Several years ago I helped the information protection program at a large organization with getting supplies and prizes for the awareness program on an extremely limited budget. Having some type of prizes and/or recognition for awareness activities and contests is a very good motivator to get your folks involved, and to raise their awareness of important information security, privacy and compliance issues in the process!
So, with little money I started thinking about all the ways and sources for obtaining prizes for awareness events and compeititions. Here are three sources I found to be very good, and that you may find to be fruitful as well.
1. Your organization’s vendors, and vendors who want your business.
I contacted the vendors the organization used. I considered all of them and not just the IT or information security vendors.
I usually did not contact them directly, but through liaisons with the acquisitions and sourcing department. I targeted those vendors that looked like they could have some good prizes (e.g., the cafeteria supplier, the book publishers the library used, the cleaning supplies companies, the IT software and hardware companies, etc.).
Through the acquisitions and sourcing department I contacted them. Basically I said, look, we’re paying you a ton of money for your products/services; what can you give us that would be something our employees would find of value? This wouldn’t work for all types of organizations, but it worked well for this particular organization.
I have also asked potential vendors to throw in items or services as part of our contract. For example, one vendor had an information security technology guru on their payroll who had written a book that could be very useful to the IT research and development (R&D) team. I asked them to throw in 20 copies of his book if we did the deal, and they did. The IT R&D team members then each got a book after participating in training along with an awareness activity to have them identify buggy and unsecure code.
It is important to note that this type of creative funding will not work within many types of organizations! You must talk with your sourcing department, along with your legal counsel, to determine if obtaining prizes and other items of this type, in this way, is acceptable, and legal for your organization.
You must also ensure this is acceptable under your organization’s ethics policy. For some types of organizations you cannot accept items such as this if they are worth more than $50, $25, or even less. However, in other types of organizations, these types of items are perfectly fine. Much depends upon your industry, the countries in which you do business, and whether you are a government agency, educational institution, a non-profit, or an organization with publicly traded stock.
2. Your marketing areas.
Check with your marketing department and related areas. In many organizations marketing areas have all sorts of goodies they’ve created for vendor shows, customer promotions, and so on. They often have leftovers, such as jackets, t-shirts, golf balls, pens, mugs, gift certificates, umbrellas, first-aid kits, iPods, and other fun stuff, that they stick in the closet, or even throw away.
Ask them if you can have their leftovers! They often have some pretty great stuff that employees will appreciate.
3. Local businesses.
Another source I used was local businesses. Nearby restauarants would often donate gift certificates to try and get employees to start visiting their establishments on a regular basis. Clothing stores also were pretty good to offer gift certificates, along with sports stores. Also consider any movie theaters in your area, along with electronics stores, such as Radio Shack, record stores, fitness stores, and so on. Virtually any business nearby is a potential contributor of neat, fun and/or useful prizes for your awareness program.
The same precautions for #1 also apply to this option.
NOTE: You need to discuss each of these with your sourcing area and legal counsel before actually doing! There may be restrictions on “gifts” such as these within your organization.
The bottom line is, it never hurts to ask. Talk with your acquisitions/sourcing area and legal counsel about it. If you go through the proper channels and you can make the contacts, the worst that can happen is that they will say “no.” However, you will never know if you don’t ask. And I bet you will be pleasantly surprised to find several that say “yes! we have something that you can have!”
Tags: awareness and training, Information Security, IT compliance, policies and procedures, privacy, privacy training, risk management, security training