Security Awareness Blog

Motivating Staff to Join the Awareness Cause: What the Ambassador Pilot Taught Us

AngelaPappasEditors Note: Today's guest post is from Angela Pappas. Angela helps lead the awareness program at Thomson Reuters, a global organization with over 58,000 people. In this series of blogs Angela shares with us how she established their Security Ambassador Program.

About a month ago I wrote a blog about the Information Security Ambassador program at my company, Thomson Reuters. Our program enlists employees from around the world to educate and raise awareness with staff at their locations. In my blog, I promised to follow up with additional information related to lessons learned, success stories, ideas for motivating ambassadors and so forth. So here we are! Since rolling out the pilot in early 2014, we've learned a great deal about what makes this program work for us. The ambassadors helped embed information security messages deeper into the organization in many ways. Here are a few examples:

  • Ambassadors asked the people in their locations to complete the annual required information security eLearning module. Several ambassadors rolled their sleeves up, dug into spreadsheets and reached out (for example, email and face-to-face) to the people in their location who had not completed the eLearning. They made a very specific ask that the employee complete it by a given date. We saw hundreds of staff complete the eLearning because of this approach. To boot, we learned staff in India really appreciate certificates to hang in their work area. So, we created a Handbook Completion Certificate and ambassadors filled in the names and then either presented the certificates in person or sent them over email to employees. This was a huge hit in the India offices!
  • Ambassadors set up and presented to people at their locations on specific topics tied to campaigns. One ambassador in Switzerland put together a fantastic presentation about cyber security. Over 50 people showed up for his in-person presentation! Afterwards he learned a large group of people in an office in France wanted him to present to their site as well. The word traveled fast!
  • Two ambassadors (one from the United States; one from India) collaborated on a cyber security presentation for an office in India because the ambassador from the US was going to be traveling to India. They had over 150 people attend the in-person presentation.
  • Four ambassadors worked with their Human Resources departments to ensure information security content is included in the new employee orientation presentation, and in 2014 three ambassadors raised their hands to present at new employee orientation.

When it comes to motivating the ambassadors, our goal is build a strong working relationship with each one, respond to their questions promptly, listen to their ideas and recognize them for their time and efforts. The approaches we're taking now include:

  • Making them privy to information security-related data they would never learn otherwise
  • Inviting them to information security department meetings where special projects are discussed
  • Asking them for their feedback and implementing their ideas/input accordingly
  • Holding monthly meetings where internal experts speak, as well as external experts. Recently an FBI agent attended a monthly meeting to discuss social engineering and phishing.
  • Providing a certificate for their dedication and service signed by the Chief Information Security Officer
  • Awarding a virtual badge on our internal web site

Last but not least, we're working to fund opportunities for ambassadors to get CISSP or CISM certified. The pilot afforded us a load of lessons learned. To name a couple, we learned:

  • When done correctly, in-person presentations offer a great learning experience for staff no matter their geographical location
  • Each business within our enterprise uses different communication mediums and ambassadors are essential to help navigate those nuisances and insert our messages the ?right' way
  • Staff in different countries appreciate and are motivated by different methods of acknowledgement
  • Ambassadors are inspired to raise information security awareness in different ways, so leverage their strengths and watch them soar

In 2015 we want to continue doing the things that worked well in the pilot in order to increase our reach across the company and the globe. With that in mind, we plan to recruit one ambassador for every location where 200 or more employees sit and increase our ambassador presence from 26 to approximately 98.

Bio: Angela's worked in the IT field 18 years and with Thomson Reuters since 2000. She was a technical writer before moving into various leadership roles related to technical writing, technical training, process improvement and software development teams. In 2009, Angela moved to the information security risk management organization where she managed customer assurance responsibilities. In 2012 Angela assumed her current role as director, training and awareness, where she now focuses her skills on eLearning, communications and marketing, and the ambassador program. Angela is truly inspired when she can leverage her working relationships, effective communication and collaboration skills, and the organizations' core values (trust, partnership, innovation and performance) in order to educate employees, help change their behavior and reduce risk. Angela would love to hear your ideas, stories and questions ? feel free to email her.

 

1 Comments

Posted April 30, 2015 at 6:17 PM | Permalink | Reply

HJohn

I mean no disrespect by saying this, but having Ms. Pappas' photo on the blog does make a scroller stop and look. Very lovely. Just sayin'.
I like the Ambassador concept very much. I often call on my colleagues to be good "stewards" of their knowledge and responsibilities. That's why I agree with rejecting the "you can't patch stupid" label. While the frustrations are understandable, I would imagine certain groups could say the same about us and our lack of proficiency in topics like law, medicine, etc.