Security Awareness Blog

Motivating Staff to Join the Awareness Cause

Editor's Note: Today's guest post is from Angela Pappas. Angela helps lead the awareness program at Thomson Reuters, a global organization with over 58,000 people. In this series of blogs Angela shares with us how she established their Security Ambassador Program.

Since the inception of my role in 2012 as a part of the information security training and awareness group at Thomson Reuters, it's often felt overwhelming to think of creative ways to educate every last employee about the role they play to help safeguard our assets, to keep us operationally effective and to ensure our reputation stays intact. Thomson Reuters employs approximately 58,000 staff and contractors in over 100 countries. Our size and international presence make it very challenging for me and my colleague to adequately reach all employees with information security messages.

I bet you can relate, right? So what's an organization to do? What steps can we take to help bridge this gap and reduce our risk? For a year or so I put on my thinking cap to try to solve this issue and then it hit me! What if we enlisted the help of employees from all over the world to be a franchise of the information security organization at their office location? They could act as our eyes and ears on the ground in offices where the 'human firewall' may not otherwise be educated. I gathered my thoughts and then pitched the idea to my manager; he agreed it had strong potential. So, we drafted a job description (previous experience not necessary!), a list of the types of activities an ambassador might do and finally a document to describe the strategy, approach, "wiffm" (what's in it for the ambassador), next steps and so forth. We presented all of this to the CISO and he was eager to get the ideas up and running.

From there and with very little pomp and circumstance, we socialized the concept of an information security ambassador pilot group on our intranet. Two days later we had a total of 23 interested employees, eager staff from all different parts of the world. I was pleasantly surprised and a whole lot excited. We moved swiftly to engage the employees and get them (and their managers) on a call to share the details and ensure their engagement. Our CISO handled the presentation because he wanted the employees to know he fully supported the pilot. The interested employees were eager to immediately participate. As a part of the pilot program, many have done face-to-face presentations, new employee orientation sessions and lunch-n-learns, while others have ensured our key messages were included in their department newsletters, emails and team meetings. The way each person has participated has been different based on their location and culture, as well as their department function and responsibilities.

In the next series of blogs I will cover in more detail lessons learned, metrics, success stories, how we motivated ambassadors to participate and our plans for scaling the pilot program.

Bio: Angela's worked in the IT field 18 years and with Thomson Reuters since 2000. She was a technical writer before moving into various leadership roles related to technical writing, technical training, process improvement and software development teams. In 2009, Angela moved to the information security risk management organization where she managed customer assurance responsibilities. In 2012 Angela assumed her current role as director, training and awareness, where she now focuses her skills on eLearning, communications and marketing, and the ambassador program. Angela is truly inspired when she can leverage her working relationships, effective communication and collaboration skills, and the organization's core values (trust, partnership, innovation and performance) in order to educate employees, help change their behavior and reduce risk. Angela would love to hear your ideas, stories and questions; feel free to email her.

 

6 Comments

Posted March 31, 2015 at 2:11 PM

Michael

This is a great idea! Especially when resources (paid-positions) are not readily available. Further, if someone has actually volunteered to get involved, versus having to do it as part of their job, then they are probably more enthusiastic to boot! I really look forward to the next installments of this, so I can start drafting my master plan!

Posted April 1, 2015 at 11:17 AM

lspitzner

Michael, I too am very excited about this series from Angela. Ambassador programs are an area I'm seeing orgs get tremendous ROI on. John Kotter's latest book "Accelerate" actually talks about the very same concept. Finally, John Diageo will be talking about Ambassador programs at the EU Security Awareness Summit: http://www.securingthehuman.org/events.

Posted March 31, 2015 at 2:23 PM

Michael

To add to my previous comment, I would be interested to hear Angela's thoughts on this article on this blog:
http://www.securingthehuman.org/blog/2015/03/10/what-you-actually-need-is-a-security-communications-officer
Specifically, the want for NON-technical folks in roles of InfoSec Comms. Officers vs. Technical InfoSec Awareness Officers. Granted, this seems to be pointing to a paid role instead of a volunteer, however it is the intended mindset that I am mostly asking/curious about.
Thanks!

Posted April 1, 2015 at 10:14 PM

Angela Pappas

Hello Michael, thank you for your comments. You are completely right; our ambassadors want to be in the program and are eager to assist. This makes all the difference because they made the choice; it wasn't made for them. Result: higher levels of engagement and motivation.
I read Lance's article blog about security communications officers a few weeks ago. I think we need people with strong communication, project management, and 'people' skills in this type of role WITH a solid understanding of technology. Note I didn't say a person who is technical. I don't consider myself 'technical' per se even though I've been in IT a long time. What do I mean by that? Well, I understand just enough to be able to explain some of it (e.g., encryption, two-factor authentication, what's happening behind the scenes of a phishing email, etc.), but I am not an expert (and I don't want to be). I rely on the technical experts in the organization for many things and for the collective wisdom of the team.
I instead prefer to leverage my strengths and the things that inspire me, that is, my communication and collaboration skills, business relationships and knowledge, project management experiences, and our culture (aka, how we get things done around here) in order to do my job. Add in a few sprinkles of my understanding of technology and it's been a good foundation for solid results and success.
What was your take on the blog?

Posted April 13, 2015 at 7:34 AM

Muhammad Hamad

This is an absolutely great idea. But what would be your approach in countries or regions where there needs to be a cultural change? Where people are a little reluctant to get on the bandwagon, and maybe even not consider Information security an important aspect of business.

Posted April 15, 2015 at 11:11 AM

lspitzner

Each region often faces its own unique challenges. I've worked extensively in the Middle East and Asia, where people often view security as a 'western' problem. One idea is to simply ask people what motivates them and what they are interested in. Another idea is to reach out to those who are interested in security and find out why. Then see if you can apply that to others in the organization. Culture plays a huge role.