Background

The Trust, Data & Resilience organisation adopts a fast-paced, high-performing and accountable culture that focuses on fostering a robust security culture across the Bank. As part of our mandate to grow trust with clients and regulators, we deliver end-to-end awareness programmes and learning journeys that position the Bank as an industry leader in managing the human aspect of security risk. The Training and Awareness team is responsible for fostering the Bank's security culture. It drives the design, development, deployment and enablement of delivery via awareness communities of practice across the globe based on employee roles and risk types. It does this through immersive and thought-provoking training and awareness initiatives that drive down the human aspect of information and cyber security (ICS) risk. The team's remit spans general employee awareness, role-based training, phishing awareness, communications, assessing behaviour change and awareness risk reporting and policy/regulatory alignment.

Main Purpose of Role

This is a new role created in response to the maturing Information and Cyber Security (ICS) training and awareness requirements of the Bank.
They will work with the Head of Targeted training and awareness to design Bank-wide and targeted campaigns and content that address specific audiences, high risk users and emerging threats. In particular, they will be responsible for helping design an end-to-end Phishing programme that drives a world-class culture of secure behaviour. The role will be varied: designing and implementing phishing awareness and testing campaigns targeted at high risk audiences, using data to review before/after status and adjusting campaigns accordingly to ensure risk buy down and ensuring correct metrics reporting. They will need to understand how awareness controls align with the appropriate regulations, standards, policies and risks.
Phishing Uplift Programme - Design and deliver quarterly phishing learning journey and awareness campaigns for all employees. Work with the Heads of ICS to develop and deliver engaging targeted phishing awareness campaigns for targeted groups of employees in the Bank. Run targeted phishing surveys or tests. Collaborate with Group HR to design and develop consequence management and recognition programmes for secure behaviour. Review the effectiveness of the campaigns regularly through various metrics. Ensure data-driven insights and analysis are used to make continuous improvements to the programme. Experience in running a phishing simulation test and tooling is required, as is data analysis experience for analysing phishing results, making inferences and root cause analysis.
Targeted Training for High Risk Audiences - In collaboration with the business, identify key high risk audience groups. Design and deliver engaging targeted learning journeys and campaigns for these audiences to drive down risk. Collaborate with agencies to create content that optimises employee UX. Work closely with Group Learning to host content on platforms as required. Review the effectiveness regularly and ensure data-driven insights and analysis are used to make continuous improvements to the programme.
Someone who is passionate about behaviour, culture and the human aspect of cyber security risk
Proven experience of driving down Phishing CTR through company-wide Phishing campaigns and a track record of creating and delivering innovative, impactful global cyber awareness campaigns based on threats and risks
Information Security expertise, in particular, security awareness and preferably cyber policy/cyber risk management
Minimum 8 years' experience in internal/external communications, marketing, cross-cultural communications, training/development, branding and/or corporate writing, in a corporate and/or creative agency environment. Multinational experience is a plus, especially in the Banking sector
A Degree in Communications, Mass Communications, Marketing Communications or related field preferred but not essential. Extended years of advanced marketing/training/awareness experience may be considered in lieu. A background in cyber risk management with a move to cyber awareness with a minimum of 3 years' awareness experience will also be considered in lieu.
Comfortable with technical jargon and proven ability to translate complex policies and technical requirements into plain English and clear calls to action for non-technical people
Impeccable communications skills, advanced business writing/publishing skills essential. Use of social media/digital platforms an advantage. Preferably in the technology space
Preferred: good level of understanding of information and cyber security risk, cyber security policies/standards, cyber culture, cyber risk reporting, risk frameworks such as NIST and how they relate to security awareness
Experience in data analysis, using data for trending and insights
Ability to foster positive relationships with internal and external stakeholders at the appropriate level
Ability to manage and prioritise multiple assignments with a proactive mindset