2. What are Security Champions?
A major challenge facing software-focused organizations today is how to effectively incorporate good cyber security practices into everyday habits without sacrificing business deliverables.
Software security experts are typically limited in number and cannot be everywhere at once. A common practice in high-functioning organizations is to recruit Security Champions.
Security Champions are individuals in an organization who have agreed to spend a portion of their time helping address software security by learning the skills to help their teams proactively find and address security risk. The Champions act as a liaison between the security team and their own team, helping to translate and interpret security best practices into the context of their team’s software development practices.
Challenge: How can we motivate the Champions to increase the software security maturity of their team?
3. Business Metrics (Security Maturity)
1. # of Security Habits Followed by Team (Prevent Issues)
• The Security Champion drives adoption of security best-practice habits during their team’s software development lifecycle (SDLC), such as performing Threat Modeling during design.
2. (Decrease) Avg # Security Issues per Developer (Fix Issues)
• The Security Champion encourages their team to fix known security issues discovered from a variety of sources: source code analysis, security assessments and penetration tests.
3. % Security Assessment Coverage by Team (Find Issues)
• The Security Champion encourages their team to assess their architecture and code base using source code analysis, security assessments and penetration tests to find security issues.
• This is very important to feed #2: a low issue count only means something when coverage is high. If a team has no methods to find security issues, its issue counts will naturally be low, so read metric #2 alongside metric #3 rather than on its own.
Less important but needed to feed/improve the above:
4. Security Knowledge and Skills
• The Security Champion grows their own knowledge by completing learning activities such as training, to ultimately help their teams move the metrics above.
5. Security Champion Program Participation
• The Security Champion demonstrates commitment to advancing and contributing to the program through attendance at meetings, likes/comments in the group chat, inviting others to become a Champion, etc.
5. Security Champion Player Types
1. Driver
• Team-Oriented and Goal-Driven
• Coaches, leads, and supports the team to reach their goals
2. Aspirer
• Self-Oriented and Goal-Driven
• Ambitiously pursues personal growth and development
3. Inspirer
• Team-Oriented and Experiment-Driven
• Motivates team to pursue their own unique visions
4. Pioneer
• Self-Oriented and Experiment-Driven
• Invents and experiments with innovative ideas
6. Security Champion Driver Player Type
(Slide figure: the observations below are placed around the Octalysis octagon, whose core drives are Meaning, Empowerment, Social Influence, Unpredictability, Avoidance, Scarcity, Ownership and Accomplishment.)
• Wants to contribute to overall company success
• Believes in company’s purpose
• Constantly learns and grows technical knowledge
• Drives to meet project goals
• Earns certifications, degrees, and collects qualifications
• Designs creative technical solutions to solve business needs
• Competes with others to stand out in technical knowledge
• Strives to appease leadership by meeting their goals
• Works closely with team to ensure overall team success
• Is curious to learn about new business needs
• Anticipates production outages and issues that can occur anytime
• Reduces risk to ensure availability of data and systems
• Has a strong desire to not lose job
• Is extremely busy satisfying the needs of the business and meeting deadlines; has no luxury of time, so must determine and work top priorities
• Anxious for their code and ideas to be tested and put in front of customers to determine their effectiveness
• Is very proud and protective of their ideas and the things they’ve built
• Has strong attachment to the technical ideas/thoughts/beliefs they’ve settled on over the years
7. Scaffolding Phase Desired Actions
1. Program Participation (Business Metric 5):
• Attend monthly Champion training meetings
• Ask a question or make a comment during a meeting
• Share Champions meeting content with own team
• Like, comment, or post content in group chat area
• Invite a guest to the monthly Champion training meeting
• Invite someone to become a Security Champion
2. Security Knowledge and Skills (Business Metric 4):
• Watch a security training video
• Complete secure code training course
• Read a security-focused book
• Help refine company security standards or guidelines
3. % Security Assessment Coverage by Team (Business Metric 3)
• Invite security team to perform a security assessment for a project
• Assist security team in the security assessment of a project
• Identify and share a valid risk discovered
• Onboard an application that needs to be scanned by security tooling
4. (Decrease) Avg # Security Issues per Developer (Business Metric 2)
• Help analyze a security tool finding
• Help remediate a security risk in own area
• Demonstrate clean security scan for a project
5. # of Security Habits Followed by Team (Business Metric 1)
• Integrate a new security activity into own Software Development Lifecycle
• Show team is following all Software Development Lifecycle practices
The experience flow is generally such that Security Champions start with light participation in the program and get more involved over time, ultimately working their way up to helping their team meet the most important business metrics.
8. Analysis of Current Experience
(Slide figure: the observations below are placed around the Octalysis octagon, whose core drives are Meaning, Empowerment, Social Influence, Unpredictability, Avoidance, Scarcity, Ownership and Accomplishment.)
• Consistent narrative on the bigger picture of helping protect the company
• Champions are an elite group for which you must be selected
• Acknowledgement from security team and program facilitator for attending the training meetings
• Ability to assist in the design and content of the Champions wiki
• Champions answer quick “fill in the blank” quiz questions during training
• Champions think of unique ways to hack the fake training website
• Training knowledge shared motivates desire to reciprocate
• Slack channel group to share knowledge, ask questions, and react to other posts
• Unknown next training presentation topic
• Random prize awarded to a training meeting attendee
• Responsibility to protect the Champion’s area from a security breach
• Don’t want to miss out on an entertaining training topic or event
• Prizes rewarded only if attending the training
• Live trainings only happen at specific times
• Live trainings only last a limited amount of time
• Security Champions can recruit and invite others to become Security Champions
9. Brainstorm of New Features
Each feature is tagged with the Octalysis core drives it targets, using the framework’s standard numbering: 1 Meaning, 2 Accomplishment, 3 Empowerment, 4 Ownership, 5 Social Influence, 6 Scarcity, 7 Unpredictability, 8 Avoidance.
• Karate Belt Level (Core Drives 2, 4, 5, 6): Champions earn points based on activities that either increase their security knowledge or participate in the program (attend meetings, etc.). Based on points earned, they obtain a Karate belt level (White through Black) that they can display proudly to others.
• Area Maturity Level (Core Drives 2, 4, 5, 6): Champions earn stars based on the ongoing security practices of their team (scanning, remediation of findings, security development habits, etc.). Certain point totals earn them a Security Maturity level (Bronze through Diamond). This level is also applied to their VP’s area, and micro/group leaderboards are used to compare VP areas.
• Level Sliding Window (Core Drive 8): Belt and Maturity levels are based on activity in the past year and must be maintained by consistent activity. Ex: a user who gains no extra knowledge for a year would be demoted.
• Relative Leaderboard (Core Drives 2, 5, 6): Total stars and points are tallied (ignoring the sliding window) and Champions are consistently shown their position relative to others of their player type (3 above and 3 below).
• Knowledge Categories (Core Drives 3, 5, 6): Champions can choose to gain knowledge in any of 8 security domain categories. An attribute web chart can be used to show their knowledge profile. Experts in certain categories can emerge.
• Badges (Core Drives 2, 4, 5): Badges can be earned in two cases: 1. the first time Champions complete a desired action that requires significant effort, and 2. when their knowledge level reaches a certain number of points in a category (showcasing their “expert” status). Badges can be shown to others via a trophy room.
• Crowning (Core Drives 2, 5): All Belt and Maturity level-ups will be shared during Champion meetings, including a moment of silent recognition.
• Streak Booster (Core Drives 2, 7, 8): Champions start with a streak of 100% attendance in meetings, which earns them a double-point booster. The streak ends if they miss a meeting, but starts again each fiscal year.
10. Brainstorm of New Features (Cont’d)
(Core Drives numbered as in the previous table.)
• Attendance Raffle (Core Drives 6, 7): Attendees of a Champions meeting are entered into a random prize drawing held at the next meeting, but they must be present at that meeting to claim the prize.
• Mentorship (Core Drives 2, 3, 5, 6): Champions who have reached Blue belt level can volunteer to mentor up to 3 newer participants (up to Green level). Mentors earn half the points of any activity the mentee performs. Mentors can gift a double-points booster once a month to one of their mentees, which can be combined with other boosters.
• Training Narrative (Core Drive 1): In every training session, stress the importance of being a Champion and make them feel unique by emphasizing the importance of their mission to help secure their organization and that they are out to thwart malicious attackers.
• Annual Bests (Core Drives 2, 5, 7): Reward the Champions at the end of each year for various high-level achievements: most points/stars gained that year, highest total points/stars, biggest leaderboard jump, top knowledge experts. Consider mystery box prizes and let this be an Easter Egg the first time.
• Milestone Unlocks (Core Drives 2, 4, 7): Access to the chat forum is restricted until the Champion’s first points level-up to Yellow Belt. Invitation to join the Advisory Group (limited seats) is only available to Brown Belts.
• SDLC Collection Set (Core Drives 2, 3, 4): Clearly communicate the available software development lifecycle (SDLC) practices the Champion’s teams should be performing, the star rewards and badges for each, and provide an extra reward once they complete them all the first time.
• Invite Magnetic Cap (Core Drive 6): Champions are only rewarded with points for two guests they invite to a Champions meeting.
11. Thank you!
To Yu-kai and the OP team: I have learned so much about how to motivate people through Octalysis and can’t thank you enough for selflessly sharing your knowledge!
At this point the concepts I’ve learned so far have been applied to most aspects of my life, both at work and at home.
The journey is just beginning.
Dustin Lehr
Accomplished software engineer and information security leader focused on
motivating organizations toward better security habits.
Let’s connect! https://www.linkedin.com/in/dustinlehr/