A number of factors have come together to cause me to rethink our approach to security awareness and training. For years we have discussed the need for organizations to have a dedicated Security Awareness Officer. I'm beginning to think this is wrong. We don't need security awareness officers, what we need are more Security Communications Officers. This is why. The number one challenge I'm seeing organizations face around the world is the ability to reach and engage employees. Most organizations already know what they need to teach people. They have a team of highly technical and skilled experts that have a good understanding of the organizations risks and how to mitigate them. Where organizations fail is then having these very same individuals communicate those risks to people. This is the wrong approach.
Not only do most security professional lack any formal training in communications, we as a community are actually taught how NOT to communicate (i.e. loose lips sink ships). In addition, because security professionals are so deeply entrenched with the problem, they often have a hard time understanding how people do not understand even the most fundamental basics of security. Chris and Dan Heath call this problem the "Curse of Knowledge" in their book Made to Stick (which if you haven't read, I highly recommend it). I'm beginning to think a Security Communications Officer is what organizations need. Not only do these individuals have the skills and training in reaching people, they often LACK security expertise, which is what you want. They, just like the very audience we want to reach, do not live and breath security on a daily basis. As a result, these communication officers will have the best understanding of what people do NOT know and how to engage them. So, if you are looking to pump up the volume on your security awareness program, I suggest you stop looking for a Security Awareness Officer and start looking for a Security Communications Officer.
