Should security be considered in an employee’s performance review?

“If leaders want cybersecurity taken seriously, they need to embed that into performance reviews,” one expert says.

Francis Scialabba

Things you may be judged for in a professional setting: the firmness of your handshake, the amount of eye contact you make, your ability to engage in small talk near the watercooler…and the way you keep your organization secure?

As large breaches become more commonplace and AI gives malicious actors a leg up in crafting their next cyber threat, making sure employees are practicing good security hygiene and integrating secure practices in their work is more important than ever. That’s why many companies are getting creative to ensure they stay one step ahead with cybersecurity issues.

Microsoft is one company that has taken a stab at making cybersecurity more top of mind for its employees. Since last December, security has been designated as a “core priority” for every Microsoft employee. That means security is a component of biannual employee performance reviews and “considered in every employee’s annual bonus and compensation.”

New norm? Some have taken a fancy to the new approach. Deb Arnold, who runs an eponymous boutique consulting firm, said making cybersecurity a topic of discussion during employee reviews may be a good practice for security-focused companies because employees are more likely to pay attention to things they are incentivized to do.

“If leaders want cybersecurity taken seriously, they need to embed that into performance reviews,” Arnold said. “Otherwise, it’s the classic rewarding A, while hoping for B.”

However, Arnold said incentives to encourage security-focused behaviors must be paired with a broader cultural change to be fully effective.

David Murray, CEO of the people platform company Confirm, said he sees the value of considering security as part of performance at work in the current threat landscape.

“When you look at where the world is going, it’s helpful to remind people that we all contribute to safety and security in each of our respective organizations,” Murray said. “So, I am actually supportive of the idea of introducing the concepts to folks that each one of them contributes to security and that a company’s security is only as secure as its weakest link.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“The employees have to have the knowledge and skills so they know how to act securely,” Arnold said. “They need the right systems and tools so that secure choices are the easy choices.”

David Rice, senior editor at People Managing People, said security is more of a “compliance issue.” While security would be an appropriate topic of discussion for an IT and cybersecurity-focused employee’s performance review, he said integrating it as a norm for other employees may unintentionally leave an employee’s security habits open to interpretation.

“When we think about, ‘How do I perform at my job?’, people will have different ideas about how that gets done, and I don’t know if you want to open that door in security,” Rice said.

Rice added that incentivizing security may result in an “inconsistency” in employee behavior.

“If it’s an expectation and you’ve got to meet it or you’re going to be having a discussion with your boss that’s not so pleasant, that’s different,” Rice said, suggesting that employees are likely to adhere to proper cybersecurity practices if this is expected of them.

The right way. Companies that want to incorporate security into their performance reviews need to do so the right way, according to JLEE & Associates founder and CEO Jimmie Lee. He said employees shouldn’t be evaluated on “ambiguous” security goals and that these targets should be tailored to their specific role.

“Security looks different from every employee, so you have to have a system that’s flexible,” Lee said.
