guy on lock files

Organizations around the world are beginning  to address the human when securing their organization.  The days of just compliance focused training are gone, we need to also effectively change behavior.  To achieve that, you need the right person in charge.  Below is an attempt to describe what the job description of a security awareness officer could look like.

Security Awareness Officer

This individual is overall responsible for our security awareness and education program.  Ultimately this person’s job is to reduce risk to our organization by ensuring all employees, staff and contractors know, understand and follow our security requirements and behave in a secure manner.

Our Security Awareness Program Requirements

  1. Ensure that our security awareness program meets all industry regulations, standards, and compliance requirements.
  2. Ensure that our security awareness program communicates our security policies and requirements so that people know, understand and can follow them.
  3. Identify the top human risks to our organization and the behaviors we need to change to mitigate those risks. Develop and maintain a security awareness program that effectively changes these behaviors so our employees act in a secure manner, reducing the most risk to our organization.
  4. Create a positive program that engages employees, to include focusing on changing behaviors both at home and at work.  Ultimately we want our employees to demonstrate the same secure behaviors regardless of where they are or the devices they are using.
  5. Structure and maintain this program to be long term, so ultimately we are not changing just behaviors but culture.
  6.  Create a metrics framework that can effectively measure these requirements.

Skills and Experience

  1. Ability to form complex ‘communications / messages’ in a simple, clear and concise manner to the various communities within our organization.  This can include different cultures, nationalities, international locations and languages.
  2. Project management experience, the ability to plan, manage and maintain a complex, organization wide program over the longer term.
  3. Display practical knowledge of different message distribution techniques to ensure end user communities understand and continually apply the required behavioral change necessary to reduce the ‘human factors’ risk.
  4. Ability to communicate with and coordinate the activities of others.
  5. Understanding of the concepts of information risks and the different elements that make up risk.  In addition have at a minimum a basic understanding of the different concepts of information security.

After writing this description, I noticed how often the word 'communication' is in the description, far more then the word 'security' is.  Perhaps instead of calling it "Security Awareness Officer" we should say "Security Communications Officer". What would you word differently, what do you think is missing or should be changed?  Post your feedback in the comments area.  

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, system defense and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and