Leading with the Carrot: Building Security Culture, Not Just Compliance
Reflections on my Security Champions Podcast episode featuring Mark McMillan
Mark McMillan is running a security champion program that isn’t just checking boxes... it’s working. After his memorable appearance at The Security Champions Summit, I invited Mark onto the latest episode of the podcast to go deeper and unpack what makes his approach work and what the rest of us can learn from it.
What really struck me is how Mark leads: not through authority or credentials, but through presence, personality, and persistence. His path into cybersecurity wasn’t linear. He started in journalism, moved into communications, and somehow found his way into the world of security awareness. But what seems like an unconventional background is exactly what makes him so effective. He brings a deep understanding of how people listen, what motivates them, and, maybe most importantly, how to make complex or intimidating topics feel safe to engage with.
Security Awareness that Actually Supports People
When most people hear “security awareness,” they think of annual trainings, compliance modules, and phishing simulations where clicking the wrong link triggers mandatory remedial training as a punishment. That’s... not really inspiring. And frankly, it’s why many awareness programs get tuned out or resented.
Mark’s approach is entirely different.
He sees awareness as a service. His team is there to support people. To meet them where they are, reduce obstacles in their day-to-day work, and help them build confidence in navigating security risks. It’s not about policing behavior. It’s about helping people succeed.
One line that stuck with me was when Mark said, “We're here to help you with cybersecurity no matter the issue. If we don't know, we can connect you with the person that does.” This sounds simple, but how many security teams actually operate that way? With openness, responsiveness, and a bias toward partnership instead of punishment?
The mindset that “we're here to support, not scold” permeates his entire program. And it shows in the results.
Rethinking Remediation: Why the Carrot Works
We spent a good chunk of the conversation talking about remediation. What do you do when someone fails a phishing simulation, not once, but maybe two or three times?
Traditionally, that triggers the stick: more training, more lectures, sometimes an escalation to their manager or HR, and occasionally even making an example of the person by letting them go. It’s rooted in the belief that the best way to change behavior is to apply pressure and shame, to make someone feel bad enough about the mistake that they won’t repeat it.
But Mark is flipping that logic entirely.
He starts by shifting the tone. When people show up to a remediation session, he doesn’t walk in like an authority figure delivering judgment. He walks in smiling... smiling! He treats people like his most important customers... like they matter. He makes it clear from the beginning that this isn’t about impersonal lecturing. It’s about learning, together.
And yes, sometimes it’s even fun. He introduces games, rewards, and recognition. He looks for opportunities to encourage, not embarrass. To reward progress, not penalize imperfection. He might tell a personal story, like the time he fell for a phishing email about Bring Your Dog to Work Day. It’s funny, but it’s also disarming. It levels the field. People stop feeling like they’re under review, and start realizing they’re just people, like all of us, who made a mistake and now have a chance to learn from it.
That kind of environment doesn’t just feel better. It works better. People remember the session. They talk about it. They internalize the red flags. Because it’s no longer something being done to them, it’s something they’re engaged in.
Relatability as a Leadership Skill
One of the most powerful insights from our conversation came from how Mark connects with his audience. He doesn’t just teach security concepts, he brings himself into the room in a way that makes the material feel human. He’s not afraid to admit past mistakes. He models what learning looks like.
And that vulnerability is contagious.
When the person leading the session shares a story about a time they messed up, you can almost feel the room exhale. And what happens next is even more fascinating: even senior leaders in the room start sharing their own stories. That authenticity spreads and suddenly it's not just the "security guy" talking. It’s a collective experience, rooted in shared vulnerability and a common goal.
This isn’t just feel-good storytelling. There’s solid behavioral science behind it. Vulnerability, especially from people in positions of influence, creates psychological safety. And psychological safety is what opens the door for real learning, reflection, and behavior change.
The Champions Program: Focus on the People, Not Headcount
Eventually, our conversation turned to the mechanics of the Champions Program itself. Mark made a point that I think more programs need to hear: the quality of your champions matters far more than the quantity.
It’s not about having a massive list of people who once attended a meeting. It’s about building a connected, energized group of people who believe in what they’re doing and want to support others. His champions aren’t just proxies for security. They’re trusted peers who amplify the culture of care and ownership he’s cultivating.
Mark also talked about the importance of leadership support. It’s not just about getting permission, it’s about active promotion and sponsorship. It’s ensuring security champions are recognized, supported, and given time and space to actually engage in the role.
Mark also mentioned that he brings in guest speakers to keep things interesting, keeping the tone conversational, even playful whenever possible. And he treats feedback as fuel, constantly looking for ways to improve the program instead of defending the status quo.
In other words, he treats the Champions Program like a product. One that’s constantly iterating based on what people need and how they respond.
Applying the Awareness Mindset to Developers
As someone who spends most of his time thinking about secure development practices, I couldn’t help but draw parallels. The carrot-over-stick approach that Mark uses in awareness programs absolutely applies to the developer space as well.
I’ve seen too many cases where developers are shamed for introducing vulnerabilities, as if their intention was to maliciously create insecure code. What happens next is predictable: they become defensive and disengaged. They stop sharing. They stop reporting. And the security posture suffers.
But if we take the time to sit down with them, to genuinely seek to understand, as Mark says, we open up a very different kind of interaction. One where the developer is invited to retrace their steps, reflect on their decisions, and ultimately uncover the problem themselves. That insight, that “aha” moment, is so much more powerful than any externally imposed correction.
And at that point, you’ve won a champion for your cause. One who is now much wiser than before, and because of how you treated them, more motivated to help others avoid similar mistakes.
Final Thoughts: People Are the Solution, Not the Problem
One of the biggest myths in cybersecurity is that people are the weakest link. It gets repeated all the time: in conference talks, vendor slides, even internal meetings. But it’s an unhelpful frame. When we start from the assumption that people are the problem to be solved, we design programs that are reactive, rigid, and disconnected from how people actually think and work.
Mark’s approach challenges that narrative in the best way possible.
He shows that when you trust people, relate to them, and support them with humility and clarity, they respond. They show up. They share. They start to care. Not because they’re forced to, but because they feel part of something.
That’s how effective culture is built: through relationships that compound over time.
Security isn’t about controlling human behavior. It’s about influencing it, and that starts with understanding. Understanding the pressures people face, the constraints they operate under, and the motivations that actually move them.
Mark’s program is rooted in the belief that security is a shared responsibility, and that people don’t need to be perfect to contribute. They just need to be seen, supported, and given the chance to grow.
If we can do that consistently, across our organizations, we’ll not only see fewer incidents; we’ll see more ownership, more collaboration, and more creativity.
And that’s the kind of culture where security doesn’t feel like a tax — it feels like a team effort.
--Dustin Lehr
I started my career as a software engineer and application architect, spending over a decade writing code before transitioning into cybersecurity leadership. Today, I specialize in building security programs that drive real behavioral change—leveraging motivation, psychology, and gamification to create sustainable security cultures.