What does the role of an Internal Security Consultant involve?

Phillip Rohde

What are your main responsibilities?

My role as an Internal Security Consultant focuses on designing and managing the company’s Security Awareness programme, as well as providing support in areas such as physical and employee security, and security for travel and events. In addition, I also work as a Business Resilience Officer within the Business Resilience department, where I support various business units by acting as a direct point of contact for security-related matters. Beyond these defined responsibilities, I offer support wherever it is needed. Thanks to a diverse combination of experience, creativity and pragmatism, I am able to contribute to a wide variety of tasks, projects and issues across the organisation.

How does an Internal Security Consultant collaborate with other departments to ensure internal security?

Although collaboration varies depending on the issue, working closely with other departments is part of my day-to-day work. In particular, managing the Security Awareness programme brings me into contact with numerous teams and stakeholders across the company. After all, security is, above all, a collective effort. You cannot implement effective processes or plan meaningful awareness initiatives in isolation, without fully understanding the target audience. Gathering feedback, seeking professional input and collaborating across departments such as IT, Legal, HR and Business are key elements that enable me to carry out my work successfully.

What types of internal risks do you usually identify, and how do you help manage or mitigate them?

Security is a shared responsibility, and I am fortunate to work alongside many highly qualified colleagues in different areas, who help identify and manage risks within their respective fields. In my case, I focus on the human and physical aspects of internal security. Close collaboration with the relevant departments, together with the Enterprise Security Risk Management team, is essential to ensure that risks are assessed and mitigated appropriately, effectively and proportionately.

How important are prevention and employee awareness in internal security work?

Employee awareness is one of the most critical elements of internal security. In many ways, employees are both the first and last line of defence for an organisation. Everyday decisions can directly influence the company’s security posture, whether it be falling for a targeted phishing email, using new AI tools with confidential information, allowing unauthorised persons access to company premises, or disclosing sensitive information during a fraudulent call (vishing). With the rise of AI-assisted attacks, increasingly sophisticated social engineering and highly convincing communications, identifying all potential threats is becoming ever more complex. Therefore, helping employees recognise these risks, know where to find support and strengthen their security skills is key to effective prevention.

What tools, methodologies or frameworks does an Internal Security Consultant use?

Again, security is a team effort: together with specialists from different areas, my team supports the identification and management of risks in those areas. However, in my role in particular, prevention is key, as I mainly focus on the human and physical aspects. For example, data leaks could lead to legal fines and reputational damage, stolen credentials could result in compromised systems and networks, and successful phishing attacks can lead to unauthorised system access, financial transfers, or the disclosure of confidential information; these are just a few examples of common risks associated with employee awareness and the overall security culture in a company. Communication, training, workshops, and simulated phishing campaigns help to increase security awareness, reduce the likelihood of risks, and even prevent certain incidents.

In the physical domain, offices, data centres, stores, and other facilities also involve a variety of risks, such as fires that could cause data loss or threaten employees’ health, environmental events like floods or lightning that could damage infrastructure or technology and reduce service availability, or unauthorised access (for example, tailgating), which could lead to system access or further attacks. Therefore, conducting physical risk assessments in our facilities is a way of evaluating their status based on various legal, industry, and internal requirements, and close collaboration with the affected department and our Enterprise Security Risk Management team helps ensure the proper assessment and mitigation of identified risks.

How does this role contribute to strengthening the security culture and information protection within the organisation?

Through my involvement in the Security Awareness programme and my role as a key stakeholder in security training and communication for employees, my team and I actively contribute to strengthening the security culture and information protection within the organisation. Together with my colleagues in Business Resilience, I also see myself as an information security ambassador, aiming to make security more accessible and to help employees better understand the risks in a clear and approachable way.
