Monster Energy Wins CSO Award by Turning “Get S$!t Done” Business Culture Into: “Get S$!t Done Right”

Reframing the business problem: from GSD fast, to GSD right

Monster Energy is built on a competitive, high-velocity culture defined by its mantra: Get S$!t Done (GSD). That mindset fuels innovation and growth—but it also creates cyber risk when attackers exploit urgency, trust, and momentum.

Despite strong technical controls and traditional security awareness efforts, phishing remained a human risk problem. Employees were still clicking malicious links and exposing credentials. Rather than trying to slow the company down, Monster chose a different approach: redefine what winning looks like.

The result was the CSO Award-winning Get S$!t Done Right program—a cyber mindset cultural reset designed to make vigilance part of Monster’s daily workflows, not an impediment.

“Training alone doesn’t solve the problem. There has to be a security first mindset or, as we’ve coined, the 'cyber mindset,' and we were able to build and scale that fast with Hoxhunt’s capabilities.” — John Strait--SVP, Global Information Technology Infrastructure

This shift mattered because Monster treated human risk not as a training compliance issue, but as a mindset and performance problem: how to help employees move fast but safely, pausing long enough to question, report, and protect the business.

‍

Building a CSO Award-winning program that feels unmistakably Monster

The innovation recognized by the CSO Awards centered around building gamification into cultural design.

Working with Hoxhunt, Monster built a multi-platform cyber mindset engine that combined:

• AI-driven adaptive phishing simulations
• Personalized micro-trainings
• Leaderboards and competitions
• Executive storytelling and internal media through GSD TV
• Seasonal campaigns such as December’s 12 Days of Phishmas, with Hoxhunt
• Creative engagement features like Phish-a-Friend
• The Cyber Mindset Championship Belt, inspired by UFC title belts

Monster selected Hoxhunt because it could support the company’s competitive nature while helping create the right behavioral outcomes. Then the team asked a different question: not just how to roll out a platform, but how to make it Monster.

The belt became the clearest symbol of that transformation. More than symbolic flair, it represented aspiration, mastery, and identity. Separate belts for end users and IT reinforced both individual excellence and team accountability. Winning required more than leaderboard points alone: successful phishing outcomes, reporting behavior, proactive spam escalation, and sustained engagement all mattered.

“We looked at Hoxhunt and said, OK, well, how can we make this Monster? Hoxhunt helped us achieve three goals: reduce phishing attack clicks; increase cyber education; and ultimately, create competitive advantage in our employees. It all came together when I saw one of our UFC belts and told my CIO, ‘let’s make that the ultimate Monster symbol of cyber mindset.'” — John Strait

By making cyber excellence something public, physical, and competitive, Monster turned security into something employees wanted to talk about, improve at, and win.

Teaching caution without killing momentum

The biggest challenge was cultural. Monster’s business thrives on aggressive pace, decisive action, and execution. Traditional security training often asks employees to slow down in a way that conflicts with that operating model.

Monster did not try to “solve” that culture by suppressing it. Instead, the team reframed it. The goal was not to eliminate speed, but to insert intentional pause into risky moments and redefine excellence as smart, vigilant execution—not just speedy activity.

Employees were not punished for mistakes. They received immediate feedback through adaptive simulations and micro-learnings. Being wrong became part of learning, not a mark of failure. Leadership participation made the shift credible: executives competed publicly, embraced phishing simulations, and normalized visible learning.

“The competitive nature of the Hoxhunt training gets them to pay attention to the details, to the micro trainings, and that gives them that extra second to pause and think.” — John Strait

That mindset shift showed up in how employees engaged. Cybersecurity became a conversation—at work, across teams, and beyond formal training moments. That was the point: move cyber from background compliance into daily identity and behavior.

One of Monster’s executives was recently approached by an employee in a movie theater who recognized the brand on a jacket the executive’s family member was wearing and, after learning he was an IT executive, asked with a smile, “Are you the one behind all those Hoxhunt phishing tests?” They then had a pleasant conversation about the phishing training.

When John learned of the interaction, he knew cybersecurity had moved beyond training into everyday awareness and conversation.

“I’ll take moments like that over a two-point gain in a statistic any day.” — John Strait

Results: measurable risk reduction and visible behavior change

The program produced measurable business results across multiple human-driven cyber risks, while improving operational efficiency and reinforcing long-term behavior change.

Key outcomes included:

• 91% drop in user-driven security incidents: from about five per day to fewer than three per week
• 4X drop in failure rates
• Failure rates dropped from 16–18% with legacy SAT, to 4% with Hoxhunt
• Credential-harvesting simulations fell to about 4% credential submission rates
• The 12 Days of Phishmas December awareness campaign achieved a 2.1% failure rate, lower than Monster’s annual average
• Reports of malicious websites increased by about 15%
• Employee threat reports to the SOC soared
• Account lockouts decreased by 30–40%
• Help desk tickets related to phishing and credential resets declined
• SOC effectiveness improved through fewer escalations and faster resolution

Just as important, qualitative signals reinforced the numbers. Employees discussed phishing tests in parking lots, theaters, and team meetings. Executives competed for leaderboard positions and championship belts. Department heads requested harder simulations, including AI phishing and “Spicy Mode,” instead of asking for less testing.

“The conversations people spontaneously have about cybersecurity are as important as the microlearnings.” — John Strait

Monster’s team also observed a dramatic uptick in more complex AI-generated phishing and conversational attacks. Because the program was adaptive and ongoing, it helped the organization keep pace with evolving threats rather than rely on static content.

“Get S$!t Done is a great concept. Get S$!t Done Right is even better. Hoxhunt helped us make our cyber culture world class, while retaining our Monster business culture DNA.” — John Strait

‍

‍