Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
G Mark Hardy (00:00):
Hey, welcome to CISO Tradecraft.
(00:01):
You heard about tactics, techniques, and procedures, and we usually think about them as technical ones. But hey, how about tactics, techniques, and procedures to create security champions? Sounds like an interesting idea. Stick around. We got a great episode for you coming right up.
(00:24):
Hey, today's show we're talking about programs to create security champions among developers, but here's an awesome tool that will help you leverage AI to detect security vulnerabilities in your software. ZeroPath is a SAST tool that can help you secure JavaScript, Python, Go, Java, C sharp, and PHP. Their wall of fame lists the open source vulnerabilities they found
(00:45):
already, and you can put the same world class tool to work for you. Schedule a personalized demo today at zeropath.com.
Welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and I'm your host for today.
(01:05):
And I have a special guest today, Dustin Lehr. He's going to talk about tactics, techniques, and procedures to protect against bad actors and application security. Hey, welcome to the show.
Dustin Lehr (01:16):
Hey, it is fantastic to be here. And I'm excited to talk about my favorite subject.
G Mark Hardy (01:21):
And I'm looking forward to talking to it too, but before we go, really quickly, time's running out. CruiseCon, it starts on the 8th of February, ends on the 13th of February, and it'll be out of Port Canaveral, Florida. Come on out to sea with a number of other CISOs, get a chance to do some networking, maybe work on your tan if you're from up north. Although down here in Florida, it's still pretty cold. And give you an opportunity to do a professional meeting and a
(01:45):
really clever way of doing it. So if you're going to sign up, you can go to cruisecon.com and we've got a special code for you. CISOTRADECRAFT10 and I'll give you a discount on it. I'll be there, Admiral Mike Rogers will be there, and hopefully you'll be there. So anyway, Dustin, tell me a little bit about yourself and your background.
Dustin Lehr (02:06):
Yeah, happy to. So I was actually a software engineer, so I spent over a decade writing code. I was in industries such as retail. I worked on video games for a little bit, which is a little bit relevant to this conversation. I worked in the DOD, and then I got into cybersecurity as a security architect.
(02:26):
So I have kind of a very technical background.
G Mark Hardy (02:30):
Can't hold down a job, right? Is that what you're trying to say?
Well, you know,
Dustin Lehr (02:34):
but I got pretty quickly into leadership actually. So I joined cybersecurity, and then within the course of months, they actually asked me to lead the AppSec program. This was back at Staples. So got the opportunity to go right into leadership and then, you know, learn kind of on the fly, like from the, you know, frying pan into the fire essentially, about what it takes to be successful when it comes to
(02:56):
rolling out AppSec programs in general. So did that for about three years and then I went to Fivetran essentially as the first AppDev hire there, to do the same, right? Build and scale an AppSec program.
G Mark Hardy (03:09):
As an old Fortran programmer, I love the name.
Dustin Lehr (03:12):
It's based on that. Yes, exactly. It's based on Fortran. A lot of people have questions about that. So that's where the name comes
G Mark Hardy (03:19):
I know what F8.3 means, you can look it up and
Dustin Lehr (03:23):
There you go.
There you go. So yeah, so basically scaled an AppSec program there as well, got up to a deputy CISO position. So sort of,
G Mark Hardy (03:30):
well done.
Dustin Lehr (03:30):
you know, acquired additional responsibilities such as security awareness, cloud security and so forth. And then most recently, I took a little bit of time to focus on a business that I had been creating for about three years that focuses on security champions. So, very much familiar with this champion concept.
(03:51):
I think there's a lot of challenges and so forth, that people run into, so I'm really excited to talk about this particular topic today.
G Mark Hardy (03:59):
And I'd love to get into it. And you had mentioned something early on about a leadership role. And I think it's really important. I try to differentiate on the show. When I talk about jobs, what's the, from your perspective, what's the difference between leadership and management?
Dustin Lehr (04:16):
Oh boy. Well, I think a big thing to note here is you don't have to be a leader by title to be a leader. I think that, I think leaders pursue something they care about and they are able to inspire folks to get on board and follow this idea. Again, this can emerge from an IC role in a company where they
(04:41):
identify an opportunity. They start to, you know, organize an effort around it to address it. Other people start to follow. They inspire that, right? So I think that, I think leadership centers around that concept, you know, to be a true leader, you're forging essentially the way, for others
(05:01):
to also follow and get involved.
G Mark Hardy (05:03):
And I think key to what you're saying is it's not always in the job description,
Dustin Lehr (05:08):
Exactly. Yeah, and you don't need the title to do it, and I think this is a very important thing for folks to get excited about, and that's that they can be a leader no matter where they are. I think some folks feel maybe they don't have the title or the position or whatever it is. I'm not in management, so I can't necessarily lead things. And I don't think that's true.
(05:28):
I think you should feel comfortable to start a movement if you see an opportunity at your company or wherever, you know, this could be out in the, the rest of the world too, if you see something, you know, in your community, as an example, where you can lead a change. You know, you don't have to have an official position to pursue something like that.
G Mark Hardy (05:49):
And I concur with you. I think that when we look at the challenge of leadership, a lot of that has to do, and I say, it's probably not even in the job description, if not even a title, but developing your people, not taking care of them, not protecting them or whatever, but develop them, developing them, bring them to the next level, help them understand that they too can go ahead and can accept responsibility
(06:09):
for being able to move the ball forward with other people and inspire them to go ahead and do that. So I love that. And I think that's great, which really dovetails into your comment earlier, which is said for the listeners who didn't catch it, Dustin's an expert on building security champion programs. I think you've even spoken about that at RSA. Now sometimes security champions, we call it security evangelists and things,
(06:32):
but it's someone from the dev team. It's going to focus on cyber security. So Dustin, what's been your previous experiences? Why would a developer even want to become a security champion?
Dustin Lehr (06:43):
Yeah. And frankly, this whole champion model is based on the concept of leadership too, because I think a big piece of what you're trying to accomplish when you're rolling out a solid security program is you're trying to induce culture change across your company. And you have to inspire folks to do that in the same way we were just
(07:03):
talking about in terms of leadership. I see the security champions that emerge at your company to get involved with the change that you're trying to, to make as those sort of early followers that get involved and, and become leaders themselves. So kind of to your point, you know, as a good leader, how do you empower folks?
(07:25):
You know, to do more when it comes to that stuff. And that's exactly what the champion model is built for. Why would a developer want to get involved? You know, I think there's a few reasons. We were just talking about this concept of getting early adopters or early allies involved across your company and the change you're trying to make. And I think there's, there's an attraction, you know, for, for
(07:47):
certain folks to that type of thing. As an example, like maybe you come into a company, you're like, Hey, there's a few opportunities we have here. Why don't we do more of this better security, best practices, better development, best practices. What happens is there will be certain people who emerge as believers in that. Okay. There will be other people that say we don't have time for that.
(08:10):
Leave me alone. You know, I have other things to do. But you will have people who say, I really believe in that. I've been, I've been trying to tell them to do this or something like that. Right. Those are the beginnings of your champion program. So I think, you know, very specifically to address your question, you know, why would a developer do that? These are the developers who want to see change.
(08:32):
They want to see better, higher quality software, engineering practices. They want to see something different. And you're giving them the opportunity to get involved to make that difference.
G Mark Hardy (08:44):
Got it. Yeah, because you've got everything from people who say, Hey, I absolutely want to do the best I can to make sure my application, the code that I write is totally secure. You got great code. And other people are like, yeah, what the heck happens? Let the world poke at it. If it blows up, maybe we'll, we'll deal with it in version 1.1 or version 2 or whatever. So there's a whole range of attitudes and obviously the people who embrace
(09:05):
security that have some sort of a personal desire to say, Hey, I get this. And in fact, I don't think anybody wants to use let alone pay for an application that is known to be insecure. Why would I do that? It's Hey, we have this great wallet, but it's got a hole in the bottom and your money will fall out of it from time to time. But if you don't care, it's a great deal. So from that perspective, we can understand that.
(09:28):
It really helps out all the other developers at the extreme level. It keeps you, I'll keep a job because your company's not going to go out of business because it's screwed up a whole lot. What are some of the common responsibilities that you'd assign to a security champion that they would do perhaps even in addition to their normal dev tasks?
Dustin Lehr (09:48):
Yeah, and, you know, I think this is important because I think that champions, developers specifically, can contribute uniquely to what you're building on your security program. You know, they've got knowledge, they've got know-how and they understand, you know, the code base. They understand nuances about the environment, the product and so
(10:11):
forth that the security team doesn't necessarily have visibility or privy into. And that's where I think champions can contribute the most. Like how do we essentially combine the knowledge of the security team with the knowledge of the developers, right. To make it better for everyone. So when I think about a champion model, I think this is really important.
(10:32):
It's not about passing the responsibility of security to the dev. It shouldn't be about that. And frankly, any model that sort of has that as its paradigm, I think, is doomed to fail because developers are busy enough, they, you know, they have enough to think about, and they don't necessarily have the expertise that the security
(10:55):
team does to do their job, right? However, there are certain things that I think champions can contribute very well to. So let's take the topic of, like, threat modeling as an example. You know, my favorite part of these threat modeling types of exercises is the fact that you bring together knowledge from various
(11:21):
stakeholders, various concerns, right? And you do that so that everyone can sort of talk about the system that you're threat modeling from their different viewpoints, security being one, but also like involving product people, as an example, to start talking about their perspective when it comes to the product. Just makes everyone better overall, right?
(11:41):
So think about it like this: security team gets involved to help with the threat modeling activity. They're going to bring a perspective that has to do with security best practices and active threats that might exist and so forth, based on everything they focus on. Developers bring more of that perspective of here's why we built it, here's how we
(12:02):
built it, and, you know, maybe insights into where the bodies are buried and, and some of these secret things that no one would really know about, and it's really the combination of that knowledge that I think gives you sort of that maximized view and maximized effort when it comes to an effective threat model.
(12:23):
So, just some thoughts there.
G Mark Hardy (12:24):
Yeah, it makes good sense because from a security perspective, if you think about it, if I'm not a developer, I've been looking to check something. What does it look like? It's a black box, right? There's a bunch of code in here. What is it? You don't know what code is in there because you're not the developer. You don't have the source. So you can look at the gazintas and the gazoutas and you can change the inputs to see what time it outputs and then you can infer whether or not this
(12:46):
thing is doing what it's supposed to do. But any type of testing like that, you miss the opportunity for something like a SAST or you can do a DAST, but the static application testing, you can't look at the code unless you've got access to it. And by having that security champion in your dev team: Hey, these security people aren't here to screw things up. They're not here to slow down your release schedule.
(13:08):
They're not here to mess with you or put you on report. They're here to help us build a better product, and during building a better product, if there's knowledge transfer that's involved, it's not just a matter of printing out a report and throwing it over the cubicle wall and say, yep, here's your findings, go fix them. But it's a sit down and being able to have that information exchanged by having a security champion. You've got somebody who's sitting
(13:30):
on the same side of the table as the rest of the developers who a, I get it. But then if they turn to him and he said, here, let me explain a little bit more because sometimes there's always a little bit of a communications gap when somebody speaking security, somebody speaking applications and things such as that. And they don't always accumulate across because, for example, if you think take a task like threat modeling and you do that, some of the key questions you'll ask from
(13:54):
a threat modeling manifesto perspective: what are we working on? What can go wrong? What are we going to do about it? And did we do a good enough job about it? And if you ask these types of questions, you have better software because you can look at things like the confidentiality, the integrity, the availability, what could go wrong? What can we do about it?
(14:14):
And if you start asking the right questions: where could this application go wrong? How could somebody put something in this input field that actually does something we don't want it to? Buffer overflow, or doing a SQL injection, or all the other stuff like that. Now you start asking those questions, and now you can avoid preventable
(14:35):
failures, because you're starting to bake these things in, not just in terms of standards, which somebody may or may not follow, but the thought process. And I used to be a developer and I would think about things like that. You always sanitize your input and I wouldn't think of doing anything else. They'll be like, open your mouth and close your eyes. They have some input for you. Here's a surprise. No, you're not gonna do that. But if you're new at it, you might not.
(14:57):
So any other experiences you might have seen where you can really justify the cost of this type of a program?
Dustin Lehr (15:03):
I, I mean, certainly, so. I think one of the things to really think about that you touched on, very briefly, but we should probably dive into a little bit more is that people are more likely to listen to their peers talk about security than to the security team talk about security. And I think this is general human behavior, like, think about if there's a new product or something that comes onto the market, you
(15:26):
know, it's advertised and, and, you know, the company loves their own products, so they're talking about the product and so forth. But are you, are you really going to buy based on that? Or are you more likely to buy because your friend told you that they bought the product and they believe in the product and they're excited about the product? Okay, well now I'm going to check it out.
(15:47):
I think it's the exact same concept here, where, you know, the security team has certain, you know, best practices or ideas or so forth that they're trying to share. And it's not, you know, the developers who will necessarily buy into that concept unless they start to hear it from their peers and they start to hear that from the champions.
(16:09):
So when we talk about the benefit of these programs, you know, if you've got an awareness program, if you've got a regular newsletter or announcements, et cetera, that you're trying to share information across your organization through, what's more effective in my view is to find these allies and these champions. And have the message go through them
(16:30):
for the exact reason that I was just saying, because people are going to ignore the bulletins and the emails and whatever, like the security team is supposed to talk about security, you know, that that's expected, like I can just put you in a box and basically ignore you. As opposed to my friend is telling me that this is important.
G Mark Hardy (16:47):
Mm-hmm
Dustin Lehr (16:49):
So I think that's important and I think that's when it comes down to like this culture change concept. And I don't know that enough folks are thinking about what we're doing from a cyber security lens in terms of change. But I would encourage us to really think about that. You know, are we showing up to kind of check the compliance box or are we
(17:09):
showing up to really make a difference in our organizations, which to me means change and all the things that go along with that. So,
G Mark Hardy (17:20):
Now, if you embrace that, it seems like someone says, okay, I'll press the I believe button. I like this. But how do you get started? Is it just a matter of anybody wanted to be a champion, Bueller, or is there a better strategy than that?
Dustin Lehr (17:36):
Yeah, and this goes way into some of the behavioral science concepts that I have spent a lot of time with now, which is interesting, right? Because I was a tech person. I was like, you know, total code nerd. And shifted very much over time to really starting to learn more about what makes
(17:57):
humans tick, what makes humans work, how do you influence people and so forth. So yeah, some, you know, during a standup, all company, all hands, if you're like, does anybody want to be a champion, raise your hand. That doesn't work. Okay, but something more like, Hey, I noticed your behavior is already
(18:20):
showing me that you're aware of cyber security best practices. That's awesome. I'm going to call you out specifically as someone who might be interested in getting involved in a program like this because of what you've already been doing. You know, how could someone say no to that essentially, right?
(18:41):
So, and it goes back to what we were saying before in terms of finding allies. I think as you're going out and building relationships with your organization, certain people are going to emerge as believing in what you're talking about. That's a good time to invite them in specifically, individually, you know, point to point, because again, it means a lot.
(19:03):
The other method that I've used to recruit is having folks' manager recommend them as well. So, you know, more of an official program, I think, takes a lot of leadership support and a lot of leadership communication. So as you're out there talking to leadership and getting them involved
(19:23):
in all of this stuff, starting to ask them questions about, well, who do you think would be good for this program, works as well because what they'll do is, you know, they, they basically endorse somebody, right? They say, this person would be good. You go to that person, you say, your manager thought that you would be good for this. That's huge too.
(19:44):
It's not, Hey, I'm a random person who's just going to ask if you want to get involved. It's, you know, I talked to your management about this. They thought that you would be a really good candidate. Now another couple of thoughts about how to roll a program like this out. I think there's kind of two ways to think about it. There's the grassroots way.
(20:04):
And then there's more of the top down, big bang official program way. I think either of them can work. I think eventually you can build yourself into more of an official sort of top down leadership supported program. But if you have to start with more grassroots because maybe leadership
(20:27):
is skeptical, you know, I've run into this a lot, even, even CISOs were like, I'm not sure this is going to work. You go, okay, you know, that's fine. And then you go start talking to people and you start through leadership, you start a movement. And now you've got 20 people who want to get more involved. And you go back to your CISO and you say, I've got 20 people here who are interested
(20:48):
in getting more involved in cybersecurity. What do we do with them? Is it time to start more of an official program? Etc. So, just some thoughts there as well.
G Mark Hardy (20:59):
Good ideas. Yeah. And I think one of the items that came out of Dale Carnegie, we talked about How to Win Friends and Influence People, is give somebody a fine reputation to live up to. And you, you touched on that and you come up to me and says, Hey Dustin, I hear that you're one of the best developers that we got at this place. And one of the things that's part of that development excellence is making sure
(21:22):
that your code works and it runs right. We agree, right? This is why you're so good is you don't write lousy code. One of the best ways to improve, make your code even more bulletproof, like whatever it is. Align with them. Make sure, is that a trigger word for them, is getting some cyber security and helping your team is awesome because now you're going to be perceived as a leader and people want to know, hey, how do you do what you do?
(21:42):
You can help them this way. And so whatever it happens to be, it's, we're not really in a manipulation. It's, if you view that as a negative side, but influence. And if you ever read Dr. Robert Cialdini's book on influence and the power of persuasion, we all know that there's a lot of ways that people will want to come and do things. Now, if you're building one of these programs, you want to do it right.
(22:04):
And therefore just going around and recruiting people a little bit like you're walking around and say, follow me, drop your nets and follow me. Is to be able to say, Hey, we've actually got some template or something we can aim for. Is there anything out there? Is there some sort of a standard or a template or whatever that people could look to and go wow, this gets me going.
Dustin Lehr (22:26):
Yeah, you know, there, there's actually a lot of resources out there that you can find to help you find your way when it comes to why you should build security champion programs. Folks like even AWS have written articles on, you know, how they've been able to create success with these types of programs.
(22:47):
So there's a lot of resources out there. I created a resource as well. There's a website. Let's see if I may share. It's called, it's called the Security Champion Program Success Guide. And the reason I wrote it is because I really wanted to describe the process
(23:08):
for building a successful program. So this goes way beyond just why, and more into how. Because I think that's the next step, is like, well, how do I get started, what do I do? And it's written a lot more in terms of a process that you can go through, or go through, as opposed to just prescribing a program.
(23:29):
Because the thing is with these champion programs, is every culture is different and, and certain things that will work for one company may not work for another, so you can't just take a program from this company and drop the exact same design into another. You have to step back. You have to think about what are we trying to accomplish?
(23:49):
Who is our audience? This is sort of the structure of the guide. Who's the audience? What's the current setting as well? Like, what is the culture like today? What's incentivizing folks? How do they act when it comes to security and so forth? And then getting crisp on, well, what are the responsibilities of the champions? What do we want to see them do?
(24:09):
And so forth. And then from there, after you've built that foundation of knowledge, how do we design a program that's going to be tailored, right? For all the stuff that you discovered there and then how to measure that, how to measure success and everything is all part of that guide. So I tried to take everything, all the mistakes that I have learned and, you
(24:30):
know, kind of share potholes and, and potential pitfalls and so forth that you might run into to kind of guide your way. So would definitely recommend checking that out.
G Mark Hardy (24:42):
I've got the website up right in front of me here and I'm looking at the different steps you said, make a procedure, got vision, participants, setting, concept, design, delivery, and tuning. And we talked a little bit on the pre show about gamification and stuff, but I want to move your stuff up like now because we can cover, we could backfill some of the stuff on games and things like that.
(25:02):
Cool books like this one here. Let's talk a little bit about the framework here. So if you start with a vision, and in my opinion, that's one of the most important thing a leader has to have, a vision. You're setting a future direction, not only for yourself, but for your team. And so what are, what would be good long term goals for the program? How would somebody embrace this vision stuff once they get going for a security
Dustin Lehr (25:26):
Absolutely. So one of my favorite parts about talking about the vision is it's an opportunity for you to kind of dream a little bit, like really think big and really think long term. So when we think about developer champions, you know, something like, well, as part of their regular habits, when writing code, they're
(25:48):
referencing standards and they are coding securely, essentially because they have the knowledge, they have the, sort of foundational knowledge to allow them to do that. So something like that, like, like create a North star that seems almost, almost unachievable, right? I think you need to be a little bit big in your thinking
(26:11):
and have a B, a BHAG, a big,
G Mark Hardy (26:13):
big, hairy, audacious goal. I remember the first time my business school told me about it, that was the funniest thing. I thought he made it up. And then I, of course, heard it in a lot of other contexts as well. But yeah, so we got the vision. Now the next was the participants. Who were we trying to reach? Do you want everybody? Is it just makes sense? Or is it very, is it more specific than that when we're looking at building
(26:33):
a security and champion program, not just the security champions, but the people whom they're trying to influence. Okay.
Dustin Lehr (26:39):
Yeah, let me go back super quickly to the vision because I think this is an important foundation and that's going from that long term vision to something that's more goal oriented and specifically, SMART goal oriented where there, there are actually specific, measurable, et cetera,
G Mark Hardy (26:56):
achievable, realistic and time-based. Yes,
Dustin Lehr (26:58):
Exactly. I don't know if you cheated and referenced something or if you have that memorized, but that's all righty. You
G Mark Hardy (27:05):
BJ Fogg model and which you might cover also. So all of a sudden I get a little flashback to all my years in front of a classroom.
Dustin Lehr (27:12):
Yeah. So I think that's important to get crisp on as well. You know, what are the specific metrics you're trying to move with your program? And some of the, you know, a lot of this comes from a lot of conversations I have with folks where they don't have this defined. So they're like, well, we have a champion program. It's not going very well. We're not really sure what to do about it.
(27:33):
And I'm like, well, what are you trying to accomplish? What, what are you trying to do? And the answer is, you know, we don't know. And I think, again, that's a big problem. So it's important to set up all that stuff up front and then to talk about participants. Yeah, I think it depends on your goals. Like, this is why it's so important to talk about vision. Is this a developer focused program?
(27:54):
Is it more of an ambassador program that maybe has like a security awareness focus that's not necessarily focused on developers. It's focused on employees as a whole. So the point with this step is it's important to define that, you know, who is the audience that you're trying to reach? And that varies from program to program, from company to company.
G Mark Hardy (28:17):
That makes sense. And I think it was a Chinese philosopher Lao Tse who said, without vision, the people perish. And so again, back to your number one thing, and you'll find a lot of smart people going back thousands of years backing up on that. So you've got vision and participants. The next thing in your framework is setting your current environment.
(28:37):
Tell me a little bit more about the setting. What are we talking about here?
Dustin Lehr (28:40):
Oh, we're, we're going to get into depth here.
G Mark Hardy (28:43):
Oh yeah. This is, this to me is
Dustin Lehr (28:45):
this is great.
G Mark Hardy (28:46):
written. I can cover BJ Fogg some other time, but.
Dustin Lehr (28:51):
So, so setting is about understanding your current environment, or setting, or context is another way to think about it. Right? So you've identified what you want to accomplish. You've identified who you want to reach. Now let's talk about what motivates those folks, what types of behaviors are you seeing them do, where do they put security in terms of their priorities, what's
(29:15):
incentivizing them, what is leadership pushing in terms of the things that they think are important, and so, so on. I think it's really important to capture all of that because everything else you design from there is going to have to take this into account, right? Is this a highly competitive, direct type environment? Is this more of a collaborative, maybe softer, respectful type of culture?
(29:41):
You know, your entire design of your program is going to be based on knowing this stuff. Couple of thoughts here. You could use surveys also, when it comes to learning about how people view security as an example and how close maybe people are to the goals that you want to hit. But be careful of surveys because surveys won't tell you the whole picture either.
(30:03):
It's important to combine surveys or people's response with their actual behavior. I can, I can tell you that I think security is important, it's just that every chance I get I do something else rather than security, because I've got other pressures and so forth, right? So it's important to kind of tease those things out.
(30:25):
And then the other thing that I really like to do is I like to profile folks when it comes to motivation. And there is a framework, gamification framework that I like to refer back to ever since I found out about it. And it's called Octalysis.
(30:46):
And it's essentially, it describes the eight different core drives that humans have. There was a fantastic book, Actionable Gamification, that I read some years ago now. It'd be great to share this with the audience.
G Mark Hardy (31:01):
Yeah, I'll put
something in the show notes for you.
Dustin Lehr (31:03):
Yeah, that's great.
It just changed my entire approach because it helped me really
understand what makes people tick, what, what actually motivates folks.
So as part of this setting phase, I like to create profiles that are based
on the personas that we're trying to reach and what motivates them.
(31:23):
So as an example, a software engineer might be slightly motivated,
might be differently motivated than, than others across your environment.
So how can you generally sort of capture what motivates software engineers and
then tailor your program to, to them?
So for example, over the years of doing this, I have found software engineers to
(31:47):
be highly motivated by social aspects, which we can talk about in a minute,
but also development and accomplishment.
Okay, that is to say they like to see progress being made, and I can attest
to this as a dev as well, right?
They like to see that their efforts are actually going somewhere.
(32:07):
It's doing something for them.
It's doing something for the company and so forth.
And then socially, there's a little bit of a club when it comes to technical folks,
right, that you have to get yourself into.
So what we were talking about before around being recognized as maybe a
developer that stands out somehow.
Like, hey, you're a guru when it comes to this, maybe it's cyber
(32:31):
security in this case, that would make a developer be motivated, right?
Now they stand out amongst their peers and so forth.
So I know I'm talking about this a lot, but I get excited about all this.
So designing a champion program, that's again, tailored for these
motivators specifically for your audience, I think is extremely important.
G Mark Hardy (32:56):
And as a quick aside
on the Actionable Gamification
book we talked about, he said eight different ideas that are in there.
Epic meaning, accomplishment, empowerment,
ownership, social influence, scarcity, unpredictability, and avoidance.
And so those are all a game saying, and we can dive into that.
But before we get into that, I really want to finish up your model.
(33:18):
So we're going to go pop the stack a little bit here where you've got the
vision, participants, and setting.
And the fourth one in your model is a concept about how
we want people to behave.
And tell me a little bit more about the concept idea.
Dustin Lehr (33:29):
Yeah.
So this is where you really get crisp on what actions specifically
do you want to see people
take, which I think is important to define because it's like, okay, cool.
We have champions.
All right.
What do they do?
What do you want them to do?
What are the specific responsibilities and so forth?
So in this step, I like to encourage folks to really think about that.
(33:54):
Just list them.
And again, you can go, you can really think about this,
in terms of ideal situation.
I actually, I like to call them ideal actions because it's a
little bit more of, you know, what would a perfect champion do?
You know, they would show up to all of your events, they would, they
would speak up during your events, they would get involved in capture
(34:18):
the flag things, they would report any security issues that they find.
You know, here are the things that ideally we want to see them do.
And I think, again, that's important to capture.
The other thing in this step that I think is important, and this is why I mentioned
goals before, is to tie these actions to goals, and I've, I've found the exercise
(34:39):
of listing the actions you want them to take and trying to figure out what goal
they're associated with raises a lot of questions, like you'll, you'll list some
actions and then you'll realize, well,
that's not aligned with any of our goals.
Okay.
Well, you've got a couple options.
Now you either remove it and say, that's not important clearly,
(34:59):
'cause we didn't set any goal against it.
Maybe you, you missed a goal.
Maybe there's this entire thought that you had in terms of what the
champions should do that doesn't currently align with a goal.
So you need to go create a goal for that.
And you need to go figure out how you're going to measure success
when it comes to that as well.
G Mark Hardy (35:19):
So that's your concept.
And next was design, though, about creating incentivization
for the participants.
Now, to a certain extent, we a little bit earlier talked about the
gamification and some characteristics.
So if you build a good game, you're going to want to have people do these things.
Does that tie into the design part here?
Dustin Lehr (35:35):
It very much does.
And I think this is a good time to define gamification because
I do think there's a lot of
misunderstanding about exactly what that means, okay?
Gamification is not turning something into a game.
Okay, I'll just say that clearly.
It is, is, it's finding the techniques that work in games and applying
(35:59):
them to real world situations.
And this is important because, here's the thing, people don't have to play games.
Okay, it's completely optional, right?
But we do anyway.
And there's something about games that's motivating us to come back.
And it centers around a lot of these eight different core drives of, of motivation.
(36:24):
And games have it down.
Because, again, I have to go to work.
You know, what motivates you to go to work?
Well, I have to eat.
Like, it's very simple.
I need money.
But I don't have to play that game.
So why do I keep playing that?
Why do I spend time doing that?
So anyway, so what can we learn from the gamification world in terms
of motivating folks so that we can apply it to the real world is a good
(36:46):
way to think about gamification.
The other concept that comes directly from the gamification world is this
rewards, a way to think about rewards that's beyond just material things.
So I've got this on the success guide website.
(37:07):
It's an acronym and it's SAPS, S A P S.
And it stands for Status, Access, Power, and Stuff.
And why I love this is because what it's trying to show is, you
know, there are things beyond stuff that people care about.
(37:27):
So, let's look at status quickly.
This is, you know, being recognized as someone who
excels at a certain thing, etc.
And you earn a certain status.
So we've seen like belt level systems as an example for security champion programs.
That's a status reward.
I'm leveling up and I'm being recognized for that level up.
(37:51):
Leveling up is a gamification concept, but here's a perfect example of
using a game like concept in the real world: when you get promoted at your
company, what is actually encouraging, rewarding, et cetera, about that?
Is it the extra paycheck?
Or is it the status that comes from that?
(38:12):
The recognition, the increase in responsibility, you know, the social
aspects of your peers, et cetera, recognizing that, hey, you, you
know, you earned this, you worked hard, you deserve this, right?
There's so much that comes
with being promoted that's more of a status type of reward.
(38:35):
And then access usually comes with a promotion as well, right?
You get access to certain meetings, you get a seat at the table, right?
With
G Mark Hardy (38:43):
to the executive washroom
with the nice thick toilet paper.
Dustin Lehr (38:46):
Exactly.
And then power as well.
You have more decision making authority, control, and so forth.
That's also very rewarding.
So,
now it comes to really talking about how do we, you know, take these concepts
and apply them to champion programs.
This is where in the design phase, I really like to talk about
(39:07):
using these rewards effectively.
So having a leveling system where people earn status, having rewards like access
to tools or information, et cetera, that they didn't have access to before,
but they earned their way into it.
Two examples.
One of them is, you know, I found that a lot of folks are very intrigued by the,
(39:34):
potential like, breaches or incidents that have happened at a company.
Right?
They're interested in that, but that's, it's a little bit privileged information.
Like, the security team is not going to share all those
details with the employees.
Right?
However, what if you earn your way to that information?
(39:55):
Right?
So, you earn a certain status level as a champion, and now the security
team is going to share a little bit more of that insight with you.
Maybe not all of it.
More of it than you would have had before.
Is that an incentive?
Is that motivating for people to want to get involved in the program and level up?
I think so.
(40:15):
And
G Mark Hardy (40:15):
Finding that
Dustin Lehr (40:16):
I've seen it
G Mark Hardy (40:17):
and opening it up and
see what's inside there is, it works.
It's that gamification.
So if we're getting down to the last five minutes of the show, we've done vision,
participants, setting, concept, design.
What's next?
Dustin Lehr (40:30):
So this is where we talk
about delivery, and we were talking
about like grassroots versus big bang.
It's good.
I think it's good to talk about the best way to communicate, market,
and roll out a program like this.
Could be a phased approach.
It could be a big bang, like we talked about before.
So that's the step where I like to encourage figuring that out.
(40:51):
And then lastly is tuning.
How are you going to measure the success of the program?
What controls do you have in place and sort of dials that you can use
to sort of adjust things as you go?
I think the important concept here is you don't just like sail
the ship off into the sea, right?
Like, cool.
We designed a champion program.
Alright, we launched it.
(41:12):
We're all done now, right?
No, it takes constant care and feeding, tuning, etc.
So that's what that step is all about.
G Mark Hardy (41:21):
So we've got a quick review.
Everybody got the vision, participants, setting, concept, design, delivery,
and tuning.
Now, in doing this with your application developers, are there any
of these steps that tend to be ones that people struggle with?
And if so, what's a good hint or methodology to help
(41:42):
them get up over the hump?
Dustin Lehr (41:45):
The biggest piece of people's
Well, there are two major pieces that
come to mind that people struggle with.
One is proving the value of the program to leadership.
The second is motivating folks to continue to stay involved.
And I try to address both of these in the guide.
The leadership aspect by setting clear goals that you can measure,
(42:08):
that you can show, right?
Show small wins as you go, incremental wins.
Share stories, et cetera, as folks are getting involved, you
know, "Hey, we wouldn't have even known about this security hole
over here without a champion who
it to us."
That's important stuff to share.
So yeah, that's, that's where I'd start.
G Mark Hardy (42:28):
Awesome.
So in terms of resources out there, you'd mentioned the one site
before, which I thought was great.
And it is securitychampionsuccessguide.org.
Make sure we get the right link there.
And you've also got a website for your business, right?
Katilyst, spelled K A T I L Y S T dot com.
Is that a kind of a little plug for you?
(42:49):
'Cause you didn't have to do it.
I did it for you.
Dustin Lehr (42:53):
Yeah, this was a company
I created, like I mentioned at the
beginning years ago, and we focus on security champion programs and providing
not just services like design to help you succeed, but we've also got a product
that automates a lot of the gamified elements that we talked about today.
G Mark Hardy (43:10):
All right.
So any closing thoughts, any way you can think of it?
People say, "Hey, I like this idea.
I really want to get started."
We've given a couple of links here and we'll put them in the show notes.
So you don't have to check in your spelling and things like that.
But how would you help people either convince their management or their boss,
or even themselves, to get off of top dead center and start moving on something?
Dustin Lehr (43:31):
Yeah, you know, I think
it comes down to what we were talking
about in terms of vision, like,
dream big, you know, what, what does an ideal culture at your company look
like when it comes to cybersecurity?
I like, for me, that's motivating, right?
I, I, I like the idea of, okay, here's something, a BHAG, right?
(43:54):
It would be amazing if people would behave like this.
Well, what if I told you that that is possible?
It takes a lot of time.
It takes a lot of effort and so forth, but we can move toward that.
And I think that's exciting.
So hopefully that's inspiring and motivating.
The other thing to think about really is to get excited.
Like if you're going to be successful in creating a program like this,
(44:18):
you know, put your creativity into it to the point where you're
excited about the whole thing.
Because if you're not excited, no one else is going to get excited.
And it kind of goes back to leadership.
Like we were talking about before, how do you inspire others, you
know, by being skeptical or boring, that's not how to do it.
So get excited and have fun.
G Mark Hardy (44:36):
Yeah.
And I love the idea of gamification.
Here I am.
Probably can't tell that the screen resolves.
There we go.
So there's my link, or what am I doing?
500 days on doing my Duolingo, and he just hit that.
So that's again, you get in there and you create the streak, you
create the continuity, you create the gamification, the incentive,
(44:56):
and you find a way to do stuff.
So Dustin, I think you've had some awesome ideas.
Hey, anybody who's listening to the show, if you think you've
loved this stuff, let us know.
Pay it forward.
Let other people know where you found the podcast,
cisotradecraft.com.
Go to us on LinkedIn.
If you're not following us on LinkedIn, please do so because we put
out a lot more than just podcasts.
We also have a Substack newsletter with some good information that's out there,
(45:17):
and we'd love to help you on your career journey in the cybersecurity world.
So thank you very much for being part of our audience to us.
And thank you for coming on board and joining us today.
And for everybody else out there, till next time, this is your host, G Mark Hardy.
Stay safe out there.