With a week until the due date, only one-quarter of employees at a midsize accounting firm have completed the latest cybersecurity training module. This module on avoiding phishing scams at work is something every employee should want to know about and yet, like many security programs, this one is creating very little engagement. Why?
“ Hiring for the right skills in security awareness management roles will strengthen an organization’s overall program and security posture”
Many employees view security training as boring and hard to understand. Creative, fun or engaging are words rarely associated with security awareness training. The problem may not be the subject itself, but how it’s taught and aligned to employee objectives. Finding the right talent with the right skills to lead your training program is critical.
Dedicate security resources
By 2022, 60% of large organizations will have a full-time equivalent (FTE) dedicated to security awareness.
But not all security experts are experts in employee education. Security professionals are traditionally thought of as technology-focused and not often associated with creativity, public speaking and persuasiveness — key abilities needed for learning program leaders.
Hire the right security trainers
So how do you hire the right people who will make security awareness training engaging and effective? Security and risk managers can follow these three steps:
Partner across the organization to improve security training and identify new talent. Don’t overlook one of your most important resources –– your wider organization network. Security leaders can find useful practices through collaboration with corporate teams that have run enterprise-wide training initiatives. They can also ask for one-on-one meetings with senior business leaders to discuss required talents and skills and who in the network might have them.
Hire security awareness talent with learning, development, marketing and communications skills. Using creativity to increase interest and the ability to condense complex material into easy-to-understand training are essential skills needed for successful security awareness leaders.
Consider talent with a strong learning and development background versus a security background. It’s possible to mentor that individual to be successful in a security awareness role. Look for people with expertise in training who understand adult learning styles and behavior modification techniques. Strong program management skills are also essential.
Write a security awareness manager job description that clearly defines the experience and attributes you require. Before you begin writing, clarify:
- Requirements: Outline what the job requires, such as the ability to meet regulations, the human behaviors and risks involved, how to create a program that changes behaviors to achieve business goals and how to measure results. Don’t create a list of “wanted requirements.”
- Skills and experience: List the skills and experience needed, like the ability to simplify, distribute for different audience locations and languages, coordinate teams, manage projects, and understand behavior change and the human element of risk. Also include security-specific skills like a basic grasp of the concepts of cybersecurity. Limit requirements for certifications and focus more on competency development.
- Competencies: List and define the traits needed, such as adaptability, business acumen, outcome-driven and collaborative. This will help you attract a wider range of candidates, especially outside the security and risk management world.
With these areas defined, you can then write a clear job description including the role and responsibilities, candidate criteria and education required.
When you hire security awareness leaders with the right skills who know how to present information in a thought-provoking and engaging manner, employees will learn faster and remember more. And that makes your organization’s security stronger.