Editors Note: Today's guest post is from Angela Pappas. Angela helps lead the awareness program at Thomson Reuters, a global organization with over 58,000 people. In this series of blogs Angela shares with us how she established their Security Ambassador Program.
Since the inception of my role in 2012 as a part of the information security training and awareness group at Thomson Reuters, it's often felt overwhelming to think of creative ways to educate every last employee about the role they play to help safeguard our assets, to keep us operationally effective and to ensure our reputation stays intact. Thomson Reuters employees approximately 58,000 staff and contractors in over 100 countries. Our size and international presence makes it very challenging for me and my colleague to adequately reach all employees with information security messages.
I bet you can relate, right? So what's an organization to do? What steps can we take to help bridge this gap and reduce our risk? For a year or so I put on my thinking cap to try to solve this issue and then it hit me! What if we enlisted the help of employees from all over the world to be a franchise of the information security organization at their office location? They could act as our eyes and ears on the ground in offices where the ?human firewall' may not otherwise be educated. I gathered my thoughts and then pitched the idea to my manager; he agreed it had strong potential. So, we drafted a job description (previous experience not necessary!), a list of the types of activities an ambassador might do and finally a document to describe the strategy, approach, "wiffm" (what's in it for the ambassador), next steps and so forth. We presented all of this to the CISO and he was eager to get the ideas up and running.
From there and with very little pomp and circumstance, we socialized the concept of an information security ambassador pilot group on our intranet. Two days later we had a total of 23 interested employees—eager staff from all different parts of the world. I was pleasantly surprised and a whole lot excited. We moved swiftly to engage the employees and get them (and their managers) on a call to share the details and ensure their engagement. Our CISO handled the presentation because he wanted the employees to know he fully supported the pilot. The interested employees were eager to immediately participate. As a part of the pilot program, many have done face-to-face presentations, new employee orientation sessions and lunch-n-learns. While others have ensured our key messages were included in their department newsletters, emails and team meetings. The way each person has participated has been different based on their location and culture, as well as their department function and responsibilities.
In the next series of blogs I will cover in more detail lessons learned, metrics, success stories, how we motivated ambassadors to participate and our plans for scaling the pilot program.
Bio: Angela's worked in the IT field 18 years and with Thomson Reuters since 2000. She was a technical writer before moving into various leadership roles related to technical writing, technical training, process improvement and software development teams. In 2009, Angela moved to the information security risk management organization where she managed customer assurance responsibilities. In 2012 Angela assumed her current role as director, training and awareness, where she now focuses her skills on eLearning, communications and marketing, and the ambassador program. Angela is truly inspired when she can leverage her working relationships, effective communication and collaboration skills, and the organizations' core values (trust, partnership, innovation and performance) in order to educate employees, help change their behavior and reduce risk. Angela would love to hear your ideas, stories and questions — feel free to email her.