Security Awareness Blog

Job Description for Security Awareness Officer

Organizations around the world are beginning to address the human element when securing their organization. The days of purely compliance-focused training are gone; we also need to effectively change behavior. To achieve that, you need the right person in charge. Below is an attempt to describe what the job description of a security awareness officer could look like.

Security Awareness Officer

This individual is responsible for our overall security awareness and education program. Ultimately this person's job is to reduce risk to our organization by ensuring that all employees, staff and contractors know, understand and follow our security requirements and behave in a secure manner.

Our Security Awareness Program Requirements

  1. Ensure that our security awareness program meets all industry regulations, standards, and compliance requirements.
  2. Ensure that our security awareness program communicates our security policies and requirements so that people know, understand and can follow them.
  3. Identify the top human risks to our organization and the behaviors we need to change to mitigate those risks. Develop and maintain a security awareness program that effectively changes these behaviors so our employees act in a secure manner, reducing the most risk to our organization.
  4. Create a positive program that engages employees, including a focus on changing behaviors both at home and at work. Ultimately we want our employees to demonstrate the same secure behaviors regardless of where they are or the devices they are using.
  5. Structure and maintain this program for the long term, so that ultimately we are changing not just behaviors but culture.
  6. Create a metrics framework that can effectively measure these requirements.

Skills and Experience

  1. Ability to express complex 'communications / messages' in a simple, clear and concise manner to the various communities within our organization. This can include different cultures, nationalities, international locations and languages.
  2. Project management experience: the ability to plan, manage and maintain a complex, organization-wide program over the longer term.
  3. Practical knowledge of different message distribution techniques to ensure end-user communities understand and continually apply the behavioral change necessary to reduce the 'human factors' risk.
  4. Ability to communicate with and coordinate the activities of others.
  5. Understanding of the concepts of information risk and the different elements that make up risk. In addition, at a minimum a basic understanding of the different concepts of information security.

After writing this description, I noticed how often the word 'communication' appears in it, far more than the word 'security'. Perhaps instead of calling it "Security Awareness Officer" we should say "Security Communications Officer". What would you word differently, and what do you think is missing or should be changed? Post your feedback in the comments area.


1 Comment

Posted March 22, 2014 at 11:25 AM

Jay

I think in Skills and Experience that a solid (preferably deep) understanding of the business side of the industry that the program is going to be engaging the end users in is critical.
Any awareness program needs to be targeted to how information security impacts users in their day-to-day jobs. The awareness program needs to be able to understand and focus on what's important to users in their jobs and how being aware of the risks around their data will improve their day-to-day work. Only then will end users actually engage with the program.
Without that engagement you will always run the risk of the program ending up being a series of pushed communications from InfoSec on how things are bad, with no two-way street established. Only with clear, simple communications and an understanding of how improving InfoSec knowledge and awareness will impact the end user will the program be effective.