Having worked with many security awareness managers over the past few years, I can say that a day in the life looks different for each of them. Some managers focus only on security awareness, while others have many other responsibilities to juggle. Some have to reach hundreds of people, while others reach only twenty.
Either way, we tend to share the same daily tasks: fielding calls, questions, and requests; planning and creating course content; and sending out training reminders. In our 26th live Cyber Security Awareness Forum, we reviewed the daily tasks and challenges of the average cyber security awareness manager. Meet the panel:
Michelle L (ML) – Michelle is the Director at Risu Consulting, a consultancy that helps startups create meaningful and simple security education strategies. She has 20 years of experience in creating engaging and meaningful training.
Fletus Poston (FP) – A security champion, Fletus is a Senior Manager of Security Operations at CrashPlan®. CrashPlan® provides peace of mind through secure, scalable, straightforward endpoint data backup for any organization.
Erin Gallagher (EG) – Erin is the Cyber Security Lead at Fastly and has been working in the security awareness field for 5 years. Erin has helped build programs for companies ranging from 1,200 employees to 500,000.
Ryan Healey-Ogden (RH) – Ryan is Click Armor’s Director of Business Development. He is passionate about security awareness, education, and technology, and how they relate to people.
And myself, Scott Wright (SW), CEO of Click Armor, the sponsor for this session. Now, let’s get to our discussion on a day in the life of a security awareness manager:
EG: All the things Scott previously listed are true, but I see myself much more as the wonderful bridge between the organization and the security team. And we do get to be the fun people. We do get to be creative. We also answer those questions, but hopefully we mitigate them in the most appropriate and positive way possible.
A huge part of my job is not just to get to know my business, but it’s also to get to know my peers and to get to know the different departments within security. Then, I’m able to communicate out what they need people to hear and I can communicate it in a way that the business is going to understand. I honestly would sum up being a security awareness manager best as that bridge that I mentioned first.
SW: Reaching out to teams is something you might call fun as well. You get to go out and talk to managers or groups of people and find out about what special risks their team might be seeing that you didn’t realize happened. You get to find out what’s going on in their world and get closer to them. And then you figure out what special treatment they need, or find out if they have ideas about what kind of things would work better for them.
The other fun things are choosing the next course content. What should people be trained on? Do they need foundational training for phishing or social engineering or some other use case?
ML: One of the biggest problems we’ve got in the sector, in this role, is that we do all the things we just listed. And that’s too much, because for most people, if you’re managing, you’re enabling work by definition; you’re no longer doing the work as such. You are leading that team. But that isn’t really possible in security awareness, because you’re often a team of one or two. You’re doing huge amounts of work that a typical person would say, “Oh, that’s too much.”
So, I think it’s good to be aware that there is too much work to do. Be aware of the burnout that we can experience in this role and define what the role is to you.
RH: We can fatigue our employees. But that’s where the teamwork aspect comes into play, with the operations manager working with the awareness manager. Then make sure that there isn’t an abundance of notifications, alerts, and warnings going out for security, because yes, there is a certain point where you just turn off your notifications or stop paying attention because you get so many – and that could be at a very bad time.
EG: It can also be fatigue on our team’s side. In a company I previously worked for, someone just picked up the awareness tasks because they were volun-told to do it. And they got so fed up with the number of people clicking on phishing simulations that they sent out a phishing simulation that said, “this is a phishing simulation, don’t click on it.” And still 25 people clicked on it.
So there is a point where it’s just: we’re done, they’re done, and it’s our fault that we kind of got to that point.
EG: It’s at the point where you decide that you really want to see human behavior change. Because, as I said in my bio, I’m really passionate about keeping the human connection in security, and you’re not going to see that valuable change to an organization, you’re not going to see that reduction of risk, you’re not going to see that increase in engagement unless you have a dedicated person who has the time to go build those relationships with the organization. So if that’s where you’re at with your organization and you really want to see meaningful change, that’s the point at which you decide to have a security awareness person.
FP: This is a very tricky question, because you say “dedicated”. At first it is probably going to be a coordinator, or it’s going to be an analyst who’s partnering with the sister organization, until your organization gets large enough that it justifies a 40-hour week, from a budgetary point of view and from a headcount point of view. Then, once you decide to hire one, you have to figure out where you want to place them.
So I’m going to say it depends, because it really depends on the size of your organization and the budget that you have.
RH: In my opinion, if someone who has a startup was going to ask me when to hire a security awareness manager, I would say as soon as you possibly can – just wear multiple hats. Everyone already wears multiple hats when you’re in a startup and you’re a young organization. So when you sit down and look at your roadmap, security awareness manager should be in that right off the top. So whoever is taking care of IT or security as a whole, why not start from the ground up and build that security culture from the get-go?
FP: Come find your security operations teams and just get to know them. Ask them to include you in conversations. Make friends with marketing, make friends with comms, make friends with your legal team, because there’s going to be a partnership. You need security champions, and they can be part of your security champions. You can work with their leadership team to say, “Hey, can Lindsey be part of this effort? Can Mark be part of this effort?” And you get buy-in by offering it as a development opportunity, letting them see the other side from all these lines of business.
So garnering support is just building a network inside of your own organization, both in security and in the lines of businesses, as well as asking for executives to give top down comms and support and kudos.
EG: On top of what Fletus just said, in a broader sense, it’s just overall visibility. It is about reaching out to your teams, saying hey, and introducing yourself. Make sure what you say shows the value add and what you’re bringing to the table. It doesn’t have to be metrics, necessarily. It could just be, “Here are my ideas and here’s why we think they’re going to be effective.”
But visibility in general is super important, just to get your face and your name out into your organization. So get your face out, do more stuff. It might sound really silly, but I just did a Zumba class for my company, and there are now 15 people who know who I am, can see what department I’m in and what made me want to come, and can have a conversation with me about it. And it’s not necessarily just support from your senior leadership; you can start at the bottom. You can start at any level. The more support you have, the more people there are preaching what you have to say. Just get your face out there. Just get your word out there. Be as visible as you can be.
RH: Become your own champion and then inspire others to follow suit. Try and touch as many cross-functional teams as possible. If you get someone from marketing, you get someone from finance in your corner, it’s going to go a long way.
---
Becoming a security awareness manager can seem overwhelming, and as you heard from our panel, there will be a lot to do! But if you continue to build a network within your organization, lean on your security operations team for help, and identify your “why”, your daily schedule will become a lot lighter.
Whether you’re a brand new or experienced security awareness manager, we are here to support you. Hear the rest of the advice and stories from this amazing panel by watching the full episode on our YouTube.
Click Armor is the first highly interactive security awareness platform, with engaging foundational courses and 3-minute weekly challenges that employees love. We offer content on everything from security basics, phishing and social engineering to passwords and privacy.
Even if your organization already has a solution, there is a high likelihood that some employees are still not engaging and are exposing your systems and information to cyber threats. Click Armor offers a special “remediation” package that complements existing solutions which don’t offer relevant content for people who need a different method of awareness training.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.