Reflections on the latest Security Champions Podcast episode
This year was a turning point for the Security Champions Podcast, and for me! I have been fortunate to join Michael Burch as co-host after joining Security Journey earlier this year, and for our last episode we turned a full season of conversations into a highlight reel about the human side of security: where it shines, where it breaks, and where it becomes the glue that holds teams together.
Below is a recap of the moments from the episodes throughout the year that stuck with me, including the lessons I’ll be carrying into next year.
Here they are, episode by episode. Enjoy!
1. Michael Erquitt: AI didn’t “eat” development, it changed the work
Mike and Michael kicked off 2025 with the AI threat landscape and a simple observation that still rings true even now, almost a year later: a growing share of code writing is being handled by AI while engineers spend more time on design, review, and system thinking. That’s exciting, but it can also be concerning. Burch and Erquitt predicted some bumps, and indeed, a few incidents this year had AI’s fingerprints on them.
Takeaway: Treat AI like a talented junior dev that never sleeps: it has amazing velocity, but still needs architectural guidance, guardrails, and review. And if we want resilient systems, our training and processes must now bias toward design literacy, code review, and safe-by-default scaffolding.
Watch the Episode
Read the Blog
2. Adam Bruehl: Medicine’s security reality check
Mike and Adam’s conversation on secure code in medicine hit on a personal level. The tech is breathtaking, but the operational security still isn’t quite where it should be. Hospitals run life-critical workflows on creaky protocols and fragmented systems. They even discussed actual human deaths tied to cyber incidents—stark reminders that safety goes beyond the cyber world and into the physical.
Takeaway: If you’re in healthcare, prioritize threat modeling with clinicians at the table, invest in compensating controls for legacy protocols, and measure outcomes in patient safety as much as technical risk reduction.
Watch the Episode
3. Roger Grimes: Q-Day - the Y2K of crypto
Mike’s conversation with Roger Grimes helped us reframe quantum risk. While Y2K had a date, Q-Day doesn’t. That uncertainty is precisely why we need to move now, before it’s too late: build an inventory of crypto usage in your environment and create a retirement plan for brittle algorithms. Waiting for it to become urgent is a recipe for failure.
Takeaway: Build a post-quantum migration runway as soon as possible. It’s coming sooner than you think. Humans, of course, procrastinate on invisible risks, but leaders can help drive the changes needed to prepare.
Watch the Episode
4. Me and Mike: Soma cubes, nudges, and the real source of engagement
Shortly after officially joining as co-host, Mike and I jumped on an episode and went full behavioral science: intrinsic vs. extrinsic motivation, prompts, and nudges. The point: lasting engagement comes from meaning, autonomy, and progress, not from compulsory checkboxes.
Takeaway: If you want developers to take action, behavior requires motivation + ability + prompts (B=MAP). Give them ownership, make the secure path the easy path, and use timely prompts that help folks get involved in a way that will help them and their team.
Note: You may have heard me talk about this in detail in the past when discussing the eight Octalysis core drives: meaning, accomplishment, creativity, ownership, social influence, scarcity, curiosity, loss avoidance. You must use the right motivator at the right time. Curiosity may hook people initially, but meaning and a sense of purpose keep them engaged. More on Gamification and Octalysis here: https://www.youtube.com/watch?v=8EZY2U8ZhJw&t=1069s
Watch the Episode
5. David Kosorok: Focus on stickiness to mature in security
During my chat with David, he laid out how to make AppSec stick: connect across the org, create visible wins, and make sure leadership understands the impact with honest metrics. His superpower is making people feel real ownership over security outcomes, leading to real culture change.
Takeaway: Show progress, don’t simply talk about it. If your AppSec program can point to fewer production fire drills and faster, safer releases, your “security narrative” writes itself.
Watch the Episode
Read the Blog
6. Jacob Salassi: End-to-end ownership (and no “suffering without agency”)
Jacob’s pragmatism really resonated with me: engineering should own the product end-to-end—testing, security, all of it. What he won’t tolerate is people suffering without agency: being accountable for risks they can’t influence. He also shared how far automation can take threat modeling when you do it thoughtfully.
Takeaway: Align responsibility and control. If you expect secure outcomes, give teams the knobs, the data, and the time to achieve them.
Watch the Episode
Read the Blog
7. Eva Benn: Identity, emotion, and how messages land
Eva connected identity to cybersecurity in a way I won’t soon forget. People remember how you made them feel, not your slide of do’s and don’ts. If we want durable behavior change, we need education that connects with emotion: impactful stories, strong relevance, and a message that reflects the listener’s identity.
Takeaway: Teach to solidify identities. “People like us build secure software like this” is far more powerful than annual “check-the-box” training.
Watch the Episode
Read the Blog
8. Ariel Shin: From breaker to builder and the value of “glue work”
Ariel’s journey from the offensive side to the defensive was fascinating, and I really enjoyed our conversation about glue work: the connective tissue that keeps teams aligned and shipping safely. AppSec teams often are the glue, and we’re in a unique position to spot overlaps between teams and speed up the flow of good ideas across boundaries.
Takeaway: Recognize and highlight the important glue work that AppSec performs, but be careful not to over-index on it as an individual contributor, especially early in your career.
Watch the Episode
Read the Blog
9. Me and Mike: The Security Champion Summit: community has a compounding effect
In this episode, we discussed one of my favorite events of the year: The Security Champions Summit, which connected ~250 people (far beyond expectations!) to share stories, trade ideas, and build community. We offered a behind-the-scenes look at planning and running the event. Not everything went perfectly, but the hard work paid off, and the energy was unmistakable.
Takeaway: Security champion programs thrive when they’re built using the principles of successful communities of practice: regular get-togethers, recognition / incentives, and shared goals that amplify impact.
Watch the Episode
Read the Blog
10. Mark McMillan: Use the carrot, not the stick
We closed the season with Mark, whose security champion program at Rocket hums with both trust and, believe it or not, fun! His energy is inspiring, and his philosophy mirrors my own: ditch shame and build trust by turning honest mistakes into teachable moments, inviting the people who’ve stumbled to join us in becoming long-term advocates.
Takeaway: Psychological safety isn’t just a “nice to have.” It’s a prerequisite for building strong connections, transparency, and learning.
Watch the Episode
Read the Blog
What this year’s episodes solidified for me:
- Security’s greatest opportunity is still people. Central to our strategy in AppSec should be designing experiences that motivate, lower friction, and prompt timely action to effectively reduce risk at our companies.
- Influence beats authority. Those who enable others, align incentives with agency, and measure outcomes that matter to their stakeholders end up being the most successful in our field.
- Champions are how you cross the chasm. Find the allies that exist across our companies, invest in their growth, and build a community that carries the security message farther than we on the security team alone ever could. You can learn more about security champions and how to build your own program here.
To everyone who listened, shared, and showed up—thank you. And to our guests who prepared deeply and gave generously by sharing your experience and insights: you made this season what it was. I can’t wait to build on this momentum next year!
Happy holidays to you all, and here’s to more empathy, more agency, and more secure software built by people who feel proud of the part they play.
Dustin Lehr
I started my career as a software engineer and application architect, spending over a decade writing code before transitioning into cybersecurity leadership. Today, I specialize in building security programs that drive real behavioral change—leveraging motivation, psychology, and gamification to create sustainable security cultures.