Learn Security Awareness Specialist Skills
After completing this unit, you’ll be able to:
- Describe the responsibilities of a security awareness specialist.
- List key skills of a security awareness specialist.
When company personnel and contractors are aware of security threats and how to defend against them, they are able to protect sensitive data and strengthen the security of their organization. According to a recent article by the World Economic Forum, Why 2020 is a turning point for cybersecurity, ensuring user awareness of cyber threats, training users on data protection policies, and creating a strong cybersecurity culture are all critical to implementing a strong cybersecurity program. Security awareness specialists lead this education and awareness for the organization.
One of the security awareness specialist’s primary responsibilities is to communicate about complex technical issues in layman’s terms. They must ensure that everyone in the company is aware of cyber threats, even employees whose roles do not deal with information technology. For example, they may need to train a salesperson how to recognize and report a phishing email. Security awareness specialists may provide special training to executives in managing their social media presence so as to limit the ability of attackers to use social engineering to launch a spear phishing attack. All of this involves understanding technical impacts and then educating users in a way that translates to their realm of expertise and their day-to-day responsibilities.
Security awareness specialists are responsible for working across the organization with various teams, especially the incident response team. They work to understand and protect against human-related security risks, and also incorporate feedback from incidents into updated training and awareness campaigns to drive security behavior change. For instance, if a recent breach was the result of a misconfigured firewall, the specialist may need to create job-specific training and awareness campaigns about whose responsibility it is to manage firewalls, and what policies apply to configuring them. They also may need to help educate executives within and outside the cybersecurity team on the risk a misconfigured firewall poses to the organization, and the changes necessary to combat this risk in the future (for example, upgrading to a new technology, or hiring additional staff).
Finally, another responsibility of a security awareness specialist is empowering employees to embed security by design into how they perform their jobs. This means ensuring employees are aware of policies and procedures, have the job-specific skills necessary to implement them, and know where to go when an issue occurs. To be successful, the specialist needs to work closely with technology, audit, legal, and business units across the organization to understand security challenges and tailor training to meet specific business and compliance requirements.
What types of skills does a security awareness specialist have? Candidates typically have a college degree and their knowledge and experience may include information security, communication, marketing, and education. Regardless of the candidate’s educational background, it’s helpful to be well-versed in relevant current issues in technology, information security, and cyber threats.
Additionally, working knowledge of relevant cybersecurity policy frameworks such as the International Organization for Standardization (ISO) Information Security Management standards, Control Objectives for Information and Related Technology (COBIT), and National Institute of Standards and Technology (NIST) cybersecurity standards can be advantageous. Sector-specific experience or knowledge is also helpful, for example, being conversational in financial concepts if applying to work at a bank, or understanding the regulations relevant to critical infrastructure if seeking work in the energy sector.
In addition to technical awareness, security awareness specialists need strong communication, relationship-building, problem-solving, and collaboration skills. Experience or training in social media and community management, stakeholder management, and project management may prove useful in the profession. Professional certifications are not a requirement but can be helpful. These can include ISO 27001, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and Certified Information Systems Auditor (CISA).
In this module, you've been introduced to the goal of a security awareness program, learned more about the importance of security awareness, and discovered the responsibilities and skills of a security awareness specialist. In the next module, you learn more about how security awareness specialists identify risks and protect the organization. You also learn how they work across teams to detect risks and to respond to and recover from incidents when they occur. To learn more about the cybersecurity field and read profiles of security practitioners, visit the Cybersecurity Learning Hub on Trailhead.