Celebrate Victories
“Train people well enough so they can leave, treat them well enough so they don't want to.”
—Sir Richard Branson, British entrepreneur
Why Celebrations are Overlooked
Celebrating victories in cybersecurity are uncommon because, in many ways, it is about proving the negative or showcasing what did not happen or has been prevented. Success in managing cybersecurity and digital risk often means nothing happened – no breach or attack occurred, the systems remain available and operational, and no data was lost or unrecoverable. This lack of obvious outcomes can make it challenging to celebrate victories. After all, we don't celebrate the lack of business losses; we celebrate and praise leaders for beating quarterly expectations. Yet cybersecurity teams, like all of us, need recognition to feel valued and appreciated by their organizations. Creating a culture that recognizes and celebrates successes is an important step in creating a high-performing cybersecurity team.
When Board Members Notice
Organizations know they need to celebrate victories to help build morale, increase motivation, and create a positive and proactive culture. The technology and security teams are no different; they need to know their work matters, and each person makes a difference in managing cyber risks. The board can play a crucial role in this by acknowledging and celebrating the successes of the security and technology team. Board participation can be done through formal recognition programs, awards, or simply taking the time to acknowledge and appreciate the team's efforts.
Earlier in my career, I was the CIO of a public company, where security had become a top concern. We were investing and accelerating many programs across the technology and security groups. It was meaningful when one of the board members, who had taken ownership of driving the digital risk agenda, pulled me aside and said, "We all see what you're doing, and we appreciate the long nights and pain that you and the team are feeling... you guys are making us a better company."
The message by the board member was short, powerful, and lingered with me. I ended up sharing this with my entire organization at the CIO all-hands meeting, and just that tiny recognition was felt and reverberated throughout the technology team. Small recognitions by board members communicate to the security and technology team that they are invested in the progress of the security program and care about the organization's well-being. The example I shared helped foster a positive and proactive security culture, where everyone was motivated to improve and protect the organization against cyber threats continuously.
Tips for Celebrating Victories
The board can celebrate victories and show their appreciation in a number of ways. The team should be recognized and celebrated when a new security solution is implemented, and no security incidents occur for a set period of time. Again, a low-tech solution as simple as a "shout-out" at a team meeting, a company-wide email, or even a team-building activity. These small acts of recognition go a long way in motivating the team to continue working towards a common goal.
In addition to individual successes, it is also essential to celebrate organizational victories. When the organization successfully defends against a significant threat or when the security posture improves, this should be celebrated as a collective effort and a demonstration of the organization's commitment to security. Celebrating these victories not only helps to build a positive corporate culture but also helps to foster a sense of unity and strengthens the team's resolve to continue to protect the organization.
Finally, it is important to celebrate successes not just within the IT and security departments but across the entire organization. When the sales team closes a deal with a new client, and the information security team is able to secure the client's data, this is a victory for the entire organization and should be celebrated as such. By creating a culture that celebrates victories across departments, organizations can break down silos and foster collaboration, which is essential in today's interconnected and interdependent business environment.