Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training
Can't find what you are looking for?

Let us help.

Contact us
Resources
SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

CISO Network

Engage, challenge, and network with fellow CISOs in this exclusive community of security leaders

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations
Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk with an expert
Talk with an expert

Job Description for Security Awareness Officer

Organizations around the world are beginning to address the human when securing their organization. The days of just compliance focused training are..

Authored byLance Spitzner
Lance Spitzner

guy on lock files

Organizations around the world are beginning to address the human when securing their organization. The days of just compliance focused training are gone, we need to also effectively change behavior. To achieve that, you need the right person in charge. Below is an attempt to describe what the job description of a security awareness officer could look like.

Security Awareness Officer

This individual is overall responsible for our security awareness and education program. Ultimately this person’s job is to reduce risk to our organization by ensuring all employees, staff and contractors know, understand and follow our security requirements and behave in a secure manner.

Our Security Awareness Program Requirements

  1. Ensure that our security awareness program meets all industry regulations, standards, and compliance requirements.
  2. Ensure that our security awareness program communicates our security policies and requirements so that people know, understand and can follow them.
  3. Identify the top human risks to our organization and the behaviors we need to change to mitigate those risks. Develop and maintain a security awareness program that effectively changes these behaviors so our employees act in a secure manner, reducing the most risk to our organization.
  4. Create a positive program that engages employees, to include focusing on changing behaviors both at home and at work. Ultimately we want our employees to demonstrate the same secure behaviors regardless of where they are or the devices they are using.
  5. Structure and maintain this program to be long term, so ultimately we are not changing just behaviors but culture.
  6. Create a metrics framework that can effectively measure these requirements.

Skills and Experience

  1. Ability to form complex ‘communications / messages’ in a simple, clear and concise manner to the various communities within our organization. This can include different cultures, nationalities, international locations and languages.
  2. Project management experience, the ability to plan, manage and maintain a complex, organization wide program over the longer term.
  3. Display practical knowledge of different message distribution techniques to ensure end user communities understand and continually apply the required behavioral change necessary to reduce the ‘human factors’ risk.
  4. Ability to communicate with and coordinate the activities of others.
  5. Understanding of the concepts of information risks and the different elements that make up risk. In addition have at a minimum a basic understanding of the different concepts of information security.

After writing this description, I noticed how often the word 'communication' is in the description, far more then the word 'security' is. Perhaps instead of calling it "Security Awareness Officer" we should say "Security Communications Officer". What would you word differently, what do you think is missing or should be changed? Post your feedback in the comments area.

Meet the expert

Lance Spitzner
Lance Spitzner

Lance Spitzner

Senior Instructor

Lance revolutionized cyber defense by founding the Honeynet Project. Over the past 25 years, he has helped 350+ organizations worldwide build resilient security cultures, transforming human risk management into a cornerstone of modern cybersecurity.

Read more about Lance Spitzner
Job Description for Security Awareness Officer