From the latest Security Champions Podcast
When Mike Burch first started the Security Champions Podcast, he had one simple goal: build a space where people could talk openly about secure coding, developer security culture, and of course, security champion programs.
Over time, these conversations grew into something bigger and eventually sparked the idea for the Security Champions Summit: the first conference focused entirely on the people driving change from within.
In the latest podcast episode, Mike and I unpacked the entire journey of bringing the summit to life: how the idea started, what it took to make it real, what we learned along the way, and what the future holds. In this blog, I’ll summarize some of our thoughts, but tune in to the episode for the full picture.
The idea for the summit came from a simple realization Mike shared during the early part of the discussion: almost every area of cybersecurity has its own conference... except for security champions!
There are plenty of meetup discussions, webinars, and podcasts that focus on the concept, but there were no large-scale events for people leading or participating in champion programs. We wanted to fix that and give the community a place to connect, share ideas, and learn from each other.
When Mike first brought the idea to me, I’ll admit my first thought was, “How come no one’s done this before?” My second thought: “This has to go right.”
It wasn’t just another event, it was a milestone during a growing movement. If we launched it poorly, it could set the entire conversation about champions back a step.
As we planned the event, one thing became clear: launching a conference is a lot like launching a security champions program.
You only get one chance to make a good first impression. If people show up and it doesn’t land, you might need to completely redesign and rebrand before they’ll give it another shot.
That parallel guided our approach. We focused on clarity of purpose, real value, and community over promotion. We wanted people to walk away knowing this wasn’t a vendor event... it was a safe and genuine space for real connection.
One of our first big decisions was about the audience. Should the summit focus on the people running programs, or the champions themselves?
Even actual champion programs are not just about what the program leaders need to design and manage them, they're about the champions involved in them, the ones stepping up to make security a shared responsibility.
In the end, we chose both. We planned for sessions that helped leaders build and scale programs, and others that helped individual champions grow in their craft and influence.
We also talked a lot during the episode about what makes engagement so hard, whether you’re running a champion program or an event.
People’s attention is limited. You can’t force participation. You have to earn it.
That’s why we applied some of the same principles I use when talking about behavioral science in security: designing to pique curiosity, creating a sense of ownership, and working hard to make it easy for people to get involved.
That’s also why we aligned the summit with Cybersecurity Awareness Month, not because awareness should happen once a year, but because timing matters and many leaders are looking for activities and events to promote during this time.
When it came time to find speakers and collaborators, I leaned heavily on the trusted relationships I’ve built over the years.
A catchphrase lesson I share often, and mentioned again on the podcast:
“Don’t make the first time you meet someone be when you need something.”
The summit came together because of relationships built long before there was anything to ask for. This kind of trust is what makes communities, and security programs, sustainable. Focus on helping people and doing things for others, and it'll bring benefits down the road.
The first Security Champions Summit was a bit of an experiment, and it worked.
Not because everything went perfectly (it didn’t) but because it proved that the community of champions, and champion program builders, is real, passionate, and ready for its own dedicated forum.
As Mike said during the episode, “We're trying to make a real thing of this. We want to do this every year.”
I couldn’t agree more.
The Security Champions Summit isn’t the finish line. It’s the start of something ongoing: a growing space for those of us who believe that when people beyond the security team feel ownership in security, everything changes.
-- Dustin Lehr (LinkedIn)