Features July/August 2021

A Great Adventure: Working as a Security Awareness Professional in Higher Education

By Ben Woelk, CISSP, CPTC | Associate Fellow, Past STC President


I have the most wonderful job in the world.

As I look back on 17 years of work in the Information Security Office at the Rochester Institute of Technology (RIT), I’m amazed at my career trajectory and how much I’ve learned. I’ve been able to take my tech comm skill set, apply it to my daily work in cybersecurity, and use that skill set to make a measurable difference for my community. I’m involved in cybersecurity compliance initiatives (not the most wonderful job part), but the bulk of my work is in cybersecurity training and awareness—which can be truly rewarding as you enable your community to protect themselves from cyberattackers.

Over the course of my career, I’ve achieved a Certified Information Systems Security Professional (CISSP) certification, and have had the opportunity to give presentations, author articles, and even teach workshops about how to do security awareness in a higher education setting. I’m also adjunct faculty, currently teaching classes in Cyber Security Policy and Law, Technical Writing and Editing, and Introverts and Leadership. Yes, I get to impact students in three areas that I’m passionate about. I’ve had quite the leadership journey in these areas, but today we’re talking about my career in cybersecurity.

How Did I Get Here?

I had formal training in neither technical communication nor cybersecurity. The latter field simply didn’t exist when I was in college. (Yes, we had computers.)

After leaving my doctoral program in history, I began working as a technical communicator through contract houses and alongside my spouse, Marilyn Woelk, at Words by Design. The engagement that had the most impact on me in both learning how to do technical communication and becoming self-directed (stepping up) was my work as a consultant to the Xerox Corporation, where I served as a communications manager for the Client Services Group during a time of rapid technological change. My role was to help manage users through the change.

After my Xerox engagement ended, one of my former Xerox colleagues became RIT’s Information Security Officer. He asked me to join them as a temporary employee to help with security incident-related communications. What started as a six-month engagement turned into a 17-year career.

The role grew over time into developing a security awareness and training program, drafting and managing policies and procedures, consulting with internal customers, managing projects, and an increasing number of compliance requirements. Although I didn’t have a formal technical background in information technology, computer science, or cybersecurity, I was able to grasp the technical complexities of cybersecurity and contextualize them so that my audiences understood them, applied them to their jobs, and reduced risk. I also took advantage of tuition benefits to earn an Advanced Certificate in Technical Information Design.

Every job has its headaches, but I value the ability to influence (and help protect) my community, work with colleagues across the world, and invest in students. I can’t imagine a more fulfilling occupation.

What Are My Key Learnings on this Journey?

Successful security awareness is about changing the culture. This process isn’t quick. We need to build into our communities the ability to make quick, accurate security-related decisions. We enable them to easily recognize phishing attempts, practice good security hygiene around passwords, understand how to travel safely, and the like. A key element in forming the right behaviors is to ensure we’re providing a variety of training activities that cover a breadth of threats. It’s not enough to focus only on preventing phishing or business email compromise attacks. We need to create robust programs that provide a steady breeze that enables users to develop strong roots to recognize and resist attacks (Woelk, 2019, “Wind, Trees, and Security Awareness”).

What’s Different About Working in Higher Education?

Successful security awareness in higher education is about innovation and doing more with less. We work in a challenging environment where everyone is either using or creating the next best thing. We’re also in an industry where mandating training is rare and getting our community members’ attention is challenging, so our messaging has to be concise and attention-getting. We don’t have robust corporate budgets, so we work to create new and innovative programs. The Chronicle of Higher Education featured innovative security awareness work done by Harvard University, Texas A&M University, and the Rochester Institute of Technology in Julianne Basinger’s “A Campus Culture of Cybersecurity.”

This willingness to build collaborative solutions isn’t unique to higher education, but it’s certainly in the forefront. Through my involvement with EDUCAUSE and its Awareness and Training Working Group, I’ve learned how to apply and create effective security awareness practices, and work with many colleagues at other universities to build solutions that are effective and that are offered freely. The EDUCAUSE Cybersecurity Awareness Resource Library is available to all.

Core Competencies for Success

As part of a research study (Woelk, 2016, “The Successful Security Awareness Professional”) conducted through EDUCAUSE among security awareness practitioners at various colleges and universities, we determined that effective security awareness practitioners should have:

  • An understanding of basic information security concepts, but not to the level required for the CISSP
  • The ability to apply basic technical communication principles, including audience analysis and the ability to manage technical information in ways that allow people to take action
  • The ability to apply basic instructional design principles, including analysis of learning need and systematic development of instruction

As technical communicators, you’ll recognize that these core competencies mirror our skill sets—an ability to learn technical subject matter and contextualize it for our audiences through communications and training materials.

I’ll add the ability to be flexible and adapt to changing priorities. In cybersecurity, it’s rare that we have a week that’s not interrupted by an incident of some type. In higher education, it’s also rare that projects follow a straight line from conception to execution.

For a primer of cybersecurity terms, consult Tonie Flores’s The Language of Cybersecurity.

Consider a career as a security awareness professional. I hope that you find it as rewarding as I have.

BEN WOELK (benwoelkstc@gmail.com) CISSP, CPTC Trainer, is an Associate Fellow and Past President of STC. Ben is the Information Security Office Program Manager (and adjunct faculty) at the Rochester Institute of Technology. He’s developed a highly regarded security awareness program and is a frequent speaker and workshop presenter for higher education.


References

Basinger, Julianne. 2019. “A Campus Culture of Cybersecurity.” The Chronicle of Higher Education. Accessed 8 May 2021. https://library.educause.edu/resources/2019/3/a-campus-culture-of-cybersecurity.

EDUCAUSE Cybersecurity Awareness Resource Library. Accessed 8 May 2021. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/toolkits/cybersecurity-awareness-resource-library.

Flores, Marie Antonieta. 2018. The Language of Cybersecurity. XML Press.

Woelk, Ben. 2016. “Building a Culture of Digital Self Defense.” EDUCAUSE Review. Accessed 8 May 2021. https://er.educause.edu/blogs/2016/9/building-a-culture-of-digital-self-defense.

Woelk, Ben. 2016. “The Successful Security Awareness Professional: Foundational Skills and Continuing Education Strategies.” EDUCAUSE. Accessed 8 May 2021. https://library.educause.edu/resources/2016/8/the-successful-security-awareness-professional-foundational-skills-and-continuing-ed-strategies.

Woelk, Ben. 2019. “We’re All Winners–Gamification and Security Awareness.” Slideshare. Accessed 8 May 2021. https://www.slideshare.net/bwoelk/were-all-winnersgamification-and-security-awareness.

Woelk, Ben. 2019. “Wind, Trees, and Security Awareness.” EDUCAUSE Review. Accessed 8 May 2021. https://er.educause.edu/blogs/2019/9/wind-trees-and-security-awareness.