The Security Awareness Officer leads the company's security awareness and behavior-change initiatives, building a culture of cybersecurity across all teams. The role develops engaging content, manages phishing simulations, tracks training compliance, and partners with HR, IT, and business leaders to reduce human-related risks and meet regulatory standards (ISO 27001, SOC 2, PCI DSS, PH DPA).
Key Responsibilities
- Develop and execute the annual Security Awareness Plan aligned with business risks and compliance goals.
- Create and deliver multi-format learning content (videos, infographics, LMS modules, newsletters, events).
- Manage the LMS and ensure timely completion of onboarding and annual refresher trainings.
- Conduct simulated phishing and social engineering campaigns; analyze metrics and provide targeted training.
- Coordinate with HR, IT, and Communications for policy dissemination, campaigns, and compliance tracking.
- Maintain dashboards and KPIs for training completion, phishing trends, and risk reduction; report to leadership.
- Support incident reviews with just-in-time learning and integrate lessons into future programs.
Qualifications
- Bachelor's degree in IT, Security, Communications, or related field.
- 3-5+ years of experience in security awareness, training, or information security.
- Skilled in LMS administration and phishing simulations (KnowBe4, Proofpoint, or similar).
- Excellent communication and storytelling skills; ability to simplify complex concepts.
- Familiarity with Microsoft 365, Entra ID, and security best practices (phishing, MFA, data handling).
Preferred
- Certifications: SSAP, CompTIA Security+, ISO 27001 Auditor/Implementer, or privacy/L&D credentials.
- Experience in regulated industries (BPO, fintech, healthcare).
- Background in instructional design or adult learning.
Key Metrics
- 95% training completion and policy acknowledgment rates.
- Phishing fail rate <5% with increasing report rates.
- Onboarding completion within 10 days.
- Strong engagement and measurable reduction in user-driven incidents.
First 90 Days
Audit current training and phishing history, launch awareness campaigns, establish dashboards, and build a Security Champions network.