The carrot and the stick
How do you incentivize people to participate in your security program? Are you using a carrot or a stick? Security rewards and recognition are crucial for the success of your security belt program.
A security belt program is a level-based, achievement-oriented security educational experience. By creating a program with multiple levels, you provide your learners with the opportunity to make their way through the “journey.” Learners achieve something at each step. To incentivize people to participate in your security belt program, you must think about different security rewards and recognition that will encourage your desired response.
If you have a mandatory, compliance-based approach, you may be able to shake the stick at your learners and get them to comply. At Security Journey, we think about our programs from the perspective of the carrot instead of the stick. The carrot is substantial security rewards and recognition, so that learning about security and improving skills draws people into the program. One prize people see is personal career advancement. Another is learning new skills that could help them land their next job or a leadership position.
Security rewards and recognition philosophy
Let’s consider your program philosophy on rewards and recognition. Your program philosophy takes a cue from your organizational philosophy. If there are existing HR programs to reward people, then it is in your best interest to plug into those. Let the HR team do the heavy lifting on your behalf. Most people will say they are not recognized enough for the good things they do. Your philosophy of rewards and recognition can become a real driver for the program.
If you want to change security culture, you need to lead with a strong approach to security rewards and recognition. Below is a non-ordered list of reward/recognition approaches we’ve had success with and have heard about from other successful programs:
Emails to employees and their managers
When I ran a Fortune 500 security training and education program, I used email as a mechanism to recognize. After a team member would complete a belt in the Security Ninja Program, I would send what appeared to be a personalized email to the individual. I would also CC: the manager. In this first message, I would highlight the cool thing the team member achieved. I would also give them a call to action to continue their journey with the next belt. I cc’d the manager to ensure they realized how cool it was that their employee completed something.
The second email went only to the manager. In this message, I asked the manager to reward the team member with a cash award (consistent with our HR team’s policies) for their achievement.
Advice: Use email as one channel for recognizing achievement, but not the only avenue.
My experience was a few years ago, and with the arrival of Teams and Slack in the corporate world, my new advice is to add a mechanism to recognize people on your messaging platform of choice.
When I think of this type of messaging, I don’t miss the opportunity to plug the achievement and also plug the program. Advertise the program. People need to hear about the cool things that the program can provide them.
Advice: Message on achievement events and advertise the program within the achievement message.
Cash rewards
Cash rewards are inexpensive, and they offer the employee the opportunity to receive recognition and do whatever they want with the gift (versus locking them into a gift card).
I’ve seen some push back on cash rewards while saying things like “security should just be part of the job.” I agree, but this is an article about the carrot and not the stick. We use the carrot to bring folks along and win them over, not the stick where we hit them on the head and say you must do this.
When you consider the cost of a single vulnerability being exploited in production (perhaps $100K, possibly more than $1M), individual $100 rewards are minuscule in comparison.
Advice: Money talks. People like money. It’s cheap in the long run. If you prevent one vulnerability from making it into production, you have paid for the program and then some.
Public recognition/security conference announcements
If you have some form of public event in your company, whether it’s a security conference or a business unit all-hands, ask for time on the schedule for an executive to recognize those who have had outstanding achievements in the security belt program.
Advice: Keep these recognition events special by reserving them for the higher belts.
Printed certificates
Some cultures value printed certificates, and others couldn’t care less. At the higher levels within a belt program, we find that people everywhere want to show off their achievement.
Advice: Make the certificates available, but don’t mail them to everybody, because many will not appreciate them (or the effort it takes to send them).
Lanyards
If you work in a lanyard culture, adopt a series of lanyards that match your security belt program levels.
Advice: Use lanyards to turn security learners into walking program billboards.
T-shirts
Who doesn’t like a cool t-shirt? Nobody. Who will wear a slightly cool corporate t-shirt? Not many. If you make t-shirts, make them unique and make them fresh. Engage a graphic designer to take an idea and turn it into a shirt that will be the talk of the town instead of the “shirt people paint in.”
Advice: Embrace the t-shirt culture but make it fresh.
Laptop stickers
Laptop stickers adorn all of our laptops here at Security Journey. Engage your graphic designer again to create some cool stickers. Think about the person sticking the sticker on their laptop, and make sure you aren’t using too much of the sticker for your message, which detracts from the cool factor.
Advice: Just like with t-shirts, you must create a cool sticker, or no one will place it on their laptop.
Hopefully, you’ve taken away some ideas that you can put into action to incentivize your learners within your security belt program. Feel free to reach out. At Security Journey, we could talk about this type of stuff all day and every day.