
Best practices for information security reward incentive programs

While employee termination may be necessary in cases of insecure conduct, most employees are more encouraged by the carrot than the stick when it comes to security and compliance.

I'd like to create a rubric by which our enterprise can judge (and then reward) those among our employees who are 'most secure,' i.e., those who most frequently follow security procedures. What sort of things would you suggest the rubric include?
As a former CISO, I will agree that one of the biggest challenges is getting everyone to comply with physical security and cybersecurity policies and procedures. Of course, one of the most common means of encouraging everyone to comply is with the classic policy clause of "…failure to comply could result in discipline up to and including termination and possible referral to law enforcement."

Ugh! The "stick" in this case encourages (or demands) minimal compliance from everyone, but not much more. Thus, your desire to take security to the next level by focusing on those who are the most secure with a "carrot," or more specifically security reward incentive programs, is to be commended!

Here are some thoughts on how to proceed with this approach:

  • Make people want to be secure: Motivate them with simple things like recognition, appreciation or small gifts like candy bars when you see good practices in action.

  • Reward good practices on the spot: Make it quick, easy and simple. This can be done as you walk around the company during the day or even during structured security observations/assessments.

    If you can't give the person the reward directly, then leave a hand-written note or some other way of saying "Thank You."

  • Consider including information and physical security performance as part of the employee's annual formal review. This then includes the supervisors, as well as the employees, in emphasizing that good security is everyone's duty.

  • You could also establish a peer nomination process. This could be done quarterly and may include a certificate, temporary use of a premier parking space, possibly some corporate trinket (coffee mug), or even a gift card to a world-renowned coffee shop.

When I was the CISO at the Port of Seattle, I implemented a fun and simple approach for rewarding people for their good ideas and efforts known as the "You Done Good" awards. Yes, the grammar was not perfect, but it was a way to have some fun by giving people a colorful certificate (made on PowerPoint) recognizing them for their efforts and good ideas. The "You Done Good" awards did not need special approvals, since they were from my office, but I was sure to give the recipient's boss a copy of the certificate for the employee's file.

An example "You Done Good" award was given to an employee who simply asked a question about a process, thus raising awareness of a security concern that was not being addressed. The point of the award was to compliment the employee's questioning attitude and initiative. On my last day at the Port of Seattle, she still had her award proudly posted inside her cube!

Of note, these certificates worked as security evangelists as well; individuals would pin them up in their cubes, and other people would ask about the recognition and realize how simple it was to be secure and to follow security rules.

With your program, however, be careful about setting people up for ridicule. Make sure winners are not viewed as the teacher's pet or subjected to embarrassing comments from others.

Also, avoid making the awards trite. For instance, someone using a key card to gain entry to a secure area is not really worthy of an award; however, if you hear someone stop somebody else from piggybacking or from loaning a key card out, then that is worthy of positive recognition and a "Thank you."

Anyway, your idea is a great one, and best of luck implementing it!

This was last published in February 2011
