As we get ready to enter 2018, one of the things I'm most excited to see is more and more organizations investing in managing their human risk, including hiring what many call a Security Awareness Officer, Security Communications Officer, or a position related to Security Training or Culture. To be honest, I'm far less concerned about the position title and far more concerned about the individual's skills and abilities. The problem is organizations requiring their security awareness officers to have a technical or security background. Not only is a security/technical background immaterial, it is actually a hindrance. The more technical you are, and the greater your security depth and knowledge, the more likely you are to assume others share your knowledge and ability. This is called the Curse of Knowledge, which is a fancy way of saying the more of an expert you are at something, the worse you are at communicating it. Most organizations have security teams packed with technical experts who know the problems inside and out. The problem comes when these same technical experts are expected to communicate and manage their organization's human risk. The issue then becomes not a lack of technical expertise, but a desperate lack of soft skills. Human Resources, if you want to hire someone for your awareness role, this is what you need.
People Skills: Simply put, this means you like people. Yes, you have to actually enjoy working with and talking to people on a daily basis. You have to engage and collaborate, you have to understand terms like emotion and culture, and you have to want to work with others. Security is packed with career paths where you can be highly successful and effective without liking people; this is not one of them.
Communication / Marketing Skills: A key part of managing human risk is engaging your workforce. To engage, you have to communicate in their terms. You have to sell WHY cyber security is important, then communicate the expected behaviors in a simple-to-understand format that anyone can follow.
Collaboration Skills: You will be working with a huge number of groups, including Human Resources, Audit, Legal, Marketing and Communications, Leadership, Project Management, Accounts Payable, LMS and Help Desk teams, and numerous others. This is why time, not budget, is so important to successful awareness programs. You will spend most of your time interacting with and coordinating the efforts of others, not working with technology.
As we have repeatedly learned from the BJ Fogg Behavior Model, behavior ultimately comes down to motivation and ability, and nowhere does this require a technical background. So HR, if you want to find someone to lead your awareness program, go find people with a Communications, Marketing, Teaching, Sales or Public Relations background. One of the best awareness officers I ever saw was an English manager. The fact that they do not have a technical background is not a limitation but a HUGE advantage. If they don't understand what you are communicating about cybersecurity, how do you expect your workforce to?