SCM #4: Champions in Action: Real-World Success Stories from Leading Security Programs

Hello again!

Building a Security Champion program is an ongoing journey, one that requires careful planning, continuous engagement, and plenty of real-world insights. Successful programs don’t just happen; they evolve through thoughtful strategies, meaningful rewards, and a strong culture of collaboration. In this edition, we explore how leading companies like AWS and Bankdata have turned their security programs into thriving ecosystems. We’ll also discuss how implementing a rewards structure that goes beyond the basics can keep your champions motivated and engaged for the long haul. And for a bit of fun, don’t miss our themed crossword puzzle to challenge your security champion knowledge! 😁 

Whether you're just getting started or looking to scale, these stories and resources provide actionable insights to help you strengthen your own security initiatives.

😂 Champion Comic Relief

🔦 Resource Spotlight - AWS’s Security Guardian Program

At AWS, security isn’t confined to a single team—it’s embedded across the entire organization. The Security Guardian Program is AWS’s answer to scaling security in a fast-moving, complex environment. By empowering employees at all levels to take on the role of "Security Guardians," AWS distributes security responsibilities, ensuring that security is not just top-down but woven into every team’s daily work. These guardians are trained to identify security risks, mitigate issues, and advocate for best practices within their teams, effectively creating a security mindset across the company.

This decentralized approach not only broadens the scope of security ownership but also fosters a culture where security is everyone’s responsibility. The success of the program lies in its ability to equip non-security staff with the knowledge and tools they need to act as security leaders in their own right—reducing bottlenecks, enhancing responsiveness, and building a more resilient security posture.

📺️ Content Corner

In this week’s Content Corner, we turn our focus to Bankdata, an IT service provider in Denmark. During OWASP Global Lisbon, Bankdata’s Security Champion Lead shared insights into how they cultivate an empowered community of champions who act as liaisons between the security team and their peers. In their program, champions are not just participants but leaders who actively drive security initiatives in their respective teams.

At Bankdata, champions receive ongoing training and are involved in key decision-making processes, ensuring they have both the knowledge and authority to influence security outcomes. These champions help embed security into the development lifecycle, working closely with developers and other stakeholders to identify potential risks early and propose actionable solutions. Their influence doesn't just stop at their teams; it ripples throughout the organization, creating a security-conscious culture that aligns with Bankdata's stringent regulatory environment.

🗒️ Katilyst Blog Feature:

Going Beyond Stuff - Rewarding Your Champions 

Giving out branded swag is fun, but the true key to sustaining a Security Champion program lies in recognizing and rewarding your champions in more meaningful ways. In our latest blog post, we discuss strategies for going beyond the usual perks and offering rewards that truly resonate with champions. These can include opportunities for career growth, such as advanced training, mentorship, and leadership roles within the program. Additionally, public recognition at company-wide meetings or features in internal newsletters can go a long way in boosting morale and demonstrating the value of your champions' contributions.

By aligning rewards with champions’ professional development and personal interests, you can ensure that your program doesn’t feel like just an extracurricular activity, but like a valued part of their career path.

🕹️ Game Time

Are you ready to test your Security Champion knowledge? We wanted to bring some fun to this edition of SCN, so we created our first security champion crossword! Most of these questions involve aspects of being a champion, managing a program, or various gamification techniques. If you’re able to answer all 10/10 questions, We’re also providing a couple of helpful resources in case you get stuck:

📆 Upcoming Events & Podcasts

Once again, we thank you for taking the time to read this week’s edition of the Security Champion Newsletter! Please be sure to forward this newsletter to anyone in your network who could use help with their security culture initiative. Until next time! 👋