Forging Allies For Security Awareness | Live Stream Recap

Gabriel Friedlander: Good morning, good afternoon, good evening, depending where you're coming from. This is going to be a really interesting session today. We have an amazing guest, Dustin. I'll let you introduce yourself, but just to give a high level overview of what we're going to talk about today.

We're going to talk about ambassador programs. We can call it a champion program, but it's really about creating a lot of engagement within the company with the hope to increase the security culture and make everybody care about cybersecurity.

So that's the short version. I'll let Dustin introduce himself and also sort of share what your definition of an ambassador program is. And also, how did you, you know, how did you end up doing this? 

Dustin Lehr: First of all, thank you very much for having me. I'm really looking forward to this discussion and, and getting whatever questions come my way when it comes to this topic.

My favorite topic, frankly. Yeah, so I'm Dustin. I was actually a developer for 13 years, so I spent a lot of time writing code. A lot of time, frankly, heads down, ‘leave me alone, people. I'm trying to do some work’ was sort of my attitude for many years. And then I got into cybersecurity which obviously is a very fascinating field, specifically application security.

And it became very clear to me that my methods needed to change a bit, especially because I got into it as an app sec leader pretty quickly. People take this differently so I'll just say it when you become an app sec person or even a cybersecurity person, you sort of become a salesperson because you're trying to sell security and it comes down to influencing people.

Change is really culture change, right? If all the developers, all of the engineers, all the people across your organization were already doing things in a secure way, it wouldn't need you. So a big part of the challenge here is changing habits and so forth, you know, to make people think more securely and, you know, perform more secure habits at the end of the day.

Anyway, so that's how I got into it. Now, in terms of your question about what is an ambassador program or security champion program, go ahead. 

Gabriel Friedlander: I think you're spot on, but unfortunately I think people are not that like that. You should become a salesperson. And I think that's a gap that we have in the market where security people are not selling their message to everyone.

And that hurts the culture. This is actually something I love. Again, I just wanted to stop here for a second because I think if we can get to a point where security people will understand what you just said, and they will become salespeople, and they will understand that it doesn't naturally come to all employees.

I think that's probably a stepping stone to achieve our goals. 

Dustin Lehr: 100%. I'm happy to index on this a little bit, because I think this is an important point that not a lot of people are thinking about. I do think it's way beyond just technical controls that are needed to make a difference when it comes to your cybersecurity posture. At the end of the day it's a lot about influencing other people.

And when I talk about salespeople, I'm not talking about the bad ones either. Let's be very clear about that. This doesn't mean using the dirty tricks that they use, right? This means pursuing effective ways to sell things, which doesn't include blasting everybody with nonsense emails or whatever, cold calls and so forth that have no context taken into account. Not what I'm talking about. 

I'm talking about effective sales techniques, right? Listening, trying to provide solutions. Trying to see if what you're providing lines up with what they need and what they want and so forth. That's what I'm talking about. I want to specify that because people think salespeople sometimes is like, ‘Oh my gosh, I don't want to be a salesperson.’

They have this negative opinion of them, but I'm talking about the good ones, which we all know, we all have the good ones. Like we've, we've all run across folks that have successfully influenced us or sold us something. And those are the ones I'm talking about. 

Gabriel Friedlander: Yeah. Value selling. You have to provide, you have to fall in love with the problem, be empathetic towards the user, understand their problem and provide them value so they can get better.

So I love that.

First of all, let's define what an ambassador program is.

What Is An Ambassador Program, Really?

Dustin Lehr: Security champions or security ambassadors - so the basic idea behind this concept is finding allies across your organization who can help you influence or represent security on their specific teams or within their specific departments.

And these are non security people, right? 

So finding those non security professional allies, working with them a little bit closer, helping educate them, helping them learn what it is, cybersecurity best practices are, and so forth. And then having that good two way communication between them, right?

So the security team learns from them in terms of what are the things that they're seeing their team do and so forth. And then they learn from the security team to better represent security on their teams. That in my mind is the basic definition. 

How Do You Sell Being an Ambassador To Non-Security People?

Gabriel Friedlander: So going back to the sales role that we just spoke about, how do you sell this role to non security people?

They probably would say to me, ‘I know nothing about security. This is something that I don't feel comfortable with.’ So how do you do that? First of all, what do you expect them to do? And second, who is your target audience? And third, how do you get them to bite and actually do something with this?

Dustin Lehr: Yeah, great questions. So in terms of finding people who would be good for this. I don't typically recommend imposing this role on people. I think for the most part, this has to be something that people can self select or volunteer for because otherwise it just doesn't work out. Like any of us can attest to this.

Like, do you like to be told what to do or do you want to have an option to choose to do it? Right. And especially in most cases, these champions are not being paid anything extra. They have more responsibilities, but now they're not necessarily being fully compensated for it. It's going to be very difficult to make somebody get involved, right?

So, what we look for, what I've looked for typically is really that spark of interest at the end of the day, right? You know, you will find people and this kind of goes into this theory of diffusion of innovation that I always talk about all the time, you will find people who are just not interested.

You'll say, ‘Hey, are you interested in becoming a champion? It's really cool. It's going to help your career and all this stuff.’ And they just go, ‘no, that's not for me.’ Don't bother with them. Like, don't try to change someone's mind. 

It kind of goes back to good sales techniques. If you're going down the path as a salesperson of trying to convince people that they need your product, you're probably not going to be very successful, right?

It's gotta be a lot more of spending the time to find people who are already looking for something already looking for your product. And in this case, already looking for an opportunity to get involved in extracurricular type activities, to learn more, maybe they have a specific interest in cybersecurity, whatever that is.

And finding people who are, you know, sort of already pursuing that and working with them at least initially. So that's kind of the expectation in terms of that. 

What Type Of People Are Good For Being A Security Awareness Ambassador?

Now, audience-wise, I would love to go into more detail here, if that's okay, I think. There's a lot of questions around should this person be a leader already?

Should they be highly experienced, you know, a software architect or whatever that is versus maybe an intern or an entry level person? 

What I always say is why would you refuse any help at all? 

Like what's wrong with inviting any of these folks into the program because everyone has something different to offer.

And I think I'm going to speak a little bit generally here. I do think the more experienced people have a lot of respect that they've earned across the organization and in their career in general. That's useful because they could probably better influence other people. Okay. But the people who are younger in their career bring a lot more passion and new ideas and new innovative approaches and that sort of stuff.

So there's this balance here where you can have a benefit from the folks who are involved no matter their experience level at the end of the day. 

Gabriel Friedlander: Yeah. And also for security teams that are always complaining about shortage, you know, maybe by doing this, you will find some people that, you know, you may use as additional resource for whatever you need.

Again, this opens a lot of opportunities for a lot of people. And I think like you said, it can have a variety of different diverse types of people. Not everyone has to be the leader. Sometimes it's the people that everybody listens to and they're not necessarily the leaders in the company.

You know, some people are just naturally influencing others and they don't have any management role. And I think it's also prestige, you know, like, Oh, I'm part of this group, this clique that is respected. 

There are the security folks. So I think that's really good.

How Long Should An Ambassador Stay In The Role? 

Do you think there needs to be a rotation or those people should be the ambassadors from the moment they come in, like forever?

Dustin Lehr: So I think this is where we should start to talk about the fact that not all techniques here or methods of implementing a security champion program are going to work in all cultures. You really have to think about what is the best way? Step back and really think about what you are trying to accomplish with your program.

I've seen a lot of programs that are just sort of winged, you know, like, I don't know, we've got a few people that are in a Slack channel, they do stuff. What I find a lot more effective is being very intentional when you create these types of programs:

What are you trying to accomplish? 

What's your vision?

What does this look like long term? 

How is this going to work operationally and so forth? 

That includes the question of is someone a champion forever? As long as they want to, do they participate for a little while and then they gain the knowledge they need, whatever, and then they roll off and someone else, you know, comes in to replace them?

There's a lot of different ways of doing it, I think in general. My preferred approach goes back to what we were talking about before. Why would you refuse help? To make somebody leave, like, ‘sorry, you know, you've been doing this for a year, go do something else.’ I don't think it's really helping your cause.

A lot of this is about culture change at the end of the day, changing hearts and minds and so forth. I think it starts with the champions. And I think the ideal situation is that this champion program grows. And you invite more and more people into it who are interested and so forth until eventually - which I've never seen this happen quite yet - you just have the whole culture recognizing the value of this and being champions essentially themselves. 

That would be like the ideal end state in my mind. 

What Should We Expect The Impact To Be From A Security Awareness Champions Program?

Gabriel Friedlander: Before we go into how to do it, let's sell the value of this to the audience. What should I expect? What's the outcome of this? Like, how will my organization be different? And I'm not even talking about KPIs, just in general, like what do I expect to see difference having a security awareness champion?

Dustin Lehr: Yeah, it's a great question. I do think it goes back to what you're trying to accomplish with your program, ultimately, so it could vary. 

It's kind of the first thing that I would say but I do think in general, a lot of the common themes are people are not just taking their training for granted, but actually utilizing the things that they're learning.

And there's a lot of ways to measure that. Like you can look at things, let's just use phishing as an example, right? You can look at things like phishing. Like what are the rates that people are reporting phishing or clicking the wrong link on the phishing email, whatever that is, collecting those statistics over time, and then seeing how the implementation of that program has affected those numbers ultimately is a really good way to do it.

I also think there is sort of an A/B type approach where you can directly compare the way that champions are acting versus the way that non champions are acting. You know, how many more phishing emails do they report versus not, because you can kind of prove softly, there's a bit of a correlation that you have to prove there instead of direct causation, but you could prove and correlate the fact that this type of program is affecting those numbers by doing those, you know, basically statistical analysis approaches and setting up those kinds of A/B tests and experiments and so forth.

I think that's the best way to do it. A couple other notes if you don't mind - I do think that it's time consuming to set all this stuff up, but it's also totally worth it.

And if you can take the time to measure sort of a before and after state, you're going to be able to make a very strong case that your champion program is working.

Gabriel Friedlander: One thing that I've seen with some successful programs is after doing this, I've seen that people start to reach out to the security teams, for example. When they are starting to work proactively, when they are starting a new project, they're starting to sort of ask for advice versus after the fact, they're bringing the security team early on.

So you see that they understand the importance of security. They understand that security can almost act like a helmet and protect them and allow them to move faster without breaking things. And so that's something that I've seen, you know, with very effective programs that people are just so proactive asking questions, raising their hand and are not afraid.

I think that's the key thing. People are not afraid when the security culture and the program works well, because they know that even if they messed up, and they will come to you, you're all in this together and you're going to work to solve this. So that's what I've seen that happens with good programs.

Example of Impact

Dustin Lehr: Yeah. And I've, I've just to expand on that a little bit, I've seen some, in my opinion, crazy things happen when you properly incentivize people to get involved and sort of inspire them to a large degree. This was from my experience at Fivetran when I built their program. What ended up happening is, we had sort of a leveling system that we had set up, right?

And the biggest reason we did that is because it helps to recognize people's efforts as they progress through the program, as they're learning and getting more involved. And what started to happen was the highest level black belts. It was sort of this karate belt system, right? The highest level being black belts.

They started to go above and beyond and started to do a few things that we thought were amazing. As an example, one of them started a book club to read security books, okay. And, organized it and did the entire thing, invited people to it, set up the bi-monthly meetings that we had and so forth.

Can you imagine a CISO randomly asking a person across the environment to start a security book club. ‘Hey, you start a security book club. That would be really cool.’ They're not going to be interested in that, right?

So to me, something like that shows a level of maturity where people are being rewarded and recognized to the extent that they are inspired to do something like that, and you can't find that elsewhere, right? I think this is the way to go about that.

Who Can Start A Security Awareness Champions Program?

Gabriel Friedlander: So we spoke about the value. Hopefully the audience bought into that. It's a good idea. If we did a good job, I hope they now bought into this.

What do I need to do? Is it, first of all, is it a good fit for me? Am I mature enough to do this as the company? And if yes, what are the first steps that I need to do to, first of all, see if this is a good fit for me, like what are the cheapest MVP activities, let's call it, of a security awareness program ambassador program, just to make sure this is working for us.

Dustin Lehr: Yeah, it's a good point. You, you're kind of speaking to a little bit more of like a grassroots type approach, right? Let's get in there. Let's try this out. I will say that you can start a program like this, no matter your maturity at the end of the day. This really just has to do with building relationships with folks who are not security professionals and helping to educate folks and change the culture.

Ultimately that can happen at a very small startup right now. In terms of maturity of a champion program, I don't think a very small startup is going to need the amount of rigor and deep detail in terms of how the program would work and so forth.

I think that comes with it, and it's sort of necessary at larger companies, right? Like you can't just have a few people around that you're hanging out with and learning from each other and so forth. I think you need more of that structure for a larger company is what I'm trying to say.

Cheapest is kind of the word that you used. I do think those grassroots programs work just fine, especially at smaller companies, right? Where it's like, ‘Hey, I'm just going to get out there and start talking to people about cybersecurity. I'm going to find people who are interested.’

I'm going to continue to kind of work with them. Maybe we meet every month for an hour and we just kind of talk about security stuff. Right. That's a very basic, all the way up to where there's a larger appetite for a larger program, you're going to need more structure. You're going to need to set goals, vision for the program.

Like we were talking about before, you're going to need that leadership buy in and you're going to have to do this in a little bit more of a big bang kind of way where, ‘Hey, we've got a new program. Here's how it works,’ you know, and it takes a lot of time to design for that and set all that up and get all the communication right, and marketing right, and sales methods right - all that stuff.

So yeah, so it varies and it's really based on your goals at the end of the day and the size of your company and so forth.


 


What Does A Mature Security Awareness Ambassador Program Look Like?

Gabriel Friedlander: I do want people to sort of understand what a mature program looks like.

So if you can paint a picture for people what an up and running program looks like, what are the components that are inside? Use your product, for example, but people can sort of like, imagine that they can use other products as well.

Yeah, go ahead. 

Dustin Lehr: Absolutely. Yeah, I appreciate the opportunity. So I will say this. We started this product and services years ago, we've got several happy clients at this point. And really the whole point of Katilyst is helping people with culture change through these security champion type programs.

So we do four different things. One thing we do is we help people design successful programs. If you want to get a little bit more information about the way we go about this - and what we've made public as well - there's a free website that I released a couple of years ago. It's called the securitychampionsuccessguide.org

Totally free to use. It's sort of a methodical way to walk through how to create a program from scratch or even take the time to enhance a program. 

So we help people through that. We also provide live instructor training. So we were talking about getting together every month and having some sort of discussion around security focused topics and so forth.

We provide talented instructors to help you through that journey as well. We also help with community management. So to run an active security champion program takes a lot of care and feeding and effort and engagement, right? And a lot of security teams don't necessarily have time for that.

So we actually provide services to help with that engagement as well. You know, posting articles, talking to people about their thoughts, getting more information about their challenges and so forth. And just sort of building up that engagement piece. 

Gabriel Friedlander: Where does this engagement happen? Teams, Slack, email, SharePoint?

Dustin Lehr: Yeah. I mean, Teams and Slack are very popular places. I think one of the default things that most people do when they start a program like this is they have a dedicated channel for the champions. So a lot of the engagement will happen over that channel including reminders and so forth for the upcoming training meetings and that sort of stuff.

It's just kind of like the hub, right where people interact by the water cooler, if you will. 

And then the fourth thing that we do is we actually created a product to help ease the administration and to help with the motivational elements of security champion programs. Think of a belt system.

Like we were talking about before, a lot of folks are using spreadsheets to manage this kind of stuff. What we've done is we've basically automated a lot of that work so that we can auto detect the actions that people are taking across the environment and provide an easy way for people to submit and enter actions that they are taking.

And then we translate that into a motivational sort of reward system that you can set up and customize yourself. So think less that we just sort of prescribe a solution. Here's a belt level system. We don't do that. We allow you to come up with your own system, like a belt level system. We've had some Star Wars themes.

We've also had some very culturally specific themes that people have set up and we provide the ability to set all of that up. It's really cool. 

Gabriel Friedlander: So I've seen stuff like that that works really well. This reward system and motivation system with things unrelated to cyber security like sales and, and other stuff.

I know this works, you know, people are motivated even just by appreciation. It doesn't have to be like money motivation. It's just the fact that you're giving them sort of like a certificate or you're, you know, mentioning them in a company meeting or in an email. So, those point systems are really, really motivating and again, not for everyone, but for enough people to make this something that can be really a backbone because people want to see their contribution being appreciated, right?

Like they're doing all of this, but they still want to be like, ‘Hey, I'm putting so much effort into this. Like, does anybody even notice?’ So the fact that you allow people to notice the, you know, the achievers, the ones that contribute especially when it comes to community. So on LinkedIn and other places, it's going to be the likes, the comments.

That's a little bit harder to do internally, even though it is possible, but that recognition that you spoke about, I think is, is very important. 

Dustin Lehr: Yeah. We actually spend a lot of time learning proper techniques for doing all this stuff too because I do think there are very surface level things that you might think of when you think about points and levels and that sort of stuff that may not be effective because you're not going about them in the right way.

You know so we bring a level of depth that's backed by, you know, the behavioral science aspects to it. I'll give you a few examples. So we really think about intrinsic versus extrinsic rewards. You're talking about points and so forth being effective. There could be gotchas there. 

I think that points and levels are only effective if they have other sort of recognition elements or other rewards associated with them as an example, like nobody's going to care about getting a black belt icon - Cool. I earned the little icon. Who cares? - Unless that icon means something like you get recognized your manager knows that it was a lot of work to earn it. There's some sort of mention at all hands. Maybe they get access to something that they didn't get before. Like it has to be something that people care about ultimately.

And you mentioned rewards beyond just material rewards. I have an acronym that I want to share that I always share. And it's SAPS. This comes from the gamification world. It stands for Status, Access, Power, and Stuff - SAPS. It's a good way to brainstorm the fact that there are other things that people care about beyond just stuff beyond even just money. 

Like think about when you get promoted, what do you actually care about? Is it the extra money or is it the status that comes along with it and the recognition and the increase in responsibilities and new challenges and that sort of stuff? I would argue that's why people want to get promoted, not just because of the money.

So providing those different types of rewards, like access to something, maybe somebody gets a lunch with the CTO or something, if they are at a certain level, right now you're tapping into things that people actually care about. 

Gabriel Friedlander: Yeah. You know, it's also similar in social media.

People ask themselves, like, what, what goes viral? Why would people like something? And I usually tell them they will like something less about, you know, showing you that they liked it. It's more about telling their friends, look what I found. So I'm the first to find it, or this applies to me when I like it.

It means something about me. I relate to this and it's a way to show your followers. What do you believe in? What are your values and stuff like that? So all of those are soft things. That just work everywhere, right? It's those type of recognition. 

What Doesn’t Work In A Security Champions Program?

So let's talk a little bit about what doesn't work because, you know, I guess not every program goes smoothly, you know, and works and also what should I expect in terms of result?

Like when should I do a campaign and come back and say, ‘Oh, this is great. I should continue.’ Like, how much do I need to invest in order to see something and what will stop me from being successful? 

Dustin Lehr: There is so much to dive into there. So I think you want to break it down.

I do think that we're talking about change here, specifically culture change. It's going to take a while. You need to buckle in and grow some thick skin and realize that you're not going to see results overnight, period. And I do run into this a lot at a leadership level, like, ‘Hey, okay. You've had a champion going for a few weeks. How come our MTTR isn't down and how come, you know, our phishing is still the same as it was?’ It's like, it takes time. 

You have to educate people. You got to work with people and so forth before you start to see changes in habits. It just takes a long time. Now there are a handful of reasons that I have seen security champion programs struggle or even fail. 

I'm actually working through bringing more visibility to this in general. I actually have some structure that I've added to it. This is a little bit of a preview because I was going to publish something at some point, but I've got 10 of them.

Maybe I'll give like five or so. 

Having no vision, like we were talking about earlier, having like, you're just sort of wandering in the woods and you're not really sure why you're doing it. You know, ‘my CISO told me I had to have a champion program. So here you go.’ Like that, that is not going to set you up for success.

Being intentional with what you're doing, clearly defining it, clearly communicating it to folks and so forth. That's going to increase your chances of succeeding ultimately. 

One mistake I see a lot, frankly, is what I would call negative social proof. So, this concept of social proof is if you see other people doing it, it's going to reinforce you doing it as well.

You show up to a Slack channel or a meeting and it's very active and everybody's talking and everyone's asking questions and so forth. You're going to feel more compelled to do so. I see this so often, even professional speakers do this. They point out the negative.

So someone's speaking to an audience and they ask the audience a question and no one says anything for a little bit. They would have, but for a little bit, and somebody says, or the speaker says, ‘well, you know, tough crowd tonight,’ or ‘clearly nobody really wants to ask a question’ - they point that out.

And what does that do? It creates this negative social proof where now nobody's going to say anything because they don't want to be the one person that's different. And I see this happen a lot where maybe things aren't ideal in terms of attendance or participation. To point that out in front of your group, your audience, is a complete mistake because it's going to reinforce that behavior, ultimately. Like ‘how come, we're trying to figure out why nobody shows up to our meetings.’ Don't say that, right? So that's a pretty big mistake.

Gabriel Friedlander: I think this has to do with the thing with a lot of technical people where they have the troubleshooter mindset.

So they're trying to troubleshoot the process and they're pointing out everything that doesn't work. They mean well, they want to solve this, but they're doing it in front of the crowd, pointing out all the things that are not working. And then, unlike salespeople and marketers that sometimes are a little bit over their skis and they're pointing out all the good things and sort of like hide the negative sometimes.

That loops back to what we spoke about at the beginning. You need to be a sales and marketing person to do this. 

Dustin Lehr: Exactly. I've got just a few more, I think, and then we can go to the next question. 

Trying to pass all of your security responsibilities onto the security champions is a mistake as well.

I think some people see champion programs as ‘Cool. I can extend my security team. I can just make the champions do what my team should be doing, but we don't have the resources for whatever’. 

Not a good idea. I think that security champions can contribute in very specific ways. And it doesn't involve passing all of the responsibilities off on them.

I'll give you an example. Maybe there's specific knowledge that they have. I'll, I'll go into the sort of tech realm for a second. You know, maybe the security champion is very privy to an upcoming feature design or whatever that is. They understand it very closely. They can give the security team a little bit more information about the app itself, about the feature that's being developed for the security team to do a proper assessment of that feature set and so forth.

That doesn't mean having the champion do that full analysis. It does mean gleaning whatever information we can from the champion's perspective so that we could do a better job as security professionals.

Also, people under invest in a lot of these programs as well.

I don't think people recognize what it takes to be successful in terms of time and budget and so forth. When you do it correctly, the benefits are there. If you sort of half do it, you know, like we've got a champion program, but you don't dedicate resources or time to increasing engagement and that sort of stuff, then, of course, it's going to die.

You know, so don't be surprised. I see this a lot. I tried a champion program. We stuck everyone in Slack. We never talked to them and then it failed. So champion programs are, they just don't work. It's like you didn't invest the effort into making it work ultimately. 

Gabriel Friedlander: So these are great points and I think what I'm hearing as well is either hire a company, for example, yours, or reach out to the different departments like marketing teams, maybe talk to the VP sales and say, ‘Hey, you know, just treat this as a product, but what can I do to sell this internally? I need your expertise.’ 

So tap in to - don't just try to do it alone, because maybe you're very skilled in cybersecurity. We're talking here about building a community. That doesn't necessarily translate one to one, like you probably have a gap unless you are a full stack security, marketing, sales, management, everything, which I think there are very, very, very few people who have all of that.

So probably you're missing some components. So reach out. So I think this is what I'm hearing, like it's a key thing to do. You have to reach out to those people, ask for help, and get feedback, and keep them involved. And maybe some of them can become ambassadors in your program. That will be even better, because now those ambassadors are helping you to run your ambassador program.

So you're a sort of two birds in one shot, something like that. 

Dustin Lehr: Let me add to that because there's a phrase that I like to use that reinforces exactly what you're saying. 

Weigh in leads to buy in. 

If you allow people to weigh in and share their own contributions or just opinions about the program and so forth, they're going to become invested in its success and would likely get involved themselves as well.

Gabriel Friedlander: Yeah, I don't remember - one of the presidents said that, I don't remember who it was, but I think he said, ‘If you want somebody to love you, ask him for a favor,’ because if you ask somebody for a favor and they help you, they're automatically in their head like, ‘I wouldn't help somebody that I don't like. I would only help somebody that I do like.’ So they are already liking you just by the fact that they had to do something for you.

So ask people for help and you'll get more friends and help others. Don't forget that. 

Closing Thoughts - Stay Excited, It’s Contagious

Anyways, we are actually over time, but I really enjoyed this. Hopefully the audience as well. Any final thing you want people to walk out with, final thoughts?

Dustin Lehr: I do think this is sort of a theme that came up throughout this entire thing. So I'm going to double down on it: the more excited and involved and committed to the program you are, the more excited and involved and committed to the program your champions will be as well.

So it's about you. It starts with you. If you're reluctant to do it you're not going to see a lot of success; if you've designed something that's unique and creative and fun and you're excited about it that excitement is going to translate throughout your entire program. So have fun and you'll see great results.