A common challenge with awareness programs for large organizations is no one single awareness officer can effectively communicate to everyone. As a result, larger organizations will sometimes build an ambassador program, these are volunteers that help represent the security awareness team and share best practices, answer simple security questions and can be a conduit between their peers and the security team. Sometimes these ambassadors have some additional training. The idea is these ambassador programs help compliment the awareness program and expand its reach.
Recently I had the thrill of working with an organization that took this concept to a whole new level, where the ambassador program WAS their security awareness program. Individuals were carefully selected throughout the organization to become official security ambassadors. Each one of these individuals received a full day of initial training with planned follow-on training. In addition to training these ambassadors had their own website which provided updated information and resources, forums for internal ambassador communications, and even their own local budgets. In addition, these ambassadors were recognized for their training and efforts with official certificates and plaques. You know a multi-billion dollar organization is serious about its awareness program when both the CIO and CISO are there to personally assist with the ambassador training.
This was amazing to see in action as I saw the power of individuals communicating with their co-workers. These ambassadors understand the challenges their peers face, how to best to communicate to and engage them and change their behaviors. I also learned that while people throughout the organization faced the same common challenges (such as co-workers simply not realizing they are a target) each ambassador would approach and address these issues differently.
I'm really excited about this concept and look forward to seeing how it grows and develops.