Security Champion Worst Practices – My Slides from Barcelona

Tanya at OWASP Global AppSec in Barcelona, Spain

Thank you very much to everyone who came to my talk at OWASP Global AppSec in Barcelona! It was so lovely to have the chance to speak to so many of you, and to share our experiences around security champion programs — especially the ways they can go wrong, and how to avoid those situations. Below are my slides, in PDF. You can also see a recording of me giving the same talk at NDC Security, in Oslo, Norway, at the end of this post. I plan to be at the next edition of OWASP Global AppSec in Washington, DC, USA in November 2025, and the next edition of NDC Security conference in Manchester, UK in December 2025. Will I see you at one of these events? If so, please say hello!

Title: Security Champion Worst Practices

Abstract:
Security champion programs are all the rage right now, but they aren’t a magic bullet; they are a lot of work and more than half of them fail. We want to scale our security programs and improve security culture and communication, but what happens when our champions are less-than-enthused? There’s no support from management? We can’t get enough buy-in? Let’s look at when things go wrong with security champion programs, with this list of worst practices — and how to avoid each one.

Download the slides here.

Photos!
