What Makes a Good Security Awareness Officer?


As more and more organizations are looking to grow and mature their security awareness program, I'm often asked what makes a good security awareness officer. After working with hundreds of organizations, I have seen what does and does not work. Below are key traits I have consistently found to lead to success, regardless of the organization's size, location, or industry.

Technical vs. Nontechnical

First and foremost, a technical security background does not automatically make for a good security awareness officer. In fact, I would argue — and have consistently seen — that a highly technical background may present you with two obstacles:

  1. Communication is a key part of any successful security awareness program, and to be honest, I can't think of any industry that traditionally has been worse at communication than information security. If anything, our field is all about not sharing information.
  2. People with technical backgrounds (including myself) suffer from what is called the Curse of Knowledge. This theory states that the more of an expert you are at something, the worse you are at communicating it. Because something is easy for you, you assume it must also be easy for others, which is a form of cognitive bias. Creating long, complex passwords that are unique for every account? What a breeze. Ensuring all your mobile devices are updated, locked down, and have minimized permissions? No sweat. However, for 99 percent of the rest of the world, concepts like these are a daily challenge.

I'm not saying technical people can't make good awareness officers; they can and do (I'm an awareness person and my background is technical). What I'm saying is that being an information security expert does not automatically qualify you as a good security awareness officer. This is why I feel that so many security awareness programs are struggling; the 2016 Security Awareness Report [https://securingthehuman.sans.org/report] identified that over 80 percent of people involved in security awareness have technical backgrounds.

[Figure: Roles and security awareness graph]

Communication

As I mentioned, communication is one of the most important soft skills that a security awareness officer will need. Time and time again I have seen people with the strongest communication skills develop outstanding awareness programs. Think about it: most organizations know their top human risks and the key behaviors they need to change. The challenge is how they communicate that to their organization. The best awareness officers I have seen have little to no security background, but instead worked in communications, marketing, public relations, or sales. In one case, I know a Fortune 500 company whose awareness officer used to be an English teacher, and she was amazing. An additional advantage with leaders like these is that for many of them, security can be new, confusing, or even scary, just like the people they are trying to reach. As such, they know and understand their audience and can help employees overcome those challenges. One of my favorite sources to learn more about developing communication skills is the book "Made to Stick" by Chip and Dan Heath. It's a fun read that will give you a whole new perspective on communicating ideas successfully.

Collaboration

Another essential soft skill that every security awareness officer should have is the ability to work well with others. If you don't like people, this is not the field for you! In addition to training people and providing outreach on a regular basis, you also need to be able to collaborate with other departments or teams in order to maintain a successful awareness program. Some examples of collaboration include:

  1. Working with human resources to better understand your organizational culture and connect with new hires.
  2. Collaborating with the marketing, sales, or communications team. They are experts when it comes to engaging people.
  3. Reaching out to senior leaders to not only gain their support of your program but also to get them to help promote the program and make sure they exhibit key, secure behaviors.
  4. Teaming up with legal/audit to ensure your security awareness program is compliant with required regulations and standards.
  5. Teaming up with your learning management system team if you will be rolling out any computer-based training.
  6. Working with your target audiences so you can better understand their challenges and how to best engage them.

Summary

Security awareness is one of the most exciting fields to be in. Not only is it an area where you can have the greatest impact to your organization's overall security, it's still relatively new — you can help develop its future. The key thing to understand is that a strong background in security alone will not make you successful — you have to branch out and learn new skills, especially in communication and collaboration.


Lance Spitzner is director of the SANS Institute Securing The Human program. Follow @lspitzner on Twitter or visit his Security Awareness Blog.

© 2016 Lance Spitzner. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.