Scaling Security Champions: From Zero to Hero With Bonnie Viteri

TLDR

Thanks Bonnie for the lovely conversation. Here are a few points that stood out:

  • Some of the signals to look for when identifying Security Champions are interest in security, knowledge of the tech stack, and an understanding of how the two integrate.
  • Enablement and empowerment are two key factors in the success of a security champions program. They help security champions not only learn but also influence security programs.
  • When designing a Security Champions Program, plan yearly, make it goal-driven, and define success metrics. Perform a deep retrospective at the end of the year to understand the impact and areas for improvement.

Transcript

Host: Hi everyone, this is Purushottam and thanks for tuning into ScaleToZero podcast. Today's episode is with Bonnie Viteri. Bonnie designs security programs that make sense, turning complexity into clarity. Her strength lies in bridging the gap between technical teams, leadership and addressing human risk with strategic and actionable programs. Bonnie, thank you so much for taking the time and joining me for today's podcast.

Bonnie: Yeah, thank you, Puru. Thanks for having me. I'm excited to be here and dive into this.

Host: Absolutely love it. Before we kick off, do you want to add anything to your journey? Like, do you want to maybe highlight how you got into it, or what you like or don't like in your day to day?

Bonnie: Yeah, absolutely. This is a great question because I'm actually considered a non-traditional engineer, which basically just means that I don't have any classical cybersecurity training. You know, my background's in behavioral psychology and criminology. So I had transferable skills and a work ethic and a passion for security that just always made me question what could go wrong. So that's carried me pretty far. I'm fortunate that I had great mentors and worked with really great, intelligent people that I've been able to learn from and absorb their life force, say. But I truly get to say that I wake up every morning and do what I love and, you know, who wouldn't want to do that.

Host: Love that. I mean, often what I have seen is that the majority of the folks who are in a specific domain have done academics or something like that in the same domain. But sometimes you have folks who have not done academics in the same domain, but excel really well because they bring in a different perspective. So that helps a lot. And I'm hoping I can get some of that learning from you today during our conversation.

So today's topic is focused on the security championship program, how to build one in an effective way. So let's dive in.

In one of the recent talks, you highlighted that security champions are not just about checking boxes, that hey, we just have security champions program, but they are more about building the influence and bridging the gap between security and development team, even leadership to act as ambassadors.

Now the question is, how do you define the role of a security champion?

Bonnie: Yeah, you know, every program is different and every champion is different. But for me, well, in the industry, security champions are members of the development team who really act as that extension of the security team. They keep their eyes and ears open for potential issues that might require security expertise. And so, you know, while being well-versed in security frameworks or best practices, champions really focus on integration, that execution instead of just compliance.

So they can understand the requirements for like a NIST or an IS2, but changing that into actionable, practical, scalable security strategies that are gonna improve your security posture and position security as a competitive advantage. This is where they act as those islands to the teams and they support properly to make basically the difference in that ever exclusive shift left conversation.

Host: So that's a very good way to sort of identify the role of a security champions program. When you are trying to identify someone, let's say you're working with a development team and you're trying to identify who should be my champion, what signals do you look for?

Bonnie: So obviously somebody who is passionate about security, it's interesting. Sometimes you don't have to look for them. They'll come out of the woodwork and say, hey, I saw this on TV or I heard this or I watched this movie about cyber and I'm interested in it. Like, can you tell me more?

But the ideal security champion is really going to be someone that's embedded in the development team, understands their tech stacks, has that knowledge enough to be able to understand the concepts of security and how it interacts with their tech stacks and their goals, processes, culture, of course, but, you know, really just the passion, you know, if they have a passion to do it, then, you know, I can teach you the rest, essentially.

So that's kind of who I'm looking for.

Host: OK, which makes sense because at the end of the day, you have to not only learn about the security, what are the security risks and how do you address some of it. At the same time, you need to have good understanding of technical skills as well, like what the team is working on or what the team is building.

Can you give an example where you have seen someone maybe unexpected who grew into a powerful champion?

Bonnie: So let me rephrase that. So you're asking for someone who grew into a really powerful champion along their journey. Yeah, I wouldn't really say that that's unexpected. I'd say that what I've noticed with some of the champions that I've worked with and the 116 engineers I had the privilege of working with at Yahoo, it was really like they were unaware of their secret powers. And so they might've been like doubtful in themselves or doubtful in like how to approach certain situations.

And so basically, you know, if they had, I'll give the example of one that had a hard time rolling information up to leadership. So, you know, I started to notice that they knew their shit when it came to technical and security and infrastructure, but they just didn't have that confidence. So, like, walk into a room and say, I know this answer and here's the solution that I propose.

And so sometimes it's just about, you know, really seeing where they might just need a little nudge or a little help and then being positive and staying on their side is a powerful thing. So it's just, you know, showing them that they can do it, this particular person, that you do have the knowledge you can do it. Maybe helping them with a pre-meeting, walking them through, hey, talk to me like I'm that person.

But everybody has an internal view of themselves and they need to get out of their head. Just reminding them of the things that they're really good at opens their eyes. And now I see that person who's an influential force. They can walk into a room, they articulate their ideas clearly, and they back it up with facts. And they contribute at a high level. So sometimes you just got to be a cheerleader and give them a push.

Host: Makes sense. So speaking of Yahoo, I think at Yahoo, the security team is called Paranoids, right? Or something like that. I don't know how that name came into place. But I see that often in blogs and all. And even some folks who I'm connected with, also say, yeah, Paranoids. I don't know why, I'm pretty sure there is a story behind it.

Bonnie: Yeah. So actually, when I first started doing my talk and I knew I had to understand, like, how did we get to where we are? I had to roll it all back and I did a timeline on it. And back in 1996, we actually started to build a security team. And the people then said, hey, we're just going to be known as the Paranoids. It's one of the very few branded security teams. We would go to conferences with our t-shirts and, you know, the little keyhole logo, which is fantastic. So basically, yeah, it started in 1996 at Yahoo, and it just carried through and it became kind of a thing. And so now it's, you know, stay paranoid, or once a paranoid, always a paranoid.

So once you've worked with that group of high-level folks, like you understand how security teams should function.

Host: Yeah, makes sense. Yeah, I mean, 1996 is very early when it comes to security, enforcing security or following security. At that time, security was not the primary focus in a way. So makes sense. One follow up question to your previous answer is,

let's say you picked a security champion. How do you see them evolve in the organization? And what role do they play in influencing security decisions?

Bonnie: So it's always different for basically, again, every organization. But man, I love this question. So I've seen it happen quite often when I was at Yahoo. So I realized that really by setting them up for success and providing initial conversation documents that eventually they could use on their own. Yeah, so what do I mean by that? It's showing them how to be an influencer.

You don't want them to be worker bees because that's when your program fails. If you're just trying to say, hey, I just need you to do security tasks to take this off my team's plate, they're going to just be like, whoa, whoa. But if you're really understanding kind of why am I in this program? Why do they want to be there? What do they want to learn? You know, how can you help set them up for success? You know, here's some key talking points for your stand up. Here's the responses for leadership when you're working on the program, why it's relevant, what we're doing, how it aligns to the business and your product team needs. Here are the metrics that have impacted the company and you actually achieved that. I didn't achieve that, you guys achieved that.

So, it's gonna save an all hands on deck issue at some point. You praise, you roll out, you roll up. It's really about the dev's growth and influencing and teaching them how to integrate the work into their daily habits. And then they initially provide those resources to their teams, and then you praise their efforts and they start walking the walk, you know. I've said quite a few times, the more you give, the more you get back. And I've seen that tenfold.

Host: Mm-hmm. Yeah, I love that. And I have seen that as well, like the more you give, the more you get back. And it fits perfectly to security as well, right? Now the question is, we spoke about security champions, like how do you find them, what are some of the skills and things like that. If we look overall at a security champions program, what are some of the principles that make a security champion program successful? You want to find security champions, you want to nurture them so that they can influence some of the security issues. What are some of the core principles that you have seen that make the security champions program successful?

Bonnie: It's always so different, right? And I talk to people about security champions programs all the time. We have the community of interest. We're working on the OWASP maturity model. So, principles that really make the program successful is, well, think about the evolution of a program, right? I mean, you can Google it. There's like tons of information out there to read on the evolution.

But it's the foundational planning. Why are we setting up the program in the first place? What's the need? Who's the executive sponsor? Who are we talking to about this? What's it gonna look like at the end of the day? Who are our ideal champions, right?

The second thing that you really wanna ensure is that you're following that evolution, right? So kinda once you get that foundational planning, you're gonna jump into, all right, well, what's next? Here's the design. Then, okay, well, here's how we're gonna maximize that design, and here's how we're gonna go out, and we're gonna scale for purpose. And I am telling you, that is a game changer.

So when you go to leadership and you say, hey, I want one of your team members for 20% of their time to come focus on security with me, they go 20%, that's a lot. And I'm like, well, you know, ebbs and flows, you might have 10% this quarter, 5% next quarter. But being able to align that to the business, the product team goals, the security team goals, taking a step back, looking at that holistically and then saying, okay, well, here's my security champion program goals for the year. Here's how we're gonna get there. And then here's how I'm gonna talk to the champions about influencing their team to understand these goals and like integrate it, right?

So integrated into their workflows, integrated into their dearest friends and creating buy-in. So if you listen to leaders problems and truly listen to their problems and what they have issues with, and then you help fix it or come with solutions, they're gonna start to listen a little bit deeper.

Host: Absolutely. I think one of the things that you highlighted, and I really liked, is the exec sponsor, right? Like getting that buy-in early plays a huge role in the success of the program as well.

Now the question is, let's say we have 20 people, we started the Security Champion Program. Now as we grow, like as the organization grows, how do you see security champion program grow as well? Like what are some of the maybe challenges that organizations face as the organizations grow and how do they overcome that?

Bonnie: Yeah, I laugh because… every company has to be able to put forth resources if you really want to see it be successful. Even at Yahoo, only 50% of my time was allocated to the Security Champions program to lead it, and the other 50% was to do other jobs. But every year, I would start planning for the following year towards the end of Q2 and the beginning of Q4, and that's having those crucial conversations with leadership on, OK, what are our goals in 2025, what does that strategy look like? What's the product team doing to align to that strategy? Okay, well, I'm not gonna take their time. I'm gonna go and I'm gonna search out their team all hands and I'm gonna listen to that recorded video so that I can align the program to it.

Talking to security subject matter experts, talking to champions about their pain points from the previous year. And then actually making good on my promises like.

Make it that you got to build that credibility at the end of the day. But yeah, I would say if you're talking about evolving the program, you have to evolve it year over year. You have to take a step back and say, what are we doing this year? What are those success metrics? How am I going to talk about them? And executive leadership does play a big role for that buy-in.

And depending on who that is, you know, ours fell under product security. It was my director. You know, obviously I didn't build the original champions program. I kind of took it over. But it's having them also have those high-level conversations with their peers, but arming them with the information to be able to have those conversations. The lead's role is not for the faint of heart. I will say that.

Host: Yeah, yeah. No, I can understand. Like often security is seen as a roadblock, right? And when you are advocating for a security champion program and you are working across teams, there would be pushback, right? So I can totally see why that would be a challenging position to be in. So every organization, every team also has a North Star in a way, right?

So, do you have a specific checklist that you follow that can act as a North Star for organizations when you are thinking about incorporating or scaling Security Champions program?

Bonnie: So the North Star for when scaling a champions program, okay, I'm just thinking through this one because that's a really great question. Obviously when you're scaling, like I had said before, it's scale for purpose. For us or for me, that jump to the cloudy sky, getting all of our data from on-prem to the cloud was the reason. And so when I started thinking about how are we migrating to the cloud? Every product now needs a security review.

Okay, they came to me and said, can we use the champions to like help do these reviews? Well, let's set them up for success. What does that look like? So we're gonna build the process. We're gonna say, all right, you're gonna be influencers. You're not gonna be doing the reviews. Let's train you on the process. Here's the targeted training. Here's the information that you relay. Here's all the resources.

And really the cherry on top was when they started owning it. Which was a lot of fun and watching them grow and say, I get this now, like I get why it's important. And I wanna say almost every team that actually did their security v for the migration, their champion was consulted and they knew where to go and how to get the information. And so when you showed that return on investment where it was less time for the product teams to migrate, our products were more secure because they were doing them correctly. The recommendations were getting integrated into their Jira's friends.

So they made sure that they were there. Like that's just when you take a step back and you go, they don't need me anymore. Essentially, essentially they're good to go. You know, and I don't know if that's regular for all programs. You know, I've only really had the privilege of building one, but I've consulted on many, many, and I've seen their blockers. And I think, you know,

The miss is when you try to make them just workers and not influencers, and you actually don't set them up for success. So those are the two big key components.

Host: I see how, like, I love the example that you gave, right? How, for example, when you were migrating to cloud, how you approached it and how you picked the champions and what type of roles they, what type of role they were playing in it. They were not doing the actual work, rather they were influencing and things like that.

So you have worked at, you have done the security champions program at a house game for.

Do you see any difference if a startup, let's say, let's say startup thinks about incorporating a security campaign program? Are there any differences in building a champion program at a smaller scale and a larger scale like Yahoo?

Bonnie: Yeah, like I said, I really haven't had the privilege of doing one at a startup quite yet. But there are two major differences that I can immediately identify. And the larger companies, like, take, I'll just use Yahoo, 'cause that's, you know, what I know the best. That was legacy, you know; many people came before me to start building that program. We had satellite champions, then we went to, you know, security, then security champions, and we went to deputy paranoid.

And so, I had to go in and do deep research on like, why did those programs not fail, not succeed? How can I change that perception of leadership? How can I address it in a different manner? It's just thinking differently and talk, talk, talk, talk, talk to as many people as you can and get their perception, right? Because you want to change perception on, hey, these do work. It is effective.

At a startup, it's a little different because you're probably starting Greenfield. You're probably starting with word of mouth and the original purpose of your program is to just spread the good word with security. It's everyone's job. It's not just the security teams. Like we gotta keep our stuff safe. And then you start to move into that foundational planning, who's the best candidate? How many do we need based on the size? So it all goes back to that evolution of a program and that's the recommendation I would give to a startup.

What I've seen with the startups that I've consulted for has been that they don't allocate enough resources for their lead. The lead might have 10% of their time. Well, you get back what you put in, and if you're only giving 10%, you're only gonna get probably five. So, yeah, so, you know, find that passionate lead that wants to do it.

And I will say for anybody considering taking on the lead, well, here it is. I could never decide if I wanted to be an IC or a manager. I could never decide on my path. And so when you lead a program like Security Champions, you get to merge those two and you get to do both. So you get to be an IC and kind of hide in the bushes and do your work and get your hands dirty. And you also get to manage and lead and be inspirational and show people what they love. So if that's what you're looking for, then you'll make a good lead.

Host: I love how you sort of merge the IC and Manager role in this case, right? Because often as engineers, we want to stay in our lane: I'm an engineer, I just want to do hands-on work, or I'm a manager, then I'm not doing any hands-on work. But this gives you sort of the best of both worlds, where you can be a hands-on engineer, and at the same time, you can lead a program and show your influence to your team and the organization as well. Love that!

So we spoke about executive sponsors and leadership buy-in, right? Something that really resonated with me from one of your talks is how you tie the security programs, like champions program to business outcomes, because ultimately organizations are trying to achieve some business outcomes so that they can make money and grow.

Now, often in that process, security is seen as a blocker or overhead. And we spoke about perception, how we can change the perception. How do you ensure that initiatives like the security champions program align with business and product goals? Because ultimately, if you can show that alignment, then you will get executive buy-in or funding or the resources and things like that. How do you ensure that happens?

Bonnie: Witchcraft, essentially. That's the secret. Yeah, and that goes back to that yearly planning, right? So what's the business strategy? What's the product strategy? What's the security strategy? How do we bridge all those gaps to have a really good program strategy? And so every year over year, you have to do that research. And you have to have

Host: Yeah, that is the secret.

Bonnie: Communication and interest. And when I say that, like, sincerely have communication, like over communicate, and then interest in what they're doing, you know, if you don't know, ask. I found that actually one of my very first mentors told me one of the things that she loved about me was that I would just go to a CEO and like spark up a conversation, ask them what his pain points were, how could you know? And so,

Host: That's an amazing skill.

Bonnie: And, well, mostly I would do it unknowingly, because I… But yeah. And it's gotten me a long way, I think, just trying. And I know that's not everybody's strength, that personable bridge gap. You know, it actually was something that I put a lot of effort into learning. But really, truly, genuinely trying to make security easy for them to understand, easy for them to use, easy for them to integrate. So speaking their language, how do they like to be communicated with, what are their pain points, and then ensuring that you follow up on those pain points. If you say you're gonna do it, you do it.

And sometimes the feedback's hard to hear. I would do an end of year survey to the security champions and the security champions leaders every year. And I would take those metrics and I would aggregate them.

And I would read the testimonials and feedback and I'd be like, some of them would be like, man, okay, I didn't know, but now I know, so let's fix that. And the best part about that survey was I would get like 98% response rate. And it was honestly because I showed genuine interest and they knew that if they told me that I was gonna go out and I was gonna try to find that answer. Even if I couldn't fix the problem, I would let them know where it stood.

So that's kind of how I would say aligning to business goals is: do your research, TLDR, do your research, have those conversations even if they're difficult, request the feedback, and then always have your success metrics every year to prove that you are bettering the program every year.

Host: I love how you structured them. So speaking of metrics, do you follow specific metrics to show not only alignment but also progress?

Bonnie: Yeah, you know, and metrics come in that when you're talking about that developmental evolution of a program, you know, that cyclical program stage, which, you know, is anywhere from one, three to five years.

But when you're talking about metrics, you know, that first year with, okay, I've talked to everybody. I know the pain points. Here's the top three things we're going to do in the program this year. And that's, you know, elevate, maybe it's onboard all of our repos to GitHub and or a fast tool or whatever we're doing here.

And then maybe it's how do we prove influence, which is what my first talk is on, if you listen to the talk from Lisbon, it's about expanding that influence. And then how do you actually metricize that? So you want to be able to talk in qualitative and quantitative. And so what does that look like? And so every year it would be for me, one of the big metrics that I had is, okay, we scaled. Nobody thought we would, challenge accepted, but we did. We scaled for purpose. So that was one of my first metrics. That is, can we scale company-wide?

The second metric after that. So we've got our champions now. So what are we going to do with them? What's our success metrics? What does leadership want us to do? Okay, we're going to build an on demand training. We're going to drop it into the source of truth, which, you know, whatever your training platform is. How many of my champions went and took that training?

And then after they took the training, how many of them went and were able to take that, the communication, and implement it into their, like whether it was Slack, standup, one-on-ones, whatever it was. And so those were my other two metrics: did they take the training? Are they communicating the training? That shows influence. If people were doing it, like, so basically onboarding the repos.

What I found out was 80% of the repos that were onboarded were actually done by team members, not a champion. And that's how I know that they were influencing.

Host: Nice, okay. So the champions are not doing the actual work, but rather they are influencing so that others can do the work. And that sort of shows the progress or success of the Security Champions Program. Love that. Yeah.

Bonnie: Enabling and empowering. So and you have to be creative with your metrics, but be able to back those metrics up. So if you say this is how I'm showing influence and impact, define what that influence and impact is and then show the metric that's associated with it.

Host: Makes sense. So one more question on the Security Champions program is, on the metrics and things like that, if you have leaders who understand the value of security, it's much easier, right? Because they know the value of security, Security Champions program, and things like that. We got this question from our friend Dustin Laird, who is asking, who wants to know this from you.

How can we make our security champion programs more data-driven and demonstrate clear ROI for the non-believers? Because if you have your execs who understand and believe, then it's much easier. But what if they don't believe in this whole security champions program? How do you do it in that case?

Bonnie: Dustin, let me give a shout out to Catalyst here. We're actually working on a gamification case study together. So Dustin and I are good buddies. But yeah, non-believers, great word for it. I like to say to have metrics is to make metrics. And this goes back to that foundational and you're replanting again: design, grow, engage, implement, execute, and then ensure the future optimization.

So that's the metrics part. The strategy planning again, if you don't know, go find out. Again, you know, what's the business plan for security? You don't know, Slack channel, CISO, CTO, find it out and then align that program with it. So once you make those metrics, and like I said, every company is different, program's different, culture's different, you have to be able to report them out. So building what I… call an executive steering committee. So that's gonna be people from leadership that we have security, so engineering leadership.

It's gonna be developers and engineers that might not be champions, but they have a really good idea of what's needed for your tech stacks and securing them. Security SMEs, and then your executive sponsor. And then always, I would invite the CISO as optional.

Sean's attic was really active at Yahoo, but every year he did come to the end of year readout. So being able to put those metrics into beautiful graphs, a great deck, and speak to them intelligently and be prepared for hard questions about the baseline of those metrics.

So, you know, here was the baseline. Here's how we grew. Here's where we're at. Here's how we're going to get better next year. And so it's just, you know, five, six slides. Previous year, current year, next year. And then just sit back and wait for them to ask you how you performed the witchcraft.

Host: Yeah, makes sense. So one of the things that you have mentioned multiple times today is the yearly planning or the end-of-the-year review and things like that, which makes me think that the Security Champions program is not a one-time activity. You have to continuously do it every year. I was thinking we'll just do it, set it once and then forget it and we are good.

In that case, how do you keep this program fresh and scalable and relevant as your organization grows? Any tips or tricks that you have for that?

Bonnie: Yeah, when we're thinking about like, I always think of it, any program and any evolution of a program, like I've said a million times, the evolution of a program, it's cyclical. And so every year it's gonna change. Like you can't say, all right, I'm gonna train them on the OWASP top 10. And then five years later, you're still training them on OWASP top 10 from five years previous because that's not the case any longer. So you have to refresh your content.

I always like to also, well, what are the threats that are actively attacking my company? So make it applicable to your company. Make it applicable to what you're seeing. Is it phishing? Is it smishing? Is it perimeter? And then align some goals to that. There's a lot of ways to kind of keep it active and keep it engaged.

So, you know, community, what are the conversations we're going to have? Who are the speakers? What do the champions want to hear about? You know, how can I make sure that I'm touching on all these different points? Yeah, so when I did my foundational planning, it was one, three and five years, I noticed that it had to be refreshed yearly for content. And then engagement is, you know, those touch points, those check ins, the one on ones, the 15 minutes that you make.

If you have 100, I had 116 engineers, I knew every single one of them personally. I knew what their goals, their wants, what their dreams were, why they were in the program, and then making plans to nurture that. Again, give more than you give back. So every cyclical program is gonna be different, but you might have to refresh one year. You might have to refresh three. If you're going past a three year refresh, then you're behind the game.

Host: That is so true because security is ever evolving, right? And you have to stay ahead of it in a way. One of the questions that is slightly related to this, and we got this question from Anshuman Bhartiya, is let's say you have laid out the security program, champions program.

At the beginning of the year, you have picked the security champions. How do you, like what's the secret in keeping security champions engaged and happy so that they continue to not only learn, but also influence in the right way?

Bonnie: Whoo, that's a loaded question. Engaged and happy, that's such, what's the word I'm looking for? Specific to the person, right? And so, but seriously, it is just giving back more than you asked for. It is, this is what I've really noticed in today's culture is that starting a relationship is easy. Actually continuing and nurturing relationships is very difficult. Family, work, priorities, you know, all that 15-minute one-on-one check-in with my champion, you know, I can push that, I can push that. But you can't because that's where your relationships are built. That's where it's formed. That's where you understand how to keep them engaged and what they want from the program.

So, okay, you wanna speak at a conference, let's work on that. You wanna get a promotion and that's why you did this program. Okay, well, let's focus on the next steps to get there. Have you talked to your leader? You know, where are you in the promotion cycle? Like, you know, do you want to be an IC? Do you want to be a manager? Let's chat through what that looks like. You want to switch to security? All right, well, which pillar of security? You didn't know that there are quite a few pillars of security? Well, here's some resources for you to do some research. Let me know and we'll dig deeper together.

So the more questions you ask and the more time you take and the more genuine and sincere you are, the more they're going to start. And sometimes, I'll never forget this one girl, she was a tough nut to crack and man, she was very constructive criticism. And I actually valued that because sometimes people get nervous to like actually tell you what they're thinking. And it took me a long time, I'd say almost eight months to like finally crack her down to just being like, why are you in the program?

And the first time I asked, she said, my boss made me. Six months later, well, why are you still in the program? Well, I really learned a lot. OK. Nine months later, why are you in the... I'm drinking the Kool-Aid at this point. It's really like just continuing and being, you know, precise. And I love that. I love always finding people that challenge me. And that's, that's what drives me too. So.

Host: Makes sense. If, like, from your example, you converted, not, maybe converted is a strong word, but you made someone believe in the program. Maybe early on it was because someone else just assigned that work to them, they had to do it. But by the ninth month, they could see the value. They were believers at that time that this program has value and this program will deliver value in the longer term as well. So that's amazing.

So one last question on this is, like earlier you touched on it, right? Like as a security champion, you would have to do both types of work. Like you are an individual contributor, you are doing your own work, but at the same time you're doing, you're learning about security, you're influencing your team and things like that. Which often brings burnout, right, to the individuals. How do you prevent that from happening?

Bonnie: Yeah, man, burnout is real, right? Especially in this fast-paced environment and, you know, in tech, it happens very, very frequently. So, you know, the most you can do as a lead is be supportive. You know, I would always if, you know, I would, I would do quarterly Jira tickets with like a six year old task or, you know, some communication for them to take back. And I would always say in the ticket, if you don't have time to do this, move it to done, you know, let me know why, or if they would move it to done, I'd be like, just to check in like, hey, you doing okay? But just be supportive. If you're swamped this month, hey, I get it. Take the time you need, focus, ping me when you wanna catch up, I'm here for ya. If I can help alleviate any sort of pressure, can I get you connected to someone? Have you talked to your manager? Do you wanna do a quick run through on what that conversation might sound like? Empathy, caring, be kind, offer support.

Champions that you know are normally active and go quiet, you might want to just reach out to, and sometimes just listening and offering a friendly ear is really just what someone might need. So you never know what someone's going through. So just kindness and empathy.

Host: Makes sense. Absolutely. That's a great tool to have.

You touched on recognition earlier, like for the security champions. And you slightly touched on gamification, community building, and things like that. Can you give some examples? Like, how do you recognize the work of a security champion? Or what type of gamification have you seen work? If you can give some examples for our audience.

Bonnie: Yeah, I love this question too. So the entire program, your basis should be recognition and appreciation. I mean, these people are giving you extra time that they may not actually have to do something that's technically a volunteer role.

And so they're learning a new skill, they're showing up, they're changing the way their teams think, you know, they're getting outside their comfort zone. Every single accomplishment should be celebrated.

So roll it up to leadership, shout out on your intranet, help them write a resume blurb about the program that they're in, give them a LinkedIn badge, let them know that, okay, let's involve you in a case study, let's involve you in some more security work. If they ask for it, help them.

Gamification, I'm gonna get back to you on that one. That goes back to Catalyst and Dustin Lehr. We're working on that to see, we're doing a little case study on that. If you don't know about Catalyst, definitely check them out.

But community building, that should happen organically. So if you're talking to people in the industry, if you're bringing in topics and speakers that the champions want to hear, which was always a question on my end of the year form, what would you like to hear about next year?

And just constant chatter in your champions' Slack channel, if you have one. And stay involved. You want them to be involved. You know, the investment that you put in, they're going to give back and you're going to get a return on investment for it. So it's really always appreciate, you know, all the time.

One of my favorites was if you would see something they were working on, you know, in another channel or maybe in like a locked channel that, hey, we just had 98% X, Y, and Z. And then throwing that out to the whole champions program of like, hey, look at what they're working on. This is awesome. Even if it's not security related. It shows you're watching!

Host: Yeah, so when you are recognizing, like do that in public so that others can also see the value and the champions also feel appreciated for the efforts that they are putting in. And the key word that you use is volunteers, right? It's not their primary job, but they are trying to volunteer and help push the security program further.

So yeah, makes sense. Doing the recognition in public would definitely make them feel valued for contributing to the security program. The last question I have is around security, not in the Champions Program, but security as a whole,

Like at the end of the day, it comes down to security culture in the organization, right? And what type of culture do you have in the organization that defines success of some of these programs as well? And that also means that you need to have collaboration of security team with all other teams, like whether it's engineering or leadership or finance or any other team.

What are some of the approaches that you have seen which help break that gap between security and development so that there is better collaboration when it comes to security topics? What have you seen?

Bonnie: Yeah, collaboration, that's so many different types of collaboration, right? So it's a loaded question a little bit. I like it though. So what I'm thinking about like breaking down silos and making sure you're collaborating effectively, right? So it's, you know, some teams prefer to work in a silo, some teams have to, like some security efforts you just can't talk about, right? Sensitive nature.

And then, you know, your company culture, you've really got to understand, but… What I've personally seen effective is like, okay, why are we collaborating? How is this gonna make your team's life easier? What are the key points? What's the overarching vision? Who needs to be in the room? Who are the stakeholders? Okay, well, if you're not the stakeholder, who do you think would be really great to collaborate on this?

And so I remember when I was trying to figure out the best way to prioritize cloud migration security alerts and like, prioritizing the recommendations that we were giving them to implement. I talked to so many people like the champions, the leaders, the cloud SMEs, what are the pain points? Let's do a quick brainstorming. Having that curious mind will get you a long way, but then also structuring it. So, you know, never putting a collaboration on a calendar without an agenda. That's the quickest way to get overlooked. So, specific.

And that's true for any job function. You have to earn respect, deliver on promises, follow up and be appreciative, make time to pay it forward, own your mistakes, fail, pivot faster. So if one thing's not working, let's pivot. How are we going to do that? And I'll tell you that building credibility and to some extent, political capital, they're two things that are so difficult to obtain but so easy to lose.

So stay consistent. That's my biggest. Put that out there. Be consistent.

Host: Yeah, I mean, it's funny that you mentioned it, right? Like the example that you gave of an agenda, like when you're setting up some time with someone, having a clear agenda. We see that so often. It's such a small, small thing to do, but it has a huge impact. And it goes back to like the trust that you build with the person or the team and things like that.

Some of these small, small things play a major role in that. One, I think I said last question, but I have one more question around it. What challenges do you see when you are trying to foster collaboration between security and engineering? And what have you seen?

Bonnie: Yeah, challenges, it's always a little bit different. So I actually get this question a lot with like, you know, champions losing interest or challenges that you have with leadership or how do you keep it fresh, you know? But it really boils down to communication.

You know, the challenges that I've noticed or, you know, the programs that I've seen not be able to move things forward is, you know, not being collaborative, not having that open communication, not asking teams what they want, but just assuming what they want.

Don't be afraid to be the squeaky wheel sometimes. Everything might take precedence, but you really are trying to make things better. So framing it in a, this is what you get from it. I'm trying to help you.

And so that really helps overcome the challenges when you also frame it in their language. So leadership, dollars and cents, show me the business value. Product teams, you know, mean time, why, you know, start talking that dev language. And they all speak a different, different language.

It's taken me 10 years to learn to speak developer. I learned to speak engineer is what I've called it. But yeah, you know, there's no, I never looked at it as a challenge, look at it as an opportunity and something that you can overcome. And then figure it out. I always think we're all smart people at the end of the day. It's how much effort are you willing to put in? So I love that question, by the way.

Host: Yeah. So I love your answer because I think I was recently listening to a podcast where a CTO of Facebook said that communication is the job. Like, ultimately, you are going to collaborate with multiple teams. You will never be working in silos throughout your life, right? It's you will be collaborating with others.

So communication is your job in that case, because how do you use the language that they understand? How do you use the right metrics or how do you, yeah, like how do you communicate with the other team? That plays a major role than your actual, I mean, your actual work also has an equal weightage, but communication also plays equal, has equal weightage. Like that's what he was like, communication is your job in a way. So yeah, that's why I love your answer in this case.

So that brings us to the end of the security questions.

Before I let you go though, I have one last question, which is around any recommendation, reading recommendation that you have for our audience. It could be like a blog or a book or a podcast or anything that you think our audience can get value out of.

Bonnie: Yeah, love this too. So let's go back to that communication. There is a book by Stephen Covey and I love Stephen Covey. I actually start all of my conference talks with a quote by him, but Crucial Conversations. So it's basically mastering difficult discussions, where stakes are high, opinions differ, emotions run strong. How can you improve your relationships, the health of the, you know, program, your career, it really emphasizes that importance of like, creating a safe space for dialogue and understanding different perspectives and then working together to achieve common goals. So like, it's a powerful and poignant book and it provides a framework for navigating those difficult conversations in a way that forms understanding and builds relationships and just leads to better problem solving. So yeah, I can't say enough about it.

Host: Mm-hmm. Yeah, I love that recommendation. Thank you so much for doing that. When we publish the episode, we'll add it to the show notes so that our audience can also go in and read and learn to have the difficult conversations, hopefully in an easier way.

So yeah, thank you. Thank you so much, Bonnie, for coming to the podcast and sharing your knowledge around the Security Champions Program, how to collaborate, how do you find security champions and how do you foster the research and things like that.

Thank you so much for your time.

Bonnie: Yeah, thanks for having me and it's been a great conversation. I appreciate it.

Host: Absolutely. Thank you. And to our audience, thank you so much for watching. See you in the next episode. Thank you.