- Katilyst Security Champion Newsletter
SCN #10: Leveling Up Your Security Champions
How Gamification & Human-Centric Approaches Drive Cultural Change
When it comes to security, tooling alone can’t carry the day. Our true superpower lies in motivating and empowering the people behind those tools. Last month, we kicked off 2025 with 4 Security Resolutions - from building strong foundations to securing top-down support.
Now, it’s time to supercharge that roadmap with gamification techniques, community-driven learning, and real-world champion insights. Get ready to transform “resolutions” into tangible, lasting success!
🏃 Keep the Momentum: Revisiting January’s Roadmap
Quick Recap: In our January Newsletter, we introduced four key resolutions:
1. Establish a Strong Foundation (OWASP Security Champions Guide)
2. Foster Engagement & Measure Success (Behavioral Science & Gamification)
3. Turn Developer Pain Points into Strengths (Gartner Article)
4. Secure Executive Alignment & Scale (A CISO’s Guide)
Why It Still Matters: Whether you’re still setting up your program’s core pillars or seeking fresh ways to engage stakeholders, those four steps lay the groundwork. This month, we’ll show you how to level up each resolution with gamified approaches, deeper community building, and trust-centric champion tactics.
🕹️ From Resolutions to Results: Gamifying Your Roadmap
Link to January’s Roadmap:
Align AWS/CBA’s success back to the 4-step approach. Notice how they leveraged champion networks for cultural alignment and embedded gamification to keep thousands of employees engaged.
Key Takeaways:
Intrinsic vs. Extrinsic Motivation: Make sure your champion achievements yield not just badges or points, but deeper career and skill growth.
Scale & Sustain: Aim for a “flywheel effect”: every champion’s success story encourages more devs to join, creating an ever-expanding circle of security leadership.
Challenge to You:
Pick One: Is your organization better served by a monthly scoreboard or a peer-based reward system like “security MVP of the month”? Test a method for 30 days and measure whether champion involvement in security tasks increases or stays the same.
💪 Powering Up Culture: Security Champions & Human Connections
Why It Resonates with January’s Resolutions:
Resolution #2 (Engagement & Measurement): Dustin delves into real-world success stories about trust-building and motivating dev teams, which is core to sustaining engagement.
Resolution #3 (Turning Pain Points into Strengths): By bridging dev-security communication gaps, champions see fewer friction points and more collaboration wins.
Standout Quote:
“People are far more likely to listen to their peers talk about security than an external department.”
– Dustin Lehr
What Next?
After watching, pick one existing dev-pipeline challenge (like noisy tooling or unclear triage processes) and brainstorm a champion-led solution. Plan a 15-minute standup next week to share your idea with the devs. Watch how quickly champions gain traction when they’re peers, not distant ‘security police.’
💪 Tactics, Techniques, & Procedures of a Security Champion Program
Why It Evolves Last Month’s Insights:
Resolution #1 (Strong Foundation): Explore how AI-based scanning and automated feedback loops can solidify your baseline.
Resolution #4 (Executive Buy-In): The video covers leadership vs. management, empowering champions to influence from the bottom up, while top-down sponsors keep momentum alive.
Pro Tip:
Adopt a “hub-and-spoke” champion model:
Hub: Your security team offers strategic vision, advanced tooling, and training resources.
Spoke: Champions integrate those practices into dev sprints, offering real-time tips, code reviews, and risk prioritization.
Call to Action:
Already have a champion program? Tag your most active champion on LinkedIn this week - give them a public shout-out for all they do. This small show of recognition helps reinforce positive behaviors and showcases real role models within your org.
Keep Building, Keep Playing:
We started the year with 4 key resolutions for champion-based security. February’s spotlight on gamification and human-centric leadership brings those resolutions to life, transforming your dev teams’ mindsets from “necessary chore” to “exciting challenge.”
Join the Conversation:
Share a Win: Did you use mini-challenges, peer shout-outs, or improved triage flows? Reply to this email or tag us on LinkedIn with your success story.
Upcoming Roundtable: We’re planning Katilyst’s first-ever community meetup (details coming soon). We’re looking for Security Champion program owners to share their experiences, so send us a message if you’re open to a submission!
Final Note
Your champions are the key to bridging everyday AppSec tasks and a robust, future-proof security culture. By weaving in implicit gamification, real connections, and strategic leadership, you can turn January’s resolutions into unstoppable momentum this February.
- The Katilyst Team