Tanya Janca, Founder & CEO, We Hack Purple

Building a Security Champion Program

Image shows a woman in a red dress presenting to people seated inside a conference booth.

Tanya Janca on why your organization needs security champions, and the recipe for making them.

What’s a security champion, you ask? Tanya Janca of We Hack Purple stopped by the Juniper booth at the RSA Conference 2022 to explain the who, what, and why of building a security champions program at your organization. Learn everything you need to know about security champions from her short presentation. 

You’ll learn

  • Why it’s beneficial to have security champions in your organization 

  • How Tanya builds security champions programs 

  • How to encourage people to become security champions 

Who is this for?

  • Security Professionals

  • Business Leaders



0:06 hi everyone thank you so much for coming

0:07 and thank you for having me because

0:09 there's so many things here i really

0:11 appreciate it so i wanted to talk to you

0:13 about security champions today so first

0:15 i'm going to tell you what security

0:16 champions are supposed to be and then

0:18 i'm going to talk about how i stumbled

0:20 into building a champions program and

0:23 then how i ended up just building tons

0:25 and tons of them for several companies

0:27 so

0:28 i was a dev for a really long time

0:31 and when i switched into security i had

0:33 no idea i was a security champion i was

0:35 really excited i was learning stuff on

0:37 my own i was reading blogs listening to

0:39 podcasts very excited and every time

0:41 there's a security bug i'm like i'll fix

0:43 it i got this i want to talk to the pen

0:44 tester i want to do this i want to do

0:46 that and i got really really excited

0:48 about security and eventually the

0:50 security team said well

0:52 we have an opening do you want to apply

0:54 and i was like

0:57 and surprise i i got it i was the only

0:59 applicant to be clear but

1:01 um so i

1:03 a security champion is supposed to be

1:06 your

1:07 person on every single different team so

1:10 this could be someone on the marketing

1:12 team this could be someone on the sales

1:14 team

1:15 this could be someone on each different

1:17 software development team where you work

1:19 and if you work at juniper there are a

1:21 lot of software developers and network

1:23 engineers

1:25 this person that is on another team

1:28 is your champion and by that i mean they

1:30 sing the praises of security you tell

1:32 them about for instance marketing teams

1:35 you're like gdpr let's not violate that

1:37 every day and get sued it'll be great

1:40 and so you teach some of that and you

1:41 tell them about it and that person

1:43 that's the champion

1:45 does that work for you so

1:48 they communicate on your behalf

1:51 they tend to teach other people

1:53 on their team they're like hey you're

1:55 gonna do that and like put all that data

1:56 into facebook but we didn't ask

1:58 permission for our users to do that so

1:59 we're not allowed doing that so please

2:01 stop

2:03 and then

2:03 and vice versa you teach that person you

2:06 encourage that person you enable that

2:08 person to do their job securely

2:10 and help give them all the tools and

2:12 education they need to help their entire

2:14 team succeed

2:16 and so

2:17 i was a software developer and i

2:18 switched to security but at the same

2:20 company and so all the devs were my

2:23 friends that's who i had lunch with and

2:26 so then i started talking to them and i

2:28 said hey i want to scan your apps with

2:30 this little dynamic scanning tool

2:33 but i don't have time to do all 150

2:35 there's like two or three hundred of you

2:37 there's one of me

2:38 can i show you how and could you scan

2:41 those apps for me and then tell me if

2:43 you need help and i'll be there

2:45 and then before i know it i had one

2:46 person on every single team

2:48 that was my guy or my gal who would help

2:51 me and so then i would

2:53 start meeting with them at least once a

2:56 month if not more and i'd be like hey

2:57 stephane and how's that secure coding

2:58 library going what's up man

3:01 and i ended up building these really

3:03 strong relationships with the devs that

3:05 were was different because i was on the

3:07 security team and so then when stephane

3:09 who was my secure coding librarian which

3:12 is awesome

3:13 when he would say to his teammate like

3:16 hey

3:17 you didn't scan your app like you're

3:18 supposed to or hey

3:20 like remember she taught us not to do

3:21 that

3:22 that's their peer saying that to them

3:24 instead of the big bad security person

3:26 because when i went on to my next office

3:28 i as the security person the devs didn't

3:30 know me and previously they had been in

3:33 my opinion abused by the previous appsec

3:36 person that yelled no a lot apparently

3:39 and so i had to rebuild trust and again

3:42 reach out to each team find that person

3:44 who wanted to work with me

3:47 and one day i met this guy named ray and

3:49 he has this blog come on in come on in

3:51 there's a seat right there and it has

3:52 your name on it

3:54 but basically my friend ray he writes

3:56 this blog called hellasecure.com

3:59 and he's like oh yeah what you do that's

4:00 called security champions that's what

4:02 you've been doing for years there's a

4:04 name for it

4:06 i was like i thought that was just

4:08 my friend on that dev team and my friend

4:10 from marketing and my friend from sales

4:13 that makes sure that really bad stuff

4:15 doesn't happen to our company

4:17 and so

4:18 eventually like by reading his blog

4:21 reading tons of blogs realizing that

4:22 there was a name for this i started

4:24 helping more and more companies do this

4:26 and i came up with a recipe

4:28 that i'm going to basically

4:30 because we don't have an hour

4:32 and so i want to be respectful of your

4:33 time i'm just going to explain the

4:35 recipe so the first thing i do is i

4:36 invite a whole bunch of people to be

4:38 champions i tell literally anyone that

4:40 will sit still and listen to me if

4:42 there's a

4:43 all staff i'm like hi i have two minutes

4:45 with you and i want to tell you about

4:46 this and i need your help and if you're

4:48 interested email me and so i just tell

4:50 everyone who will listen

4:52 and anyone who's interested in security

4:54 i'm forming this champions team and i

4:56 just need two hours a month from you

4:58 and two hours is like not that scary and

5:01 one of the hours is sort of optional

5:03 basically it's like i want to talk to

5:05 you once a month

5:06 i want to ask how is it going i want to

5:09 ask what you're working on and if you

5:10 need help and i'm going to help you with

5:11 security step and then the other hour is

5:14 i'm going to hold some sort of learning

5:16 thing

5:16 and if you could show up that would be

5:18 grand but if you miss a few i will live

5:21 and so then you have a few people so

5:24 let's say you have like four people but

5:26 you want 20 people

5:27 so continue so step two so first one

5:30 invite people so it's called recruiting

5:33 so whatever you want to call it just

5:34 invite them

5:35 don't force them against their will we

5:37 are adults no one likes that no one

5:39 wants to be voluntold

5:41 so then the second thing you do is you

5:42 engage them so you start learning about

5:45 them asking them about what they're

5:46 working on asking them what's coming

5:48 next what they need help with and

5:49 helping them you start teaching them

5:51 stuff holding lunch and learns or

5:54 presentations or whatever you want to

5:56 call it

5:57 and then more people will come and

5:58 people start talking and they're like

6:00 i'm a security champion and it didn't

6:02 even hurt

6:05 this security person has not yelled at

6:06 me one time

6:08 and that's pretty good right

6:10 and so as you engage them

6:12 and you teach them more

6:14 and you pay attention to them and give

6:16 them your time and attention

6:18 more of them will start to reveal

6:20 themselves and then invite them and so

6:22 at this point hopefully you have a bunch

6:24 of champions but maybe not as many as

6:26 you want you don't have one from every

6:27 team but you have quite a few

6:29 so then the next thing i start doing is

6:31 i start officially teaching them so it's

6:33 like let's say you're in marketing and i

6:35 want you to know these three things i'm

6:37 going to teach you how to do your job

6:39 securely and in hopes that you teach the

6:41 rest of the team

6:42 some things apply to everyone so like

6:44 let's say you have a password manager

6:48 and you want everyone to turn on

6:49 multi-factor authentication that's two

6:51 thumbs up that's even better but you

6:53 would teach everyone that but sometimes

6:55 you just want to talk to software

6:56 developers or network engineers or

6:58 operations folks

7:00 and so you'll have things that are just

7:01 for them

7:02 but as you start teaching them more

7:04 people are going to talk more people are

7:06 going to show up

7:07 and you're going to have that person

7:09 that asks a question every single time

7:12 or that person that emails you or that

7:14 person that shows up all the time you

7:16 should reach out and invite that person

7:18 to be a champion

7:19 sometimes people need a direct

7:21 invitation and this might sound really

7:23 stupid but there's a lot of people

7:25 that have imposter syndrome but who are

7:27 completely amazing and they have not

7:30 received the memo that they are

7:32 completely amazing and sometimes you

7:33 have to deliver that memo to them

7:36 and be like hey so i saw you at all the

7:38 lunch and learns and you ask really

7:39 great questions and you're like always

7:41 on top of all of the security bugs or

7:43 things that are important to you like

7:44 would you like to be a champion

7:46 and some of them will be like oh i don't

7:48 know enough he's like that's cool

7:49 because i'm going to teach you i'm going

7:50 to show you how

7:52 and then

7:53 you might have to massage some of it be

7:54 like it's okay don't worry we can do

7:56 this trust me you're good enough but

7:58 then once you have enough champions and

8:01 you're teaching them regularly all the

8:03 things you need them to know and you're

8:04 talking to them at least once a month to

8:07 see

8:08 so i asked three questions what are you

8:10 working on

8:11 what are you working on next

8:13 and then do you need any help with like

8:15 literally anything i am your buddy and i

8:17 want to help you you're helping me how

8:18 can i help you

8:20 if you can just touch base with each one

8:22 of them once a month and keep doing that

8:25 and then have some sort of learning

8:27 session once a month

8:28 you can have a really good program but

8:30 if you want to have a fantastic program

8:32 so this is the end of the recipe so

8:34 there's three more things

8:36 so i have a question for all of you

8:37 first

8:39 who here has read either an article or

8:42 the book or a blog post or something

8:44 about the five love languages

8:47 okay awesome there was like no one in my

8:48 talk when i did this on monday

8:51 so the five love languages

8:53 are basically how people

8:55 feel that they're loved

8:57 and some of them are wicked

8:59 inappropriate to do at work like

9:01 touching don't do that

9:03 but you can recognize and reward people

9:06 so recognition would be words of

9:07 affirmation

9:08 so for instance you know how you told me

9:10 that your team was doing this thing and

9:12 you were worried about it i came in i

9:14 talked to them we improved it and now

9:16 they're all

9:17 have mfa are doing the thing that i

9:19 really needed them to do without you

9:21 that couldn't have happened so thank you

9:23 putting a note in their performance

9:25 review to thank them for going above and

9:27 beyond and being a champion for you

9:30 it might sound really silly but making

9:32 like a little certificate that goes on

9:34 the wall in their cubicle or like a

9:36 virtual background in zoom or slack or

9:38 whatever the thing is that you use to do

9:39 your meetings

9:40 but to say like this person goes above

9:42 and beyond for the security team and we

9:44 value them and that is recognizing your

9:46 champions and a lot of people

9:49 feel loved when you recognize them i'm

9:52 one of those if my boss is like you did

9:53 a good job i'm like

9:56 and i would like that more than like a

9:58 free dinner or something like that

10:00 that's how i am but the other half of

10:01 people tend to be gift driven

10:04 and so i feel like we can give gifts

10:07 that reinforce the thing we want so for

10:09 instance

10:10 i wrote a book and i happen to think

10:12 it's great and if you come back to the

10:13 juniper

10:16 booth tomorrow and you will get a copy

10:18 of my book i believe

10:19 yeah so they're going to have 50 copies

10:21 i think to give away throughout the day

10:23 so come and say i saw this yesterday

10:25 well hi

10:26 come and say i saw this yesterday and

10:27 that you want a book i'm going to sign

10:29 them all today i mean i'm going gonna

10:31 come in tomorrow morning and sign them

10:32 but i can't actually be here all day

10:35 um but the point is is like if you can

10:37 give them like let's say a yubikey or

10:39 give them a book about security that

10:41 relates to their job or let's say

10:43 they're doing marketing and you give

10:44 them a marketing privacy book or let's

10:46 say you buy them a ticket to rsa there's

10:49 so many things that you can do that is a

10:51 gift but that reinforces your awesome

10:53 message of like i

10:55 i really want you to keep doing cool

10:57 security stuff

10:58 i usually pair privacy with security you

11:00 don't have to do that

11:02 but i find it's pretty nifty to make

11:04 sure that they're obeying privacy rules

11:06 like gdpr

11:08 yeah

11:09 i've been i've been almost bitten a

11:10 bunch of times so i'm like pretty

11:12 nervous about that okay so now we have

11:14 done five of the six things so we have

11:17 recruited people we have engaged them we

11:20 have taught them we have recognized and

11:22 rewarded them

11:23 the last part of the recipe is the

11:24 really hard part

11:26 and that's that you shouldn't stop

11:28 you have to keep

11:30 going you are investing you know who

11:33 here has read like the wealthy barber so

11:35 when i was younger like if you invest

11:37 money now you'll be rich later i'm like

11:38 but i'll be poor now and that sucks

11:41 right

11:42 but if you are investing in these other

11:44 employees

11:46 you're investing in their education

11:47 you're investing in their knowledge

11:48 about security you're investing in these

11:50 processes that help them be better

11:52 champions for you

11:54 don't stop this is the biggest problem

11:56 that happens with security champions

11:58 programs people start they do like 20

12:01 things the first month they do 10 things

12:03 the next month and the third month

12:04 they're exhausted and they don't do

12:06 anything for a year and then i usually

12:08 get some pretty cool consulting hours

12:10 out of it but that's not what i want

12:12 i want all of you to have successful

12:14 programs so if you can

12:16 pace yourself don't do five things the

12:18 first month do one thing for five months

12:21 and then you just did five awesome

12:23 months

12:24 if you can

12:25 share it with another employee so for

12:28 instance

12:29 i like to partner with awesome privacy

12:31 folks i know security is different than

12:33 privacy but i respect what they do and

12:35 so if i'm like you know what my june's

12:37 really crazy because there's rsa i'm

12:39 gonna be busy i'll ask the privacy folks

12:42 can you do a presentation for all the

12:43 security champions

12:46 and then you didn't stop and you didn't

12:47 miss a month if you have to miss a month

12:50 for some reason send them an email and

12:52 this might sound really cheesy but send

12:54 them an email and say hi everyone i hope

12:56 you're having a great summer vacation

12:57 well whatever we're not going to have a

12:59 presentation this month but

13:01 here's a podcast that i thought would

13:02 help you here's a video from rsa of this

13:06 talk that i thought really applied to

13:07 this thing we do at work or here's

13:09 whatever it is and then next month we're

13:12 going to do that i'm going to see you

13:13 all then i'm still here if you need me

13:15 send me a message

13:17 but this is what i have for you for now

13:19 thank you for being a champion i

13:20 appreciate you and then it sounds really

13:22 silly but i like to put a really silly

13:24 meme at the bottom to make sure that

13:26 they read to the end if you've ever seen

13:28 my newsletter if you haven't seen the

13:29 meme that means i know you didn't read

13:31 it

13:32 it works

13:33 and so with that

13:35 i want to thank all of you for coming to

13:37 this i want to thank you for coming to

13:39 see me and i want to ask who has

13:40 questions because i was really fast and

13:42 i bet there's a bunch

13:44 does anyone have any questions well

13:46 thank you how about this thank you

13:48 thank you

13:50 [Applause]

13:54 does anyone have questions you can ask

13:56 there and then i'll repeat it here and

13:57 you don't have to speak into a mic if

13:59 that's scary

14:04 yes so the recipe that i use is recruit

14:08 and so basically it means a lot of

14:09 invitations engage so become interested

14:12 in them become interested in what they

14:14 do pay attention ask them lots of

14:16 questions

14:17 two teach them teach them every single

14:20 thing that you need them to know to do

14:22 their job as securely as you wish they

14:24 would then recognize and reward i put

14:26 them as two separate ones it's important

14:29 you do both because some people it

14:31 doesn't matter how many nice words you

14:33 say if you don't give them a gift they

14:34 don't feel valued and the opposite is

14:37 true i don't want a 200 bonus i get paid

14:40 very well 200 is nothing i want to hear

14:42 my boss say you rock

14:44 and so do both to make sure you hit

14:47 everyone's kind of like feel

14:50 do not do uh the other love languages

14:52 because you might get in trouble

14:54 oh and then the last one is don't stop

14:57 [Music]

14:58 thank you are there any other questions

15:01 does anyone have a program

15:04 at work do they have a security

15:05 champions program yeah

15:07 is anyone thinking of starting one

15:10 [Music]

15:11 i have a blog series of 10 blogs in a

15:14 row where i drag this out with way more

15:16 details and metrics and how to measure

15:18 your program etc

15:20 if you go to wehackpurple.com

15:23 and it's free

15:24 we hack purple just has free stuff now we

15:27 got acquired

15:28 that means we don't have to we don't

15:30 have to like make money it's awesome

15:33 thank you everyone so much for coming

15:35 and i think that the juniper people

15:37 probably want to talk to you so thank

15:40 you very very much i really appreciate

15:42 it

