, appointing new ambassadors and keeping messaging and responsibilities consistent will ensure that the program remains effective and viable moving forward.