
For many, finding a good security strategy is paramount to business success. For those of us who work as integrators and security vendors, security is a full-time job. CEOs of large and even small businesses also have an increasing stake in securing information and the workplace. Given all the clutter and increased fear of vulnerability to hackers and cyber crime, it is refreshing to see a strategy just work – and work well. Google’s new idea is one such strategy. Rather than relying on typical quality control and a reactive approach of patching security vulnerabilities after they are exploited, Google is paying the public at large to be their guinea pigs. That’s right: anyone who finds a qualifying security flaw in one of several products will receive a baseline reward of 500 dollars. For vulnerabilities deemed to be “severe or unusually clever,” participants can receive up to $3,000. The products tested include some of the largest sites on the internet, such as google.com and youtube.com, as well as the web browser Google Chrome. Perhaps most importantly, the object of the “war-games” is to detect ways to compromise user privacy. This is a noteworthy deviation from hacking in the past, which would have been all about accessing private corporate information and Google’s own servers; the new direction takes responsibility for all the knowledge that Google has about people at large.
A fusion of strategy:
This winning strategy combines some of the most successful business practices to date. One practice, perhaps made famous by Southwest Airlines, is the notion of paying for performance. For Southwest, this meant giving bonuses to flight attendants and crew if they successfully departed the airport on time. In the case of Google, the sliding pay scale based on severity incentivizes people to work hard and find bigger and more substantial vulnerabilities. Another element encapsulated here stems from the philosophy of Koch Industries, the largest privately held corporation in America. It states that giving the right people the right incentives and real authority will result in real productivity and genuine progress. Computer geniuses love what they do. Here Google finds a way to stroke their egos, give them money, and further a goal of privacy and safety in exchange for almost “hiring” the best and the brightest to test their security.
Why you should implement this strategy:
If for no other reason, implement this strategy because it works. As the old adage says, two heads are better than one; and in the case of your business or organization, every head is better than a few. Most workers are probably already aware of gaps in security, but they are simply apathetic or do not know the best way to report them. Tap into that resource and empower them. Secondly, this strategy is highly scalable. You don’t need to dish out 3000 dollars to everyone who finds something of note, but any business can afford a gift card or small office perks. Further, expand the scale of what counts as a security vulnerability. Google naturally leans toward IT, as that is the nature of its business. For your business, it can be as easy as checking that doors that should be locked are locked. Did everyone remember to log out of their PCs and close any private information? Are the windows closed at the end of the day? You get the idea. Commend and reward those who go the extra mile to report these things, as they can and do make a difference. With security under control, your business will be free to focus on whatever opportunities come along.