Modern Cyber with Jeremy Snyder - Episode
27

Dustin Lehr of Katilyst

In this episode, Jeremy talks with Dustin Lehr, co-founder and Chief Product and Technology Officer at Katilyst, about the role of security champion programs in fostering culture change within organizations.

Watch Now
Dustin Lehr of Katilyst

Podcast Transcript

Jeremy At Firetail (00:02.99)
All right, welcome back to another episode of the Modern Cyber Podcast. I'm Jeremy hosting today's episode and I've got somebody who brings deep knowledge on a topic that is bubbling up a lot these days and that is security champions. I am delighted to be joined today by Dustin Lair. Before shifting into cybersecurity leadership, Dustin spent 13 years as a software engineer, an application architect in a variety of industries, including retail, US Department of Defense, and even video games.

This background has helped him forge close partnerships with development teams, engineering leaders, and security professionals to design programs that maximize engagement. And we're definitely gonna get into that topic a lot. Dustin's currently the co -founder and chief product and technology officer at Katilyst, and that's K -A -T -I -L -Y -S -T, which assists companies with culture change through security champion programs. Dustin also co -founded the global virtual open discussion meetup, Let's Talk Software Security.

which is a free online meetup group. We're gonna have that posted in the show notes. And he authored the free security champion program success guide. We'll also have that linked from the show notes. Dustin has a computer science degree from Colorado State and a whole slew of certifications from different industries, too many to get into on today's episode for sure. Dustin, thank you so much for making the time to join us today.

Dustin Lehr (01:21.725)
Absolutely, really happy to be here, really excited to chat about this topic, my favorite topic. So thank you for having me.

Jeremy At Firetail (01:26.957)
Well, I figure it must be your favorite if you took the time to write a book about it, right? Because I hear the book writing process can be a lot of work, a lot of effort, a lot of focus and engagement. So let's dive in. I hear the security champions concept a lot. I hear it bubbling around mostly larger organizations talking about implementing security champions across the organization. But let's just start at the high level. What does security champions mean? What is a security champions program?


Dustin Lehr (02:37.855)
Yeah, absolutely. So I tend to think about security champions as really a method for culture change, ultimately. And I think that we're in the business of culture change when we come to companies as security folks, because obviously if a company was already doing everything perfectly, they wouldn't really need us to be there. So security champions in my mind is sort of the beginning of a movement toward change.

And you see this in really any sort of change effort where you would find allies across the company and essentially work very closely with them to win them over as advocates. Maybe they're already predisposed to this concept of whatever you're trying to change in the organization. So they're interested in it. They want to get involved.

And then it's an opportunity to work more closely with them, train them, educate them and so forth on security in this case, so that they can become effective advocates and representatives of the change that you're trying to implement. So the way this typically comes out is in like an AppSec program, for instance, right? So you're trying to encourage developers to maybe think about security a little bit more in their day -to -day work.

And you're finding these advocates, these allies across the org that also want the same thing initially, which they're there. Okay, this is important. There are people who are thinking this way. They already think about quality. They already think about security and sort of those extra things on top of software engineering. Besides just writing code, it's a matter of finding them. It's a matter of working closely with them.

Jeremy At Firetail (04:17.992)
Mm -hmm.

Dustin Lehr (04:19.201)
and then essentially building them up as representatives for this movement, the security movement on their teams. And the way the model typically works is that these folks are, like I mentioned, representatives of security. They sort of play more of a role when it comes to advocating for security and so forth on their teams. So that's kind of the basic concept. Obviously, because it's about culture change, the whole idea is that it grows. You know, you start with security, a few security champions.

Jeremy At Firetail (04:46.696)
Yep.

Dustin Lehr (04:49.377)
You win more, they tell their friends, and then eventually what you'd like to see at the end of the day is that the entire culture, the engineering culture, is just following better security practices.

Jeremy At Firetail (05:02.088)
So there's a bunch of questions that come to my mind from that response, and I want to dive into a couple of them. One is that just right off the bat, when you introduce this, you didn't say this is a security program. This is a culture change program, in your words, right? Help us understand why that is the case as opposed because security is the desired outcome that we're going for. Why is this not a security program?

Dustin Lehr (05:28.354)
Yeah, I mean, I would argue it is an aspect of a security program, right? I think, like I was mentioning before, I think that we are in the business of culture change, ultimately, to do security effectively, because we need help from other people. It's not like we can have a security team that's effective just running around doing everything by ourselves, right? You know, everyone does their job and we just run around and secure their job. That's not really the right approach in my experience.

In my experience, it's much better to train, educate, reinforce, and incentivize the people across the organization to take their own personal responsibility for security, which means no matter what their job is, thinking a little bit more about security as they do that job. And that means change, right? You're actually trying to influence and change the habits of your organization.

And that's where this whole concept comes into play because how do you actually effectively roll out a change like this? I would say it's starting by finding those allies, finding people who do believe in this change.

Jeremy At Firetail (06:42.053)
But that brings a question around friction that comes to my mind. And I'm curious what your take is on this because if I think about a program where, let's say, I've got an application team and I'm now going to embed a security champion into that team, first of all, do you recruit from within that team or do you bring somebody who is, let's say, an application security specialist and you kind of deploy them to that team? How does that work? And then secondly,

If I'm thinking about an existing team, they're probably already a cohesive unit to some extent. They've been working together for a while, they know each other's habits, strengths, weaknesses, et cetera. What's the general receptivity to somebody new coming in who may not be focused on the application as much as they're focused on the security of the application, if that makes sense?

Dustin Lehr (07:36.197)
Yeah, it 100 % makes sense. So the way that I like to talk about this is really using this theory of diffusion of innovation. Have you ever seen this? This is like a normal curve that basically describes the population of a company. And on the extremes you have, yeah, bell curve, exactly. On the extremes you have, on one extreme you have the laggards. Okay, these are the portion of the population that are like.

Jeremy At Firetail (07:50.756)
Okay, it's like a bell curve.

Dustin Lehr (08:02.021)
whatever, like we don't care about whatever you're doing. We're happy with what we're doing. Leave us alone. The other side is people who are very receptive to the change that you're trying to implement, right? They're like, I've been trying, I've been trying to tell my manager about this. I've been, I've been trying to start this stuff, you know, myself, but you know, so, so they're just happy that someone is taking the reins and, and, you know, working with them on something that they already want essentially.

Jeremy At Firetail (08:05.252)
Right, right.

Jeremy At Firetail (08:13.379)
your classic early adopters.

Jeremy At Firetail (08:20.354)
Yeah.

Dustin Lehr (08:29.894)
And then in the middle, you have, you know, the majority, right? The early majority, the late majority. And those are people that they don't really feel strongly either way. So the way, so to kind of answer your questions, you know, I do think that you will find some friction with the laggards, like you're going to find for whatever reason, people who are resistant to the change that you're trying to implement, but the opposite is also true too. Like I was mentioning, you will find people that are receptive. And I think in general,

Jeremy At Firetail (08:40.162)
Yep, yep.

Dustin Lehr (08:58.918)
you should focus on the people that are receptive at first. And I've actually got some personal experience leading security champion programs, leading this change, where the whole concept is once this concept spreads, you know, better security habits across the development teams, as an example, you will eventually reach the laggards. And I've actually had cases where there was a laggard that

felt very strongly about not getting involved in this. We don't have time, you know, develop my team is busy, this isn't for us, that sort of stuff. Securities, yeah, exactly, that sort of stuff. And then years later, the same person becomes a champion themselves. Okay, and that just shows the effectiveness of when you actually do spread a movement like this across your company, you can even reach those laggards.

Jeremy At Firetail (09:36.128)
Security's not my job.

Jeremy At Firetail (09:55.775)
And so to that point though, do you start with kind of the early adopter mindset within an existing team or do you send somebody into the team to join them?

Dustin Lehr (10:06.534)
Yeah, that's a great question. So I do think that an effective security program will have enough resources allocated that they're able to build personal relationships with the members of the development team. You have to have enough security professionals to be able to go into the various teams and start those conversations, right? Start to win those advocates, start to find those advocates that are across the organization. But no matter the size of your security team,

you can find those people. And I think there's a sort of heavy effort that you have to take in terms of going out there, reaching out to people. Like you can't have this passive security group, you know, that just has some tools and you send a global message that says, we've got scan tools and we're going to be implementing this. It's a lot more effective to get out there and talk to people and build relationships and so forth.

And then you'll start to find those people that emerge that really latch on to the movement that you're trying to make. And those are your initial security champions. The ones that don't, the ones that are like, whatever, leave me alone. Again, don't worry about them at first. You can come around and hopefully influence them later.

Jeremy At Firetail (11:21.406)
Yeah, yeah. And, you know, one of the other questions that kind of comes to my mind as you think about this is like, is a security champions program a program that whose success will actually put the program out of existence? Because you kind of evangelize the security across the organization, you get all the teams kind of like, educated up or up to a certain level. And then at some point, you're like, you know what, we don't need a security champions program anymore, because we're good.

you know, all these app teams, they're embracing it or whether it's app teams, infrastructure teams, whatever. How do you think about that?

Dustin Lehr (11:50.983)
Mm -hmm.

Dustin Lehr (11:57.256)
Yeah, this is a great question that I've had to answer multiple times. So I think in my view, there's always opportunities to improve. I don't think you're ever done. But I do hear you in terms of reaching the laggards and if you're able to successfully induce this change across the entire company, do you still need a security champion program? And what I would say to that is, you know, what were the incentives and the elements

that you were able to implement for your security champions. As the program grew, I would say in my view, it's good to just continue doing those things. Like a lot of the things that you've implemented very early for the champions to get them involved and engaged and motivated, things like gamified systems or just motivational systems in general, why not continue with those just at a larger scale, right? For the entire company, let's say.

Jeremy At Firetail (12:31.421)
Mm -hmm.

Dustin Lehr (12:57.289)
So as an example, a lot of folks will implement like a belt system or some sort of leveling system for their security champions, which is highly effective. And I'd love to go into more detail there, but you know, that's typically just for the champions to start like, Hey, you're a security champion. You can level up by learning things, by doing things, by taking action, reporting security issues, whatever those actions are that, that caused them to level up. And then as the program spreads,

the idea is that more people are involved in that belt level system where ideally, and I will admit that I've not seen this happen up to this point, but I think this is sort of the dream is that eventually your entire company becomes part of that program more or less. Now you're going to have different, you know, levels. You're going to have some people that are like, I just don't have time. I'm a little bit lower level. That's okay. You're going to have those people who are higher level because they're more involved and they're more interested in

Jeremy At Firetail (13:47.741)
Yep, yep.

Dustin Lehr (13:56.649)
attaining that level as well as contributing to security. So why not? So in my mind, that's the security champion program now just being part of the entire culture instead of for, you know, a limited group of people.

Jeremy At Firetail (14:11.289)
Gotcha, gotcha. So this belt system that you talked about, I assume this is kind of based on martial arts, kind of white belt, yellow belt progression, working your way up towards black belt. Is that kind of how you think about it?

Dustin Lehr (14:23.308)
Yeah, that's the idea. I think there's a lot of very creative things that you can apply here, like leveling systems, like other points and badges and that sort of stuff. Those are the gamification elements. I think you can and should get creative. I think there are cultural things that you can do to kind of lean into certain things about your culture that you can be creative with. But the reason that I think...

Jeremy At Firetail (14:35.769)
Yeah.

Jeremy At Firetail (14:48.281)
Yeah.

Dustin Lehr (14:50.765)
belt systems have emerged as something that people do often is because I think they're in, people just understand them intuitively. You don't have to explain, like I've seen, I've also seen Star Wars themes and that kind of stuff, you know, where you like work your way up through a Jedi, you know, like leveling system all the way up to like Jedi master and council member or whatever.

Jeremy At Firetail (15:10.777)
Yeah.

Dustin Lehr (15:15.437)
But not everyone gets that right away because you don't have people that are necessarily fans of Star Wars. But a belt system, pretty much everyone knows that black belt is good, right? Black belt is the highest. So I find myself, exactly. And I find myself going back to that just because it's very, it's instantly, you know, people understand what that means.

Jeremy At Firetail (15:16.345)
Okay. Yeah. Yeah.

Jeremy At Firetail (15:26.649)
Right. Even if you never did martial arts.

Jeremy At Firetail (15:38.905)
Yeah, well, let's talk more about this gamification concept, because I know you've spent a lot of time learning about it, training about it, and I imagine some element of that is in your book as well as what can some of the positive benefits of gamification be. But just from your own personal experience, give us some examples of where gamification has really produced positive results in either security awareness training or in a security champions program and how we should think about incorporating gamification as we roll some of these culture change elements out.

Dustin Lehr (16:08.751)
Yeah, 100%. So I have yet to write a physical book, by the way. I would love to write that at some point. But my virtual book, the Security Champion Success Guide is ebook. Yeah, it's out there. There's a lot of material that people can use to help build a security champion program, which includes a lot of these gamification elements as well. I kind of go into that in the guide. Yeah, when it comes to gamification, I always start by just...

Jeremy At Firetail (16:13.529)
okay.

Jeremy At Firetail (16:17.113)
ebook

Dustin Lehr (16:35.342)
mentioning that I think the word gamification does it a little bit of an injustice and it's a bit of a misunderstood thing, right? So it's not necessarily turning things into a game, which I think causes some hesitation, right? Some people go gamification, but we're, this is a professional environment. Like we don't play games here, you know, is kind of the first regurgitative like reaction to that word.

Jeremy At Firetail (16:59.769)
Yeah, yeah.

Dustin Lehr (17:04.015)
But a better definition in my mind, which is actually more popular in the gamification community in general, is that it's really about taking techniques and elements from games that work for games to motivate people and applying them in non -game situations. Okay, so it's not about making it a game. It's just about taking the things that work in the games industry and applying them to non -games.

And why do we do that? And I think this is really important that, you know, games have something figured out and that is we don't have to play games, right? There's nothing, we don't get any money from them, right? However, and I don't know about you and your personal experience, but we play them anyway. There's something about games that keeps us coming back, whether they're fun or there's elements of urgency, you know, hey, I have to take care of my...

Jeremy At Firetail (17:57.689)
Mm -hmm.

Dustin Lehr (18:02.672)
crops or something, you know, if it's Farmville or whatever game you're playing. So they've tapped into something when it comes to how humans tick, you know, how humans are motivated and so forth that I think we can all learn from, right? And that's the idea behind gamification. How do we take those elements that cause urgency, that cause us to be interested, that make us feel like, hey, this is fun or I'm progressing or whatever that is.

Jeremy At Firetail (18:05.177)
Yep, yep.

Dustin Lehr (18:32.432)
and applying those to things like security champion programs or any sort of cultural movement.

Jeremy At Firetail (18:38.425)
And aside from the reaction that you mentioned, which is, you know, we're a serious company, we don't play games here. What other kind of negative pushback do you get? Because I can see, and I have seen instances where people are like, what do I care about some little digital badge or, you know, some little icon that shows up next to my name? You know, what are some of the other pushback elements that you get from people around this?

Dustin Lehr (19:05.712)
Yeah, so I think the one that you just mentioned is a big one where it's like, hey, who cares about this level? Who cares about this badge or icon or whatever that I've just earned? I don't care about that. Well, I think one of the keys here is to actually tie those accomplishments to something that people do care about. And this comes into when it comes to a cultural change, making the earning of that badge

something that's actually special that other people recognize. Okay, so as an example, right, maybe you earn black belt level. Okay, cool, I earn black belt level. But if there's no other kind of reward that comes with that, which might include things like recognition, you know, lunch with the CISO or lunch with another C level or, you know, a mention at an all hands or something where

Jeremy At Firetail (19:49.113)
Yeah.

Jeremy At Firetail (19:56.153)
Yeah.

Dustin Lehr (20:02.096)
Now this earning of a black belt or badge or whatever it is has real implications to one's career, right? That's the kind of stuff that I think people care about. And once you build that culture where, and I've seen this now, where there's, you know, someone gets a promotion and one of the reasons that they got a promotion is listed right there in the company announcement, you know, involvement in the security program as a black belt security champion.

Okay, now you're talking about real rewards that people care about that are based on this system of points and, you know, kind of the leveling system that you've set up, but it's translated now into real world benefits for the champions.

Jeremy At Firetail (20:31.705)
Yeah.

Yeah, yeah. Yeah.

Jeremy At Firetail (20:42.201)
Yeah.

Jeremy At Firetail (20:46.873)
Yeah, I mean, that's a super tangible example, but even the things that you mentioned at the beginning of that were things that I think a lot of people value. You know, just the recognition in front of the team or in front of your peers or the opportunity to actually build closer relationships with people higher up in the organization that can have those types of, you know, career benefits later on when opportunities arise, you know, when there's a special project around, let's say a security sprint or something like that, who's going to be first in line? It's not going to be the

you know, person who never engaged with the security champions program, it's going to be the person who went through these things. And by the way, project bonuses are a real thing in most organizations, right? Especially larger ones. So I get that. And I think that's a great point about, you know, you can, you can use the gamification elements and then tie them to real incentives. And a lot of those incentives like recognition or a lunch or whatever, these are, we're not talking about huge investments. Sometimes we're not even talking about any financial investment.

but we're talking about things that really do have, that really can be appreciated. So I think that's a great point, well said.

Dustin Lehr (21:51.921)
100%. Yeah, there's a concept just to expand on this a little bit in the gamification world. There's actually an acronym and it's SAPS, which is actually really easy to remember. It stands for status, access, power and stuff. And these are the different types of rewards. And what's really interesting and there's been a lot of studies actually that have come out about this, you know, status, access, power, stuff, the stuff piece.

Those tend to be more expensive things to implement, right? They're bonuses and gift cards and little trinkets and items and that sort of stuff. But the other three, status, access and power, are typically cheaper. Think about status as something like you were mentioning. This is just recognition. This is just pointing someone out as, hey, this person is doing a really excellent job. That doesn't take a whole lot of money, none in fact.

Jeremy At Firetail (22:35.897)
Yeah.

Dustin Lehr (22:49.651)
I mean, I guess you could build in cost for time spent talking about it and that sort of stuff, but we don't need to go there. And they actually mean more to people. Like think about when somebody gets a promotion as an example, right? Do they care about the increase in salary compared to the recognition that they've earned, the status bump that they've earned, the increase in responsibilities, new challenges, you know, new sort of level that they've attained.

Jeremy At Firetail (22:53.273)
Eh.

Dustin Lehr (23:18.642)
I would argue that's more important when people get promoted than the actual stuff, the bonus and that sort of stuff. So you can use SAPs to kind of be creative and come up with different rewards that people care about.

Jeremy At Firetail (23:31.513)
Yeah. One of the things that I'm kind of curious about, how do you think about measurement? Because, you know, in the security world, there's, it's one of those things where we like to say as security professionals, you know, probably the adage of an ounce of prevention is worth a pound of cure or something like that is very applicable, right? Anything that you can do proactively to prevent problems later is actually worth 10 times the amount of effort that you put into it.

But that doesn't get measured very effectively in most of my observations. It's hard to recognize the team when everything's good, there's no breaches, nothing's happening. How do you think about measurement and tracking metrics or KPIs or things around them when you're looking at implementing security programs or security champion programs?

Dustin Lehr (24:23.476)
This is such a great question. There's probably a lot of things that we can unpack here. I've noticed the same thing. There seems to be never enough time to do it right, but always enough time to fix something when it breaks. So I'd love to see more of a preventative mindset.

Jeremy At Firetail (24:27.975)
Okay.

Jeremy At Firetail (24:37.447)
Yep. Yep.

Dustin Lehr (24:42.1)
in general, right? How do we implement proactive measures? And to a large degree, when I, you know, at the beginning, when we were talking about culture change, I do think implementing proactive measures is a big part of this. I don't think you need to convince people to run around when there's a fire. Everyone's going to, everyone's already doing that. If there's a breach or whatever, it's more about how do you reinforce people taking proactive measures. And I think that, you know, for the most part,

It's hard for people to see that and that's where putting these other incentives in place really makes a lot of sense because you're trying to reward people for being proactive and to a large degree, that's the end goal. Now to go into measurement of all this stuff, it's hard to measure. I think I would point to...

some of the articles that have been shared about this, you know, the cost, right, of fixing, of preventing a security issue in the design phase versus in production and so forth, as good indicators and reasons why we want to be proactive at the end of the day. Now, in terms of how do you measure that, it's very difficult, okay. So as an example, I always use this example and we can kind of get into.

different types of metrics, but how do you justify training as an example, right? How can you show directly that a developer was about to code something of a vulnerability, but they remembered that training that they just took last week, so they didn't. They were going to, but because of that training, they didn't. Now that happens, that happens, but how do you measure that at the end of the day?

Jeremy At Firetail (26:27.363)
Yeah. Yeah. Yeah. so hard.

Dustin Lehr (26:33.015)
you really can't, at least not directly, right? And this is where causation correlation comes into play. You can't measure direct causation, but you can start to measure correlation. So what that means is indirectly, you can show that maybe some people who have taken training produce less vulnerabilities overall than some people who haven't. Or people who are champions have

different results than people who aren't champions. Or teams that have champions on their team produce less vulnerabilities, fix vulnerabilities faster, are more involved in secure design and that sort of stuff, which you can measure than teams without, you know, someone who's a security champion. So that can help demonstrate, hey, are these things actually effective? And you can measure those. You can measure number of vulnerabilities, you can measure how quickly they fix them.

Jeremy At Firetail (27:04.321)
Mm -hmm.

Dustin Lehr (27:30.201)
You can measure vulnerability escape rate, which I love that term. Like in what phase of the process are vulnerabilities being produced? And then even things like, hey, if you've got a security team that are doing secure design reviews, which is a good practice, what are they finding? What types of things are they finding? And do those things vary across teams that have champions versus not and so forth?

Now if you're really serious about this, you can set up actually statistically significant ways to measure this as well. It's a lot of work and this is where I think the metrics conversation gets difficult is how much time do you want to spend setting up like an A -B test or some sort of a random sample of individuals where you can actually measure this stuff to show a difference. It's a lot of work, but I do think it's worth it.

One more note on this, I would love to see more published results about this to the extent that companies can because the results are out there. I think it's just more of a fact of it's hard to measure and people aren't necessarily taking the time to measure it or they're not taking the time to publish their results for other people to latch onto and see.

Jeremy At Firetail (28:27.777)
Gotcha.

Jeremy At Firetail (28:32.993)
Yeah.

Jeremy At Firetail (28:44.609)
Yeah.

Jeremy At Firetail (28:50.195)
I certainly have seen that last point personally in much of the work that I've done over the last decade in cloud security, primarily. Companies are just not too thrilled about sharing information around like, we used to have 10 ,546 misconfigurations across our AWS environment. Now we're down to 2 ,789. No company kind of wants to be out there.

admitting to the world that they're not great at security, no matter what we all know as security professionals, most companies aren't that great at security, unfortunately. But, you know, I do think you could express it as percentage change. I do think you could think about, you know, looking at just the Delta or the improvement and whatnot. But I also think a lot of companies are just not interested in, you know, kind of publishing their internal metrics around this kind of stuff. I am very curious around

regulatory requirements and things like reporting requirements coming into play, I do think we're on a path towards companies having a cybersecurity score that is going to get reported at some point pretty soon as part of, you know, publicly traded companies, at least as part of like an annual or a quarterly review. I can actually very clearly see that coming.

Dustin Lehr (30:10.713)
I don't think that would be a bad thing at all. I think that...

putting a little bit more pressure and I think there's this whole conversation that we could probably have around auditors and more of a part that they can play in terms of objectively measuring the maturity of a security organization in a company as compared to others and so forth. I'd love to see more of a, I guess, industry focus on this.

because I think it would it would put the proper amount of pressure and and frankly You know, I think regulation is important because it's going to just like with you know FDA and and and the heavy role that these other You know regulated industries have to abide You know to these regular regulatory bodies Having something very similar to that like third -party objective

Jeremy At Firetail (30:41.246)
Mm -hmm.

Dustin Lehr (31:10.299)
analysis of where people are in their maturity helps the industry in general. It puts pressure on people, you know, to make sure they get that stuff right. It also helps consumers at the end of the day, make sure that they know what they're getting, you know, are companies truly protecting their data as an example. I think there's a pretty major, I guess, you know, to not focus on that very much.

does the ultimate consumer or customer a disservice to a large degree? And I think we're seeing more and more of that come out.

Jeremy At Firetail (31:42.364)
Mm -hmm. Yeah.

Jeremy At Firetail (31:47.194)
Yeah, I mean, to that point, I think just the mix of direct costs in terms of the credit monitoring that these companies have to provide and pay for in the event of a breach, and then the reputational damage that some of them take. You know, not too long ago, there was a wannabe Twitter slash X slash whatever, you know, competitor that was starting to gain momentum. And then they were exposed as having just

insanely bad security around some of their application components. And it killed their momentum. You know, they were effectively dead in the water at a time when there is a massive opportunity to create a replacement for what is in my view, a sinking ship. And you know, our company, we pulled off of that platform completely, not so much around security, more around kind of content and other issues related to that platform. But anyway,

I totally get what you're saying and I think that is definitely, some level of reckoning is coming around this. I've got a couple of other topics that I wanna get into and we've only got a few minutes left today. I know you have written this ebook that we've talked about a couple of times. It's securitychampionsuccessguide .org if I've got that right. Talk to us a little bit about that, and if we're to...

try to take from it, you know, let's say a few key lessons learned or a few key best practices for implementing a security champion or starting a security champions program. What would be like your top three items or something like that if you could boil it down to that simplistic.

Dustin Lehr (33:22.397)
Yeah, absolutely. So yeah, the guide I wrote basically because at this point implemented a few successful security champion programs, learned a lot of lessons along the way. I'm not going to say that everything that I did there was perfect. It actually wasn't. And there were some very hard lessons. There were some slow starts. There were some mistakes.

mistakes were made, right? And then through Catalyst, this company that I'm creating, we also work with a lot of clients to help them with their Security Champion program. So there's a lot of knowledge that we've been able to collect about what works, what doesn't work, and so forth. And that, so that prompted me to create this guide as a free resource.

for folks to build up a security champion program and the way that it's structured is really as a process. Okay, so this is not, this is important. This is not a recipe, you know, or a very clear sort of predefined, just do these things and everything's gonna work perfectly for you. It's a lot more of, you know, take the time to understand who is your target audience? What are you trying to accomplish? What's your vision?

What is the current culture? What is the current context? What are you trying to, what's the change that you're trying to make? What are specific actions you want people to take? And then how can you design, given all that, an effective program that's gonna work at your culture? So you can't just take something from a company and drop it into another company and expect that to work. You do have to go through these motions to make sure you get it right. And that's the way that this guide is set up.

Jeremy At Firetail (35:05.205)
Right. Okay.

Dustin Lehr (35:08.062)
Now in terms of best practices and takeaways that comes from the guide, I already kind of mentioned a few. I think top three, if I was to cherry pick three that are on the top of my mind, I do think you need to have an ultimate vision and goal for what you're trying to accomplish. I do talk to a lot of people who are like, our champion program is going wrong and we're not really sure what to do. And my question to them is, well, what are you trying to do? What are you trying to accomplish? And a lot of times they don't know.

Jeremy At Firetail (35:14.229)
Yep, yep.

Jeremy At Firetail (35:23.637)
Okay. Okay.

Dustin Lehr (35:38.017)
Right? Well, I thought it was what we were supposed to do or something. So I think having that clearly, yeah, it's something, I don't know. Isn't that what we're supposed to do? Right? Or my CISO told me to, or, so really clearly defining that I think is really important because it makes sure that everything you do is aligned to that ultimate vision and ultimate goal. At the end of the day, it very much focuses you. So I think that's.

Jeremy At Firetail (35:42.709)
get more secure or right as like a fuzzy goal. Yeah.

Dustin Lehr (36:06.528)
definitely one of the three. I think second one I would cherry pick is really make it about the champions. Think about them, their experience and so forth. If you're just thinking about yourself as a security team and what you need and all that kind of stuff, I think you're gonna run into problems pretty quickly. And I think this is where the conversation of like volunteer versus voluntold comes in.

Jeremy At Firetail (36:25.203)
Okay.

Dustin Lehr (36:30.24)
If it's truly about the champions, then giving them the option to get involved and the options for how to get involved and then just setting up a good way to reinforce the actions that you want to see is the way to do it as opposed to you have to get, you know, the security team needs to scale. So you have to be a security champion. Here are the things you have to do without any increase in pay or anything like that. Totally the wrong approach. That's not going to turn out okay.

Jeremy At Firetail (36:30.387)
Yeah.

Dustin Lehr (37:00.321)
So, and then if I was to pick a third one, I think I would go toward really thinking about how to motivate people in the long term because I do think a lot of programs start strong and there's a lot of motivations for that. Like people are curious, you know, this is new, they want to get involved. So it starts strong and then what will happen is over time it'll start to wane.

you know, people understand, okay, I know what this is all about. It's not different, whatever that is. So really thinking about the motivations for how to keep people involved is important. So as an example, start with curiosity, sure. But if you're not delivering value at the end of the day, if you don't have like a lot of programs have like a monthly meeting or something like that, where there's training and education and that kind of stuff, if that stuff isn't actually providing long -term value to people.

Jeremy At Firetail (37:39.953)
Yeah.

Dustin Lehr (37:58.112)
then you're just gonna see engagement drop off. So content is king here, right? Really thinking about how to provide value for your champions at the end of the day.

Jeremy At Firetail (38:01.137)
Yeah, yeah.

Jeremy At Firetail (38:09.201)
Gotcha, gotcha. And I know you also host a monthly Meetup. I think it's monthly, right? Or is it every other week?

Dustin Lehr (38:14.784)
Yeah, it's monthly.

Jeremy At Firetail (38:16.977)
Okay, so talk to us about that. How do people find out more? I know we've got the link that we're gonna drop into the show notes here for anybody who wants to join that group. I take it it's an open meetup group.

Dustin Lehr (38:27.394)
Yeah, happy to share. So I actually co -founded this years ago, three years ago. And what we had noticed is there's a lot of webinars, there's a lot of people talking at you. And we wanted to take a different approach where it's just, this is basically an open discussion, right? So we meet for two hours every month on a specific topic. Anyone can chime in. There's a lot of inclusiveness in terms of like making sure people get a chance to speak and that sort of stuff.

So it's been a really awesome exchange of ideas. We've got some vendors there, we've got practitioners there, we've got students, we've got CEOs of companies. We've got people who are even outside of the security industry proper coming in because they're curious about software security. So it's this awesome mix of people and the discussions are deep and amazing. Sometimes a little debate.

crops up, you know, because you might have people that disagree and that sort of stuff. But I think challenging each other is a way for all of us to learn. So that's what the group is. And yeah, it's open to anyone to join. So we'd love to see anyone there who's interested.

Jeremy At Firetail (39:41.006)
Awesome, awesome. Well, there's been a ton of great stuff in today's conversation. I've really learned a lot about Security Champion programs, about some good, some things to kind of keep an eye out for, some thoughts about measurement and progress and so on. We've got those resources. We'll have the links in the show notes. Dustin Laird, thank you so much for taking the time to join us to talk about Security Champions. It's been a real pleasure. I don't know if there's any final thoughts you have that you wanna leave with our audience.

Dustin Lehr (40:10.213)
Sure, I would say the more fun you have designing this kind of culture change or security champion program, the more fun they're gonna have as well. So lean into that, right? Lean into, hey, what is exciting? If you're like, I'm just designing this program to check a box and I don't really care. No one else is gonna get excited if you take that approach, right? But if you're like, hey, I really had this awesome creative idea. We're gonna have an awesome system. Here's how it's gonna work. I'm excited about it.

Jeremy At Firetail (40:30.027)
Yeah.

Dustin Lehr (40:37.924)
that energy will translate into the participants as well. So yeah, lean into the fun side of it. But otherwise, thanks for having me, Jeremy, this was great.

Jeremy At Firetail (40:49.579)
It's been a real pleasure. So lean into the fun, get excited. I think those are great notes to leave today's conversation on. Dustin, thanks again for taking the time to our audience. Thank you so much for joining us. We will talk to you next time on the next episode of Modern Cyber. Bye bye.

Discover all of your APIs today

If you can't see it, you can't secure it. Let FireTail find and inventory all of the APIs across your organization. Start a free trial now.
Start Trial

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!