How do you get employees to care about security? For years, security leaders have been great at conveying the negative consequences of a data breach or security incident – the organization could be attacked, data could be lost, fines levied, employees fired, discipline issued. While this approach conveys the gravity of a potential risk, it often does little to inspire employees to report failures to the security team, to improve their engagement with security, or to advocate for security with peers.
“We keep asking employees to do security work, and when they do a good job, we don’t say anything,” says Masha Sedova, Co-Founder of security awareness training company Elevate Security and former Senior Director of Trust Engagement at Salesforce. “When they don’t do a good job, we just wait until they mess up before we correct and retrain them. We only look for opportunities for negative reinforcement. We’re missing opportunities for positive reinforcement. When I send you a phishing email, do I just wait for you to click on it so I can send you to training, or if you report it, do I send a recognition note to your manager saying ‘You have a security-minded employee, congratulations’?”