Security awareness manager: Is it the career for you?
From managing data protection compliance to threat hunting, the field of cybersecurity offers a wide variety of career paths. If education is your passion and you have a knack for data analysis, a security awareness manager might just be the career for you.
Global cybercrime is on target to cost $10.5 trillion annually in damage, investigation and restoration by 2025, says Cybersecurity Ventures. Social attacks such as phishing and business email compromises cause the majority of data breaches, says the 2020 Verizon Data Breach Investigations Report. Organizations know the time is now to become proactive in their defense measures, and a critical component of those protection efforts must be employee education. This is the role of the security awareness manager or security awareness consultant.
What does a security awareness manager do and what does it take to thrive in the role? Tiffany Franklin is the manager of cybersecurity education for Optiv and says the position requires wearing multiple hats, working well under pressure and having compassion for people.
What does a security awareness manager do?
Maybe you work for an organization that has sent test phishing emails to employees. If you clicked on the links within, chances are good you were enrolled in cybersecurity training so you could better identify sneaky, malicious emails and help the company avoid what could have been the start of a real data breach. (See our list of the best security awareness training providers.) Or maybe you’ve read news articles about companies that have issued test phishing emails unsuccessfully. The GoDaddy “get your holiday bonus” test email last year is but one insensitive example.
The foundation of a security awareness manager role is creating an ongoing general security awareness training program for employees that supports the company’s cybersecurity technology stack. “A lot of people don’t know not to click on that pizza coupon or open that Excel spreadsheet,” Franklin, a former middle school math teacher, explains. “As a cybersecurity awareness manager, it’s our job to help bridge that gap. Because unfortunately, cyber isn’t taught like reading, writing and arithmetic.”
First, designing an education program is audience-dependent. What might work well for a sales team may not be as effective on a front office team, for example. “You have to be creative in how you help them all become more cyber aware and work to change their behavior in a way that fits them. The way you meet each in a meaningful way can be very different.”
This process usually begins with the development of personas, or descriptions of the various training audiences. Who are they, what’s important to them, what will pique their interest and what do you want that person to learn or do? In phishing emails, that is often paired with current events and localized circumstances. For example, Holly has 10 years of professional experience, lives in the suburbs with a couple of kids and would be interested in signing a petition for area school changes. The content doesn’t always have to be work-related.
Second, security awareness managers must not only master learning management systems and rely on data to drive their next steps, but they also work with nearly every other department in the organization. The position requires close collaboration with C-suite stakeholders who control the budget; human resources and/or the learning development team that rolls out the training; the marketing department, which generally controls internal communications; and IT and security, who hold the efficacy data you need to make go-forward decisions. Larger organizations also have governance, risk management and compliance (GRC) stakeholders if PCI, HIPAA or other compliance measures must be met.
What skills are required for a security awareness manager?
While cybersecurity is technical by nature, the most successful security awareness managers excel at understanding and working with other people. As phishing emails continually trick users into a variety of actions, the human element of cybercrime is increasingly important. It’s the job of the security awareness manager to ensure the organization doesn’t rely solely on technology to combat hackers.
Change is difficult for many people — but it shouldn’t be for someone in this role. Last year is the perfect example. The pandemic fueled countless new phishing schemes as people shifted to work from home. It also created significant ambiguity for organizations as they struggled to make the shift. The security awareness manager must be able to navigate change and modify the training program along the way. This makes strong communication and customer service skills imperative. Effectively meeting the expectations of your various internal stakeholders is also important, and more challenging during times of turmoil.
“Problem-solving, trouble-shooting [and] generally dealing with users as people are all important skills,” Franklin says.
An appreciation for data and the ability to analyze data are also important. Key performance indicators (KPIs) are used to measure how successful your training program is and will help identify where more effort is needed and how. Should more training be developed? Or would simple conversations be more effective? The data will tell you this, Franklin adds.
Don’t be intimidated
Educating people on cybersecurity may sound like an intimidating career choice, especially considering the ever-expanding risks and rising costs. According to Franklin though, you shouldn’t be intimidated. The always-changing threat landscape also brings challenge and reward, especially for inquisitive people. You learn as you go. This is true for everyone working in the field, at every level.
Franklin likens the importance of security awareness to plumbing. If you think of the plumbing in your house as a security technology and a pipe bursts in an unexpected storm, you need to know how to turn the water off until the professionals arrive to fix whatever is broken. Like plumbers, security awareness managers have to arm people with what to do when the technology fails. Who teaches people not to give information out over the phone or to post on social media that their office card reader is broken today? This is the security awareness manager’s job.
To learn more about what it takes to become a cybersecurity awareness manager, watch our Cyber Work Podcast, How to become a security awareness manager, with Tiffany Franklin.
Cybercrime to Cost the World $10.5 Trillion Annually by 2025, Cybersecurity Ventures
Verizon Business 2020 Data Breach Investigations, Verizon