This role sits within the CSO's office of a major Brussels public transport operator and is charged with raising phishing awareness across a 10,000-strong workforce. The assignment is to build and run a 12 to 24 month phishing awareness programme, working in a Microsoft 365 environment with Exchange Online and aligning activities to ISO27001 controls and maturity metrics.
The mission
The project is a strategic security awareness programme owned by the CSO and delivered for a large public-sector transport operator. The existing baseline maturity assessment will be refined into a full gap analysis, and the work will produce a documented 12 to 24 month phishing awareness strategy, a catalogue of simulated phishing scenarios, and dashboards that show progress against defined KPIs. The programme targets diverse employee profiles across operations, administration and field teams, and aims to measurably reduce click rates and improve reported phishing incidents.
Day to day you will lead the design and end-to-end execution of phishing campaigns in a Microsoft 365 and Exchange Online environment, configure simulation tooling, and operationalise campaign scheduling and segmentation for up to 10,000 employees. You will partner with internal stakeholders including the CSO and internal communications, deliver regular analytics and maturity dashboards, and run knowledge transfer sessions so the organisation can operate campaigns independently after the engagement.
Your responsibilities
- Define a 12 to 24 month phishing awareness strategy that maps to ISO27001 controls and measurable maturity levels
- Design a catalogue of phishing scenarios and audience segmentations, and validate difficulty levels against real user profiles
- Implement and configure phishing simulations in the Microsoft 365 environment, managing delivery, safety controls and incident handling
- Analyse campaign results and produce clear KPI dashboards and maturity indicators that inform leadership decisions
- Establish a multi-channel internal communications plan with stakeholders to increase reporting and reduce risky behaviour
- Transfer skills through workshops and runbooks so internal teams can plan and operate future campaigns autonomously
Your profile
Essential skills
- Demonstrable experience designing and running phishing awareness programmes for large organisations, ideally for 5,000+ users
- Practical knowledge of Microsoft 365 and Exchange Online configuration for phishing simulation and safe delivery
- Strong analytics and dashboarding capability to define KPIs, measure maturity and report progress to executives
- Experience applying ISO27001 requirements to awareness activities and mapping controls to campaigns
- Proven change management and stakeholder engagement skills to influence behaviour across varied employee groups
- Excellent written and verbal communication, able to translate technical findings into executive-friendly reports