Your first days as a Security Awareness Officer. The first year.

Your first year as a Security Awareness Officer

In this blog, we discuss duties in the first year as a Security Awareness Officer. In the first part of this blog series, we discussed that a Security Awareness Officer is increasingly an essential part of organizations’ cybersecurity efforts. Because this role is fairly new within the industry, in this three-part blog series we explain what – in our view – are the most important activities for the Security Awareness Officer. We break it down as follows:

Part 1: Your first 30 days as a Security Awareness Officer.

Part 2: Your second and third months as a Security Awareness Officer. 

Part 3: Your first year as a Security Awareness Officer.

Read the blogs about the first 30 days and about the second and third months via the links above. Below is a brief summary of those blogs.

Summary: Your first days as a Security Awareness Officer

  1. Meet the ‘business’ – A well-functioning security awareness program is widely supported by stakeholders in the business. Therefore, identify key stakeholders and ask many questions during your introduction. Stakeholders carry your message powerfully within their sphere of influence, but only if the goals of the program are well aligned with theirs.

  2. Map risks – With the information from the introductory interviews, you can make a good assessment of the cyber risks in business operations. Supplement it with existing information by conducting desk research into previous security or risk activities. Also check the existing measures.

  3. Set goals – The information gathered in your first 30 days as a Security Awareness Officer will allow you to set priorities. The biggest residual risks to primary business processes are the first topics for the security awareness program. Provide feedback on the risks found to stakeholders.

  4. Create scenarios – Based on the risk information and context you collected earlier, outline the most likely scenarios in which the risk could occur. The behavioral elements from these will later form the subjects of the security awareness program.

  5. Conduct a baseline measurement – Before you can start building the security awareness program, you need a starting point. That is why it is good to perform a baseline measurement. For example, consider conducting desk research, a phishing simulation or a security survey. Whatever you decide, put together the baseline measurement in consultation with your core team.

  6. Put together a new curriculum – A curriculum (or: learning plan) describes the learning goals you want to achieve per target group, the knowledge they must master and be able to apply, and the strategy you choose to achieve it. The curriculum for each target group determines the route between the starting point and the set goals. That route is determined primarily by the people, processes and technology you have (or can get) at your disposal.

  7. Put together a communication plan – To get the target group(s) on board, you will need to explain why security is important, how they can contribute to the goal, and what exactly is expected of them. The more the individuals in the target group can identify with the goal, the higher their participation in the program will be. Work with your Communications Department to put together this strategy.

Key performance indicators

A key success factor for security awareness projects is the extent to which the steering committee (core group and stakeholders) is able to make adjustments. To be able to do that effectively requires information that can be measured against previously established goals. Those goals are in turn derived from the program goals we set earlier, based on the risk inventory with the business stakeholders.

How do you know you chose the right KPIs for the program?

Besides the usual key performance indicators (KPIs) that say something about employee participation in the program, the more important KPIs are those that show to what extent risky behavior actually changes. These say something about risk, and risk reduction is the goal of any security awareness program.


KPIs also enable you to have a substantive conversation with your stakeholders. The traditional challenge in the conversation between ‘the business’ and IT and/or Security is mutual understanding: technical terms simply do not resonate with the business side of the organization. Risk forms the bridge here. Linking risks to the goals and KPIs of the program helps with this.

To be even more specific to your stakeholder, link the risks you identified from each stakeholder in the earlier interviews to the activities of your program – through the corresponding KPIs. Each stakeholder now knows exactly how the program contributes to the reduction of risk in the business process he or she is responsible for.

Influencers

Finally you are ready. Together with your stakeholders you’re going to implement the curriculum. Of course, you announce the start of the program with great enthusiasm. To do this, use one or more people with ‘influence’ in the organization. Think of the board of directors, or the sponsor of the program. These can also be other persons with a relatively large (social) sphere of influence.


The ‘why’ of the program must be carried by everyone, and you achieve this by using influencers who reinforce your message. Communicate the message through multiple channels, in line with the previously established strategy, to ensure that everyone is reached. For example, use narrowcasting, the intranet or an internal newsletter.

Be flexible

As mentioned earlier, you monitor the program during execution based on the established program goals and associated KPIs. It is also important to keep responding to trends and events. Cybercriminals are constantly changing their approach to fool unsuspecting people. A new technique, such as the use of deepfakes, can still surprise aware and trained employees. Therefore, make sure you follow relevant news sources, such as the National Cyber Security Center (NCSC), and participate in groups and forums so that important security news does not escape you.


Based on current data about the security awareness program, trends and events – in collaboration with the stakeholders – adjust the program content if your risk assessment warrants it. Make sure your approach is always focused on the target group for whom the risk is relevant.

In conclusion

You’ve probably already noticed: a security awareness program can only be successful if it is carried by the organization. That is why the link with risks to important business processes is so important. In addition, cooperation with the stakeholders responsible for those business processes ensures success, in my experience. The content of the program itself is only the outcome of bringing those two elements together.


Good luck with your first year as a Security Awareness Officer! If you would like to talk, we are always open to that. Please contact us via our contact form. After all, it’s still people work!

[ People improve security ]