Do you think rewarding or recognizing individuals for secure behavior is an effective strategy? How is this tactic applied at your organization?

VP of Information Security in IT Services, 2 months ago
Yes, praising or acknowledging people for their safe behavior is a successful method. At my previous and current workplaces, we established a point system that allows employees to get financial incentives based on the number of points earned for excellent, secure behavior. This good transformation spread to many other sections of the business and abroad, helping us earn additional allies as we began deploying our cybersecurity plan.

CTO, 2 months ago
This is an area we are looking at as we speak. Our phishing simulation and cyber training platform grades all staff based on their interactions. Positive scores for identifying our weekly phishing emails and reporting them, negative scores for clicking on the wrong links. Positive scores for completing our monthly training modules, negative scores for not doing the training or failing the training assessment.

We have the bulk of our workforce doing the right thing, and most staff are graded A to A+, with a very small cohort B or below. Those that fall below a D grade are automatically enrolled in mandatory retraining, with their management notified accordingly.

We are now looking at taking this a step further and incorporating this into our performance management and KPI process, where staff are motivated to achieve a minimum standard by demonstrating the right behaviours. We will also publish a league table for each team monthly, so that their managers know where each individual in their team is placed and use this as a mechanism to drive the adoption of the behaviours we are looking for.

So, not quite a reward and recognition system, but a way we can continue to get the message across to our staff on the importance of good cyber practices. As we all know, it only takes one individual to do the wrong thing, so the more we uplift the standard across the board, the less likely we are to encounter poor behaviour.

Associate Vice President, Information Technology & CISO in Education, 2 months ago
I believe that rewarding or recognizing individuals for secure behavior is an effective strategy. At the college, we allocate a significant portion of our budget for Cybersecurity Awareness Month in October. We offer educational opportunities, awareness events, and even campus tours to raise awareness about cybersecurity. We also have a recognition program called the CC coins program, which is a digital currency that we award to staff for various achievements, including excellence in cybersecurity. These coins can be redeemed for physical prizes or school swag.

I'd like to add that rewards don't necessarily have to be monetary. For example, we run phishing campaigns and there's a sense of competition among our Vice Presidents to identify phishing emails. We even made a custom shirt for the person who identified the most phishing emails. Recognition can be just as effective as a reward.

CISO/CPO & Adjunct Law Professor in Finance (non-banking), 2 months ago
While we don't currently reward or recognize individuals for secure behavior in my organization, I do see the value in this approach. The challenge lies in determining how to effectively reward people without disincentivizing others. For example, how would we reward people for not clicking on phishing emails? It's a great idea in theory, but operationalizing it can be tricky.

CISO in Banking, 2 months ago
Our organization has a tradition of recognizing individuals for their contributions, not just in cybersecurity. We have a program called Apple Way where we share stories about individuals or groups who have done something remarkable to help our members or the credit union stay safe. We vote on these nominees and the winners are formally recognized. They also receive points which can be redeemed for various items.
