REDUCING RISKS THROUGH COMPENSATION. Has your organization been struggling to achieve its compliance goals? Whether your organization is new to risk management or you’ve been struggling with compliance for some time, making compliance a part of every employee’s compensation plan is a smart strategy. This can get everyone in your organization thinking about information security and make compliance an enterprise-wide priority.
Sounds like a good idea, but not sure how to get started? Begin by incorporating risks into performance goals. Goals can be established on three levels: the individual, the department, and the company as a whole. When employees hit their goals, be prepared to reward them. Whether it is through their bonus checks or through other creative and motivating rewards, employees should be recognized for making compliance a focus.
On an individual level, start by establishing key performance indicators (KPIs) based on identified risks and remediation plans. Once goals are established, the business can evaluate an employee, either quarterly or annually, on the progress the employee has made on important risks and the extent to which each risk has been remediated. To further engage the employee, set goals for education in information security. Consider giving employees the opportunity to earn job-relevant certifications that will boost their awareness of information security, which in turn produces security-savvy employees. Consider offering rewards for those who achieve CISSP, CISA and CISM certifications. Employees will appreciate the chance to learn and build their credentials. Information security talent is hard to come by; if the organization cannot hire people with the required skills, it should nurture existing employees to acquire them.
At the department level, set goals for the IT and Information Security departments. For example, if the whole department achieves x% compliance with the chosen standard (NIST, ISO 27002, HIPAA, PCI, etc.), then the whole department is rewarded for the achievement. When employees are aware of, and involved with, the numbers they need to achieve, they will work together to make it happen, particularly if there is a strong incentive to do so.
Implementing a goal across an entire company may seem like a daunting task, but consider making information security a company priority. Establish a structured security awareness training program. Ensure all new employees are trained on security. Test employees annually and award prizes to the department with the highest security awareness training scores (excluding IT and Information Security). Let the Finance department compete alongside the Marketing and Human Resources departments. Throughout the year, run periodic security awareness campaigns, such as a phishing campaign, and track which department does best. Provide an enticing award to the department with the best overall score, such as a cash bonus or extra vacation days.
Whether your organization struggles with getting compliant or not, institutionalizing risk management and information security is a smart way to ensure employees always have security top-of-mind. Get creative in what you offer employees for their help in bringing the company to compliance – from cash to days off, to company outings – your options are endless. The organization will benefit tremendously when its employees are mindful of the organization’s key compliance obligations.