Security Champion Blog

Every October, Security Awareness Month presents a golden opportunity for Security Champion program owners to energize their communities. Running creative, motivating events not only boosts awareness but also reinforces your champions’ role as advocates for secure practices across the organization. We’ve come up with a set of event ideas, complete with how to run them and tips for tying them into your program’s gamified structure.

Last month at DEF CON, Katilyst's CEO and co-founder, Stanley Harris, had the privilege of facilitating a 2-hour training workshop on Security Champion Program Design along with Tanya Janca. Bringing together practitioners, leaders, and curious first-timers from across the security and engineering community, our goal was simple: give attendees a clear, actionable path to build (or rebuild) a Security Champion program that truly works.

At Katilyst, we’ve found that the biggest barrier to strong threat modeling isn’t technical knowledge—it’s engagement. Even with the best frameworks (STRIDE, PASTA, etc.), teams tune out if threat modeling becomes a rote checklist. That’s why we set out to transform it into an epic quest. Inspired by tabletop RPGs like Dungeons & Dragons, our approach gives security champions the tools to lead fun, collaborative, and genuinely productive threat modeling sessions.

Points aren’t about gamification. They’re about giving visibility to the invisible, and tracking the impact of security champions in a way that celebrates their contributions - without adding overhead. A good points system should reflect your culture and drive the behaviors you actually want to see.

Through a combination of conversations and firsthand experience, we have developed a sixth sense about the mistakes that are most commonly made over the lifetime of a champion program which lead to failures.

Security Champions play a crucial role in fostering a culture of security within organizations. While "stuff"—like swag and gift cards—is a common way to reward them, there's an opportunity to think bigger and leverage other powerful motivators.

The key to building security culture is motivating and inspiring your colleagues to take proactive action - focusing on the carrot, not the stick. This can be a lot of work, so we created Katilyst to lift the burden.