In the Security Champion Program Success Guide blog, I invite industry professionals to offer their opinions, experiences, and viewpoints about Security Champion programs in order to expand our collective knowledge and encourage healthy, productive conversation. In this post, Staff Product Security Engineer / Tech Lead Manager at Toast Alina Yakubenko shares the resources needed to launch and sustain a successful champion program. Enjoy! — Dustin Lehr
In some of my previous articles, we’ve explored the power of building security from within and the psychology of engagement design. But there is a silent killer of even the most well-intentioned initiatives: the assumption that a program will run itself, even after the initial excitement fades.
The reality is that a Security Champion program is not a “set it and forget it” project. It is a living ecosystem that requires specific resources, deliberate leadership, and the humility to seek external expertise if the internal engine stalls.
If you want a program that doesn’t just exist on a slide deck but actually moves the needle on risk, you need to consistently invest in four critical areas to sustain your program.
1. The Human Fuel: Securing Three-Way Support
A program without buy-in is just noise. To make it sustainable, you need a “triangle of support”:
- The Candidates: They need to see the “What’s in it for me?” Is this a path to career growth, a way to gain exclusive skills, or just more work?
- The Direct Managers: This is where most programs die. If a Champion’s manager doesn’t see the value, they won’t protect the time required for the role. You can’t just recruit Champions; you have to recruit their bosses too.
- The Executive Sponsors: Senior leadership support provides the air cover needed for the program to survive organizational shifts and budget cycles.
2. The Dedicated Heart: Why You Need a Program Lead
Many organizations try to “crowdsource” the management of their Champion program, spreading the administration across the entire security team. This is a mistake.
A successful program needs a dedicated, passionate leader. This person isn’t just a project manager; they are a community builder, a mentor, and a data storyteller. They are the ones who notice when engagement is dipping and pivot the strategy before the program goes extinct. Without a single point of accountability, the program becomes everyone’s second priority—and eventually, no one’s.
3. The Engine: Automation Over Administration
In the article “The Engagement Design Advantage,” (here) I spoke about the “administrative nightmare” of tracking points and badges manually. If your Program Lead is spending 80% of their time updating spreadsheets and 20% talking to people, the program is upside down.
Investing in tools and automation (like the Katilyst platform) isn’t just about efficiency—it’s about survival. Automation allows you to scale from 10 to 100 Champions without increasing the headcount of the security team. It turns “tracking” into “insights,” giving you the metrics you need to prove value to leadership instantly.
4. The Partnership: Don’t Struggle in a Vacuum
One of the biggest blunders I see is the “internal-only” ego. Many teams try to build everything from scratch—onboarding kits, training modules, gamification logic—only to realize they’ve reinvented a very square wheel.
There is no shame in external partnerships. Whether it’s leveraging specialized platforms or consulting with experts who have seen the “Top 10 Blunders” of champion programs firsthand, these partnerships provide a shortcut to maturity. If your program isn’t living up to expectations right away, don’t give up. Instead, refine the design. Sometimes, an external perspective is exactly what’s needed to transform a struggling initiative into a thriving culture.
The Bottom Line
A good Security Champion program is expensive—not necessarily in dollars, but in attention, intention, and consistency.
If you are unwilling to dedicate a leader, provide the right tools, and seek help when you’re stuck, you aren’t building a program; you’re just hosting a series of meetings. But if you invest in these resources, you won’t just have a list of volunteers—you’ll have a resilient, self-sustaining community that can help you shift your culture to serve as your organization’s strongest line of defense.
Want to share your own viewpoint or case study about security champions to post on this site? Contact me on LinkedIn and let’s chat! — Dustin Lehr
