Senior Human Security Engineer

About the Role We are seeking a Senior Human Security Engineer to lead the design and execution of programs that protect the organization from social engineering and human-targeted threats. This role focuses on strengthening the human layer of security through training, behavior analytics, process design, and risk reduction strategies. This individual will partner closely with Security, HR, IT, and business units to build scalable programs that reduce susceptibility to phishing, pretexting, and other forms of manipulation. This role is a key part of our organization’s shift toward “human risk management”, treating users as a critical security control rather than a vulnerability. What You’ll Do Social Engineering Defense Strategy Design and evolve a comprehensive human security program focused on mitigating social engineering risks. Identify high-risk user groups and develop targeted risk reduction strategies. Stay current on emerging social engineering tactics (phishing, vishing, smishing, pretexting, deepfake-enabled attacks). Training & Awareness Programs Develop and deliver engaging, role-based security awareness training. Lead ongoing phishing simulation programs and measure behavioral improvement. Create targeted campaigns for: Executives and high-value targets Finance and HR personnel Privileged users Continuously improve training based on metrics and threat trends. Process & Control Design Define and implement human-centric security controls, including: Verification procedures for sensitive requests (fund transfers, credential resets, etc.) Out-of-band validation workflows Standard operating procedures for handling suspicious communications Partner with business teams to embed secure behaviors into daily workflows. Reduce reliance on “user vigilance alone” by introducing process-backed safeguards. Behavioral Risk Measurement & Analytics Develop metrics and dashboards to track: Phishing susceptibility rates Report rates and time-to-report Repeat-risk users or departments Use data to inform leadership and drive program improvements. Integrate human risk signals into broader security monitoring (SIEM/SOAR where applicable). Incident Support (Human Factor Focus) Support investigations of social engineering incidents. Conduct post-incident reviews with a focus on process gaps and behavioral insights. Recommend and implement corrective actions to prevent recurrence. Cross-Functional Collaboration Work with: Security Operations (SOC) on reporting and escalation pathways Identity and Access Management teams on verification controls Communications/HR on policy messaging and adoption Align human security efforts with enterprise security strategy. What You’ll Bring 5–8+ years in cybersecurity, risk management, or security awareness, with focus on human-centered security. Experience designing and managing security awareness and training programs. Strong understanding of social engineering tactics and human attack vectors. Proven ability to translate security risks into practical, user-friendly processes. Experience with phishing simulation platforms and training tools. Strong analytical skills with experience using metrics to drive decision-making. What Will Set You Apart Background in psychology, behavioral science, or human factors (highly valuable). Experience with enterprise awareness platforms. Experience integrating user risk signals into security tooling. Certifications such as: CISSP, CISM Certified Security Awareness Practitioner (CSAP) SANS Security Awareness or Human Risk Management training Deep understanding of human behavior in security contexts Strong communication and storytelling ability Program design and change management expertise Data-driven decision making Influence without authority across business units Reduction in phishing susceptibility and repeat offenders Increased reporting rates and faster reporting times Adoption of secure business processes (e.g., verification workflows) Measurable reduction in successful social engineering incidents Improved executive and high-risk user resilience