Evaluating the staff’s secure behavior

$0Performance management is a critical, albeit less than thrilling part of any employee development program. Many of us spend countless hours codifying the activities of our staff and the many successes and challenges they have faced over the past year. Mature companies split the focus between goal-oriented and behavior-oriented measurements. It is common to comment on an employee's level of teamwork, or their success in creativity and innovation. Examples are often cited and suggestions for improvement are offered. So where is the security behavior?$0$0We often speak of security as a value-add and a competitive differentiator. Segments of our profession are dedicated to the quantitative justification of our existence. This is coupled with the fact that most security awareness programs highlight the employee obligation and how they are the front line of defense for their organization. Why then do we not see a more formal process in place to measure these desired behaviors as part of the annual review process. Imagine an employee end-of-year review that lists "protecting the company" as one of the five default target behaviors. This will encourage the employee to take this role seriously and equally motivate managers to remain conscious of these actions, if for no other reason than the need to fill out the end-of-year form.$0$0Perhaps this is too radical a concept. Security has been built on centuries of punitive actions for less than desired results. Sticks are easier to use, so why waste time with carrots. But I would argue that true security cultures are created via a transparent process that offers equal parts of praise and punishment. What better way to "convert" an employee than with money in their pocket.$0$0Of course, it cannot be all about picking a good password and getting a treat. In most cases, the penalty portion needs escalation as well. If we are going to give employees a more favorable annual review and compensation adjustment due to strong security practices, then the employees that fail to meet these objectives should be dealt with in an appropriate fashion. This does not need to be solely in the form of weaker increases to base pay or bonus. Other options include a financial penalty for losing a laptop. Or loss of access privileges due to poor handling of sensitive systems. Naturally, HR and legal departments will play a big role in shaping what can and cannot be done to employees that put a company at unnecessary risk, but even minor shaming can have a major effect.$0$0Next time you hear a security professional lament about the poor actions of one of their employees, I suggest you cut them off and ask, "What do you offer to promote secure behavior?" In most cases, you will probably get a blank stare. In which case I ask them to keep the whine in the glass.$0

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.