How to Reward Performance for Security Professionals

How is performance in information security measured and rewarded? In theory, the mechanism should be straightforward. At the beginning of the fiscal year, employees agree performance or project goals with their manager. These are evaluated at the end of the year. As ever, things are rarely so simple in information security.

Measuring Performance

Performance management in an organization can try to measure objective contribution of an individual or a team, or focus on relative contribution, as is the norm in so-called stack ranking schemes. These are based on the theory that given a sufficiently large group, performance will follow a Gaussian distribution, and top performers can be identified not just on absolute performance but on relative performance within a team.

Even if a company does not explicitly follow a stack ranking scheme, it may be implied because of factors such as a limited budget for bonus payments. Stack ranking schemes have long been criticized for being disconnected from actual performance and potentially toxic by introducing unnecessary competition and negatively affecting motivation. Major companies, such as Microsoft, have lately removed them.

By its very nature, security is a team effort. A well-functioning security organization is completely unspectacular. It will live by certain metrics but may have little actual control over their root causes. As the saying goes, the sound of security’s success is silence, making it hard to measure performance in the absence of major problems or outside project-based metrics for change initiatives. Moreover, security has little room for heroes, and it can be next to impossible to try to attribute success to individual contribution. This makes a strong point for team-based performance measurement and an equally strong case against stack ranking.

Push comes to shove for roles implementing checks and balances, such as CISOs and auditors. Putting them under the same performance scheme as the department they are supposed to control represents a clear conflict of interest. The not uncommon practice of placing the security role under the CIO is emblematic of this situation. Where the CISO and his team are part of the IT organization, the pressure not to rock the boat may be high.

Incentives and Rewards

On the upside, variable, incentive-based compensation schemes are intended to generate a payment structure that rewards contribution, as opposed to static factors such as seniority or length of employment. They provide a way of sharing the risk and reward of running a business with the employees, and help adjust personnel expense in times of tight cash flow.

However, there is a downside when it comes to knowledge workers, including security professionals. Their performance will depend on organizational factors, such as empowerment, as well as personal factors like skill, resourcefulness and creativity. As far as incentives are concerned, research suggests that extrinsic motivational factors – the carrot-and-stick approach – have little or no effect in increasing knowledge workers’ performance and may actually impair it.

Therefore, a performance and compensation system that focuses on financial (or equivalent) rewards at the expense of addressing other job satisfaction factors may not be the best choice for a security department. Arguably, a case can be made for at least limiting the use of incentives.

  • Companies should consider the benefits of a flat, but competitive salary structure for roles implementing checks and balances. This doesn’t mean that these employees should be disadvantaged; their total payouts should be comparable to what incentivized employees receive on average. Compensation can also still be tied to company performance in general.
  • For individuals, negotiating a flat salary structure may not always be an option. Companies may be suspicious of their motives and reluctant to set a precedent. However, security professionals should never put themselves in a position where they expect or depend on a payout or other form of reward.
  • As a profession, we should start thinking about best practices in employment conditions for security staff.

Goals and objectives need to be taken seriously. You agreed to them, and you need to deliver on them. As a security professional and a knowledge worker, though, you may want to consider mentally neutralizing the rewards aspect: don’t nurture any expectations, and put professionalism before incentives. Evaluate job offers based on base salary only.

On the whole, you will need to decide what works for you, your personal motivation and your personal integrity. In security, it can be your job to put your job on the line. More than skills and knowledge, integrity is your professional capital, and part and parcel of what it means to be a security professional.

Further Reading

1. “RSA Animate - Drive: The surprising truth about what motivates us”

2. “'Stack ranking' employee eval practice falls out of favor”, with reference to the recent abandoning of a stack ranking scheme at Microsoft

3. “Financial incentives and bonus schemes can spell disaster for business”

About the Author

Peter Berlich, CISA, CISM, CISSP-ISSMP, MBA is a management consultant and trainer at Birchtree Consulting (
