Job descriptions

A few years back we published a generic job description for the "Security Awareness and Compliance Manager" role. Now, we've broken it down into three distinct chunks: 

1. We envisage the Security Awareness Manager running the show, managing the security awareness program and team as a whole, interacting personally with management, planning and man-managing the team.
   
   
2. Ideally, one or more Security Awareness Officers help the manager prepare for and perform various awareness activities, deliver the awareness materials and messages, present awareness sessions, interact with workers etc. (more below).
   
   
3. A number of Security Contacts are typically embedded throughout the business, in much the same way as fire wardens and first-aiders. They may only be part timers but still they are a very valuable part of the social network that distributes security awareness far and wide and (just as importantly) provides useful feedback and direction from the business. They make up the information security extended family.

The size and constitution of awareness team required depends on factors such as:

• The nature the organization's industry or business (e.g. the finance world faces different information risks and security challenges, and hence has different awareness needs to, say, retailing or farming or healthcare or government or IT or ...);
• The geographical dispersion of the organization i.e. the absolute number of corporate sites at which security awareness is required, and their geographical or national or cultural diversity (e.g. all in the same country or multinational, compliance-driven or compliance-averse);
• Compliance obligations (e.g. security awareness is an explicit requirement in the privacy, critical infrastructure and ISO27k contexts);
• The maturity and complexity of the awareness program (e.g. at the start, one part-time awareness person might be sufficient to get things off the ground*); 
• The amount of direction, help and support they get from other quarters (e.g.training, IT and risk functions, plus management in general);
• Strategies and policies in this area, demonstrating management's understanding of the value of security awareness*; 
• Whether they will be creating all the awareness materials in-house from scratch or getting a leg-up from an awareness service (such as ours!); 
• and, last but not least, the availability of suitable candidates to fill the positions (this is a narrow specialism within a specialist area facing a significant shortage of qualified people: good luck finding sufficient people with the right mix of skills! You are more likely to grow the team through training and personal development of people who have the right aptitudes to start with).

* There's an obvious conundrum here: if management has little security awareness and no appreciation of the business benefits it brings, they are unlikely to understand the need for and hence support the awareness function, hence their security awareness is unlikely to improve ... except perhaps through skunkworks and maybe prods from other quarters, such as auditors, regulators, information risk and security pros, compliance pro's etc.

The pump needs priming ... and maybe our job descriptions will help.