Ugh! The "stick" in this case encourages (or demands) minimal compliance from everyone, but not much more. Thus, your desire to take security to the next level by focusing on those who are the most secure with a "carrot," or more specifically security reward incentive programs, is to be commended!
Here are some thoughts on how to proceed with this approach:
- Make people want to be secure: Motivate them with simple things like recognition, appreciation or small gifts like candy bars when you see good practices in action.
- Reward good practices on the spot: Make it quick, easy and simple. This can be done as you walk around the company during the day or even during structured security observations/assessments.
  If you can't give the person the reward directly, then leave a hand-written note or some other way of saying "Thank You."
- Consider including information and physical security performance as part of the employee's annual formal review. This then will include the supervisors, as well as the employees, in emphasizing that good security is everyone's duty.
- You could also establish a peer nomination process. This could be done quarterly and may include a certificate, temporary use of a premier parking space, possibly some corporate trinket (coffee mug), or even a gift card to a world-renowned coffee shop.
When I was the CISO at the Port of Seattle, I implemented a fun and simple approach for rewarding people for their good ideas and efforts known as the "You Done Good" awards. Yes, the grammar was not perfect, but it was a way to have some fun by giving people a colorful certificate (made on PowerPoint) recognizing them for their efforts and good ideas. The "You Done Good" awards did not need special approvals, since they were from my office, but I was sure to give the recipient's boss a copy of the certificate for the employee's file.
An example "You Done Good" award was given to an employee who simply asked a question about a process, thus raising awareness of a security concern that was not being addressed. The point of the award was to compliment the employee's questioning attitude and initiative. On my last day at the Port of Seattle, she still had her award proudly posted inside her cube!
Of note, these certificates worked as security evangelists as well; individuals would pin them up in their cubes, and other people would ask about the recognition and realize how simple it was to be secure and to follow security rules.
With your program, however, be careful about setting people up for ridicule. Make sure winners are not viewed as the teacher's pet or are subject to embarrassing comments from others.
Also, avoid making the awards trite. For instance, someone using a key card to gain entry to a secure area is not really worthy of an award; however, if you hear someone stop somebody else from piggybacking or from loaning a key card out, then that is worthy of positive recognition and a "Thank you."
Anyway, your idea is a great one, and best of luck implementing it!