
Scaling Security Culture: Lessons from Our DEF CON Security Champion Program Design Workshop

  • Writer: Stanley Harris
  • Sep 8

Last month at DEF CON, Katilyst's CEO and co-founder, Stanley Harris, had the privilege of facilitating a 2-hour training workshop on Security Champion Program Design along with Tanya Janca. Bringing together practitioners, leaders, and curious first-timers from across the security and engineering community, our goal was simple: give attendees a clear, actionable path to build (or rebuild) a Security Champion program that truly works.


What unfolded over those two hours confirmed something we’ve believed for a long time: organizations are hungry for culture-driven approaches to security, but they need structured guidance to translate intention into impact.


Stanley & Tanya reviewing training resources with the workshop attendees

Why Security Champions? Why Now?

Today's evolving threat landscape has stretched security teams thinner than ever. Developers and product teams, meanwhile, are under constant pressure to deliver quickly. A well-structured Security Champion program bridges that gap, empowering motivated individuals within engineering or product teams to advocate for security best practices, act as liaisons to the security function, and multiply the impact of scarce AppSec resources.


But as many attendees shared, past attempts at these programs often falter. Common pitfalls include lack of clear goals, little executive support, or failing to make the program meaningful to participants. Our workshop was designed to tackle those challenges head-on.



Inside the Workshop

Our condensed training took attendees on a journey through the core building blocks of a successful program:

  • Vision & Goals: Participants drafted vision statements and practiced setting Year 1 goals that were both realistic and inspiring.

  • Stakeholders & Culture: We explored how to identify allies across the organization, from engineering managers to HR/L&D partners, and how to assess the cultural readiness for Champions.

  • Recruitment & Training: Each participant began sketching a recruitment plan and a Year 1 training roadmap tailored to their company.

  • Metrics & Launch Prep: We closed by reviewing key metrics to measure impact and provided an outline for a 3-month launch roadmap.


The interactive workbook we provided acted as a companion throughout, ensuring participants didn’t just hear ideas but left with a personal artifact they could take back to their organizations.


Preview of the Workshop Workbook - building goals
Sneak peek into the Security Champion Program Design Workbook

What We Learned From the DEF CON Crowd

One of the most energizing parts of the workshop was seeing just how diverse the audience was. We had security engineers from startups, leaders from global enterprises, and even developers stepping into security for the first time. Despite their different backgrounds, several themes emerged:


  • Skepticism is real. Many had seen “culture change” efforts fail before. They needed practical steps, not just lofty ideals.

  • Executive sponsorship matters. Attendees agreed that without leadership alignment, programs risk being seen as “side projects.”

  • Motivation goes beyond swag. While everyone loves a good hoodie, Champions want recognition, skill development, and connection.

  • Programs need to scale. Smaller organizations may start with 5–10 Champions, but the same principles need to work for 100+ in larger enterprises.


These insights not only validated the structure of our workshop; they also gave us new ideas for how to support future cohorts.



What’s Next for Katilyst

Delivering this workshop at DEF CON was more than a one-off event for us. It was the launchpad for something bigger: a multi-session, virtual Security Champion Program Design workshop series we’ll be bringing to clients in 2026.


This longer-format series (four 3-hour sessions) will allow us to go deeper into communication strategies, gamification, and implementation planning. Most importantly, it will give participants the time and space to fully design a program tailored to their organization, with the workbook evolving into a true playbook they can implement the very next day.


At Katilyst, our mission is to help organizations design programs that don’t just start strong, but endure. That means blending human-centered design with practical frameworks, and yes, bringing a little creativity and fun along the way.



Closing Thoughts

Standing in front of a room at DEF CON, guiding practitioners through the messy but rewarding process of building Security Champion programs, was a reminder of why this work matters. Security is not just about tools or policies; it’s about people. Champions give organizations the ability to scale security culture, embed security thinking into everyday work, and create lasting resilience.

We left DEF CON inspired, and we hope our attendees did too. We can’t wait to build on this momentum and continue helping teams turn the idea of Security Champions into programs that stick.
