Trick Them Into Learning: Creating Eager Security Champions

In the Security Champion Program Success Guide blog, I invite security industry professionals to offer their opinions, thoughts, experiences, and viewpoints about Security Champion programs in order to expand our collective knowledge and encourage healthy conversation.  In this post, Jacob Garrison explains how he used the concepts he learned as a snowboard coach to make learning fun for his champions.  Enjoy! — Dustin Lehr

Ten months ago, I had a vision: There must be a way to make security education fun.

How did I arrive at that vision? Before I dive into the details, you should know some facts about my background that inspired my unique approach.

The Inspiration

I’ve been a part-time snowboard coach for seven years. And, believe it or not, there are grueling certification exams for snowboard instructors. I had a miserable time during training; my favorite hobby had become a chore due to the rigorous training structure. After hundreds (maybe thousands) of hours of training for those exams, I reached the “fully certified” status and began teaching others how to pass.

Now, if it’s possible to burn out on a fun and objectively awesome sport, imagine how frustrated people become when learning a complex technical subject.

So, in the various training programs I’ve created since then, I’ve used the philosophy of: “Trick them into learning.” And I promise it’s not malicious, despite its name.

A Snowboarding Example of “Tricky” Learning

Independent leg movement is a crucial skill for making efficient turns on a snowboard. To teach leg movement, many instructors shout phrases like, “Bend your front knee” or “Flex your front ankle,” but those commands are usually ineffective. So, instead, I use a more lighthearted approach.

Freestyle maneuvers are intentionally stylish movements on a snowboard; they’re also an effective way to reach the desired outcome of independent leg flexion. I casually introduce these “fun” movements to guide students in the correct direction.

Here’s a photo of one movement to help visualize. If you feel like Googling the maneuvers, look up the ollie, nosepress, and tailpress.

Typically, the students comment about feeling like “one of those cool snowboarders they see on TV.” There’s been a positive correlation between learning these movements and the ability to make efficient turns.

Yes, it’s important to learn details. Yes, some pieces are boring. But it’s a leader’s responsibility to deliver knowledge in engaging ways that drive towards the desired outcome. Sometimes, “tricks” are your friend.

Plus, once you demonstrate how fun actions improve the overall ability level, the value you bring to the individuals becomes obvious. Always, always, always make your contributions to your students clear.

Enter: The Monthly Nerd-Out

So, after meeting Dustin Lehr and hearing him talk about building security champions, I decided to create a security champions program at my company.

It’s worth mentioning that I work at a software security vendor. Our engineering team has a massive security focus, with security built into the culture. But there’s always room for company-wide improvement.

I created a program for Security Awareness Champions (the non-technical folk who aren’t creating software). Drawing from my snowboard coaching strategy, I decided on my desired outcome: build lifelong learners of security.

Selling this program to an audience of non-technical employees was easy because the value was tied directly to their knowledge, success, and growth. In fact, my main selling points continue to be:

  • You’ll understand your customers (Buzzwords will become performable actions)
  • You’ll become more efficient at your job (Value propositions will become clear)
  • You’ll grow in your career (You’ll bring extra knowledge to current and future employers)

Every single invitee (12 people, if I remember correctly) accepted and attended the first session. Nothing about the email was groundbreaking, so I believe the high attendance rate resulted from the internal relationships. These people either 1) trusted me to deliver some value or 2) felt peer-pressured, since everyone knows each other personally at a small company.

Lessons Learned From the First Session

It was absolutely crucial that the first topic intrigued people. I opted for a hands-on example of how CI/CD allows software to change in front of our eyes – something that happens daily and is vital to understanding the software security problem.

In the beginning, we talked about theory. Everyone looked bored. That was my indication to pivot and begin the live exercise early.

People tuned into the meeting once we started playing with the delivery pipeline I built using GitHub and Vercel. We pushed some breaking changes and hotfixes. The attendees became increasingly stoked as the lab progressed. Some interesting quotes from the first session include:

  • “It’s really that easy?”
  • “I’m going to push more things to production, then add ‘Software Engineer’ to my LinkedIn.”
  • “So how do people know if they made a mistake?”

That last question was a home run. Continuous delivery isn’t a security topic on its own. Yet the attendees could see past the subject matter and extrapolate the consequences of a mistake. And they did it in a fun manner, rather than death by PowerPoint.

My big takeaway was to focus on the live walkthrough first and talk about the theory later. That way, I can keep participants engaged and “trick” them into learning. In this case, the “trick” is to get them actively involved so the knowledge is tied to an experience.

How the Security Champions Program Has Evolved

Admittedly, I wasn’t sure what to expect from the first session. It was pleasing to see the participants displaying ownership and engagement.

In the sessions since then, the participants regularly ask questions beyond my knowledge, allowing us to learn together. The process has proven that you don’t need to be an expert to make an impact on others. You just need to care.

In the eight or so sessions so far, we’ve covered the following:

  • CI/CD, Source Control, and Repositories
  • API Authentication and Authorization
  • Web Traffic Encryption
  • SQL Injection
  • and more!

The attendance rate varies by month, but it has consistently been between 50 and 80%.

One interesting point is that I haven’t attempted to formalize the program with extrinsic rewards – not even snacks! The intrinsic motivation to improve as a professional has sufficed thus far.

Creating a more established security champions program for a wider audience is on my to-do list, but you all know how priorities get rearranged at scrappy startups.

Will the “Fun” Security Champion Model Work For You?

Knowing everyone in your organization and interacting with them on a personal level is a startup privilege – this isn’t realistic for larger organizations. I expect many of you reading this will require an added layer of formality and communication with managers to build your security champion program.

Also, creating a lab each month is a lot of work. I’m fortunate in that I can often repurpose items I build in my day job, but it still requires effort after hours. If you can’t find the resources to create your own labs, there are sites (such as TryHackMe) that you could go through as a group.

However, maintaining an engaging environment is absolutely necessary. Here are some key points that have helped me:

  • Ask for topics of interest.
  • Start with walkthroughs before you get into the underlying theory.
  • Allow the conversation to drift (so long as it’s security-related).
  • Ask the champions to summarize their lessons learned each session.
  • Offer suggestions for self-studying between meetings.
  • Keep it light-hearted and fun (crack some jokes, talk about silly mistakes from your past).
  • Make the experience feel like a game.

One final point is that everyone must feel welcome at these meetings. When people are brave enough to ask a question or admit they don’t understand something, you should thank them for contributing to the group. Allowing other members to answer those questions or speak on a topic can further help with empowerment.

The approach discussed above has helped my team expand their knowledge and grow as professionals. Hopefully, it inspires your security champions program.

Jacob Garrison

Want to share your own viewpoint or case study about security champions to post on this site? Contact me on LinkedIn and let’s chat! — Dustin Lehr