The Security Awareness Officer leads the company’s security awareness and behavior-change initiatives, building a culture of cybersecurity across all teams. The role develops engaging content, manages phishing simulations, tracks training compliance, and partners with HR, IT, and business leaders to reduce human-related risks and meet regulatory standards (ISO 27001, SOC 2, PCI DSS, PH DPA).

Key Responsibilities:

• Develop and execute the annual Security Awareness Plan aligned with business risks and compliance goals.
• Create and deliver multi-format learning content (videos, infographics, LMS modules, newsletters, events).
• Manage the LMS and ensure timely completion of onboarding and annual refresher trainings.
• Conduct simulated phishing and social engineering campaigns; analyze metrics and provide targeted training.
• Coordinate with HR, IT, and Communications for policy dissemination, campaigns, and compliance tracking.
• Maintain dashboards and KPIs for training completion, phishing trends, and risk reduction; report to leadership.
• Support incident reviews with just-in-time learning and integrate lessons into future programs.

Qualifications:

• Bachelor’s degree in IT, Security, Communications, or related field.
• 3–5+ years’ experience in security awareness, training, or information security.
• Skilled in LMS administration and phishing simulations (KnowBe4, Proofpoint, or similar).
• Excellent communication and storytelling skills; ability to simplify complex concepts.
• Familiarity with Microsoft 365, Entra ID, and security best practices (phishing, MFA, data handling).

Preferred:

• Certifications: SSAP, CompTIA Security+, ISO 27001 Auditor/Implementer, or privacy/L&D credentials.
• Experience in regulated industries (BPO, fintech, healthcare).
• Background in instructional design or adult learning.

Key Metrics:

• ≥95% training completion and policy acknowledgment rates.
• Phishing fail rate <5% with increasing report rates.
• Onboarding completion within 10 days.
• Strong engagement and measurable reduction in user-driven incidents.

First 90 Days:

Audit current training and phishing history, launch awareness campaigns, establish dashboards, and build a Security Champions network.