
Scaling Security Champions Program


We recently had the incredible opportunity to sit down with Bonnie Viteri on the ScaleToZero podcast. As someone who’s constantly thinking about how to make security programs not just effective, but truly understandable and actionable, Bonnie’s insights were a revelation. She possesses a unique knack for bridging the often-wide gap between highly technical teams, executive leadership, and even the nuances of human behavior in risk management. Our conversation with her offered a wealth of invaluable insights into the art and science of building and scaling truly impactful security champion programs.

Leveling up on security champion program

You can read the complete transcript of the episode here.

Our Guest’s Unexpected Path into Cybersecurity

It might surprise you to hear this, but Bonnie’s journey into cybersecurity isn’t what you’d call traditional. She doesn’t have the typical academic background or classical training in the field. Instead, her roots are in behavioral psychology and criminology. So, how did she end up here? It was a blend of transferable skills, a relentless work ethic, and an insatiable curiosity that always led her to ask: “What could possibly go wrong?” That simple question has guided her further than she ever imagined. She’s been incredibly fortunate to learn from some truly remarkable mentors and brilliant minds, absorbing their knowledge and passion. It’s because of them that she can genuinely say she wakes up every morning excited to do what she loves. While many in this domain have academic backgrounds perfectly aligned with it, sometimes, as she’s found, a diverse perspective can be a tremendous asset.

Unpacking the Role of a Security Champion

Our primary focus for the podcast was, of course, the security champion program—specifically, how to build one that genuinely works. Bonnie emphasized that security champions are far more than just a box to tick; they are absolutely essential for building influence and acting as vital ambassadors. Their role is to bridge the understanding between security, development, and even leadership teams.

As Bonnie explained, and reflecting the industry’s evolving view, security champions are essentially members of the development team who extend the reach of the security team. They are the eyes and ears on the ground, often the first to spot potential issues that might need deeper security expertise. While they certainly need to be well-versed in security frameworks and best practices, their core mission is about integration and execution, not merely compliance. They have the unique ability to translate complex requirements, whether from NIST or ISO 27001, into practical, scalable security strategies. This not only enhances overall security posture but also positions security as a genuine competitive advantage. They act as critical conduits to their respective teams, actively supporting the “shift left” initiative by embedding security considerations much earlier in the development lifecycle.

Spotting the Right Talent for a Security Champion

When looking for an ideal security champion, Bonnie stressed that one thing stands out above all else: a genuine passion for security. Sometimes, these individuals naturally emerge, simply because they’ve expressed curiosity about cyber-related topics they’ve stumbled upon. The perfect champion is someone deeply embedded within the development team, possessing a solid understanding of their specific tech stacks. This blend of technical knowledge and a true passion for security allows them to grasp how security concepts directly interact with their team’s goals, processes, and culture. If that passion is there, the rest, as Bonnie noted, can absolutely be taught.

Bonnie vividly remembered her time working with 116 engineers at Yahoo. What she witnessed wasn’t so much unexpected growth, but rather individuals slowly realizing their own “secret powers.” They might have initially harbored doubts or felt unsure about how to approach certain security-related situations.

For example, one champion was technically brilliant in security and infrastructure but struggled with the confidence to present his solutions to leadership. In such cases, a gentle nudge, a bit of focused help, and consistent positive reinforcement can truly empower them. Reminding people of their inherent strengths can have an incredible impact, transforming them into influential forces who can articulate complex ideas clearly, back them with solid facts, and contribute at the highest levels. It’s all about being their cheerleader and providing that crucial push.

And speaking of Yahoo, their security team is famously known as the “Paranoids.” Bonnie shared that this moniker originated way back in 1996 when they first started building the security team, and it just stuck, becoming an iconic brand identity.

The Dynamic Evolution and Far-Reaching Influence of Security Champions

The evolution of a security champion within an organization is a dynamic process, and it varies significantly depending on the specific context. This is something Bonnie observed frequently during her time at Yahoo. By intentionally setting them up for success and equipping them with initial conversation documents that they could easily adapt, she helped them grow into genuine influencers, rather than just “worker bees.” If a program merely aims to offload security tasks onto champions, it’s almost certainly doomed to fail.

Instead, the real key is to understand why champions want to be part of the program and what they hope to learn. Providing them with key talking points for daily stand-ups, crafted responses for leadership about the program’s relevance, and metrics that clearly demonstrate its business alignment and impact—this empowers them. It’s also absolutely crucial to celebrate their achievements, consistently emphasizing that they achieved these milestones, not simply the security team. This approach profoundly fosters their growth and inspires their teams to integrate security into their daily habits. The more you give, the more you undeniably get back, and Bonnie has seen this principle pay dividends tenfold.

The Pillars of a Thriving Security Champions Program

The enduring success of any security champions program, Bonnie explained, rests on several core principles, which, as she’s come to understand, are intrinsically linked to the program’s continuous evolution.

  • Foundational Planning: This initial phase is critical. It involves clearly defining the program’s purpose, identifying the specific need it addresses, securing an enthusiastic executive sponsor, envisioning its ideal end state, and carefully outlining the qualities of the ideal champions sought.
  • Evolutionary Design and Scaling for Purpose: Once that foundational planning is solidly in place, the program transitions into designing itself, optimizing that design for maximum impact, and crucially, scaling for purpose. Scaling for purpose is a true game-changer. When approaching leadership, instead of simply asking for 20% of a team member’s time, it’s strategic to emphasize how the program aligns directly with broader business, product team, and security team objectives. Taking this holistic view allows for defining clear program goals for the year and then strategizing precisely how champions will influence their teams to naturally integrate these goals into their daily workflows. Listening intently to leaders’ current pain points and then proactively offering tangible solutions—that’s how you truly earn their attention and commitment.

Securing executive sponsorship early on is absolutely vital for the program’s success. As an organization naturally expands and matures, the security champion program must also evolve, typically on an annual basis. This necessitates continuous planning, meticulously setting clear success metrics, and consistently communicating those metrics. The buy-in from executive leadership is profoundly significant, and equipping them with concise, high-level information for their own strategic conversations is indispensable. Leading such a program, Bonnie noted, is not for the faint of heart, as security can often, unfortunately, be perceived as a bureaucratic roadblock, leading to inevitable pushback.

Bonnie shared that her North Star for scaling a champions program at Yahoo was the massive migration of all their data from on-premises infrastructure to the cloud. This monumental effort required a stringent security review for every single product. They meticulously structured the program not for champions to conduct these reviews directly, but to empower them to influence the entire process. They provided them with comprehensive training on the review process, delivered targeted security training, and furnished them with every necessary resource. The true measure of success emerged when champions began to genuinely own the process and deeply understood its underlying importance. This demonstrated a clear, measurable return on investment: product teams experienced less friction and faster migration times, resulting in more securely implemented products, and critical security recommendations were seamlessly integrated into their daily workflows. The program became a self-sustaining ecosystem where champions no longer required constant guidance. In contrast, the biggest misstep Bonnie has observed in other programs is the tendency to treat champions merely as task executors rather than empowering them as genuine influencers.

Crafting Programs at Different Scales

While Bonnie hasn’t personally built a security champion program from the ground up at a startup, she can clearly identify two significant differences between established, legacy companies like Yahoo and agile startups. At Yahoo, the program carried a long history, with previous iterations that hadn’t quite hit the mark. Her challenge was to meticulously research why those programs faltered and then shift leadership’s perception by approaching the issues from an entirely different angle.

Startups, on the other hand, often enjoy the advantage of starting “greenfield.” The initial objective is typically to disseminate the foundational message that security is, in fact, everyone’s shared responsibility. From there, you move into meticulous foundational planning: carefully selecting candidates, determining the optimal number of champions based on the organization’s size, and diligently guiding the program through its evolutionary stages. A recurring challenge she has encountered with startups, based on her consulting experience, is the tendency not to allocate sufficient resources to the program lead. If a lead is given only 10% of their time to dedicate, it’s highly probable they’ll only generate a 5% return. The key is to find a truly passionate lead.

Leading a security champions program is a unique and rewarding experience because it allows you to beautifully merge the roles of an individual contributor (IC) and a manager—getting hands-on with the technical aspects while simultaneously leading and inspiring a passionate group.

Orchestrating Security’s Harmony with Business Outcomes

A truly crucial aspect of any successful security champions program, Bonnie stressed, is its direct alignment with overarching business outcomes. This connection is absolutely essential for securing executive buy-in, necessary funding, and critical resources. Her personal “secret sauce” for this, which she playfully calls “witchcraft,” actually boils down to meticulous yearly planning. It involves deeply understanding the business strategy, the product strategy, and the security strategy, and then weaving them together to craft a cohesive program strategy. This demands continuous research and, most importantly, sincere, almost excessive communication. Asking genuine, open-ended questions, even to a CEO about their most pressing pain points, can be incredibly effective. It’s all about speaking their language, understanding their preferred communication styles and their unique challenges, and always, always following up on those issues.

Annual surveys for both security champions and their leaders are an invaluable tool, even when the feedback is challenging to hear. Bonnie shared that her surveys consistently achieved a remarkable 98% response rate because participants knew she genuinely cared about their input and would unequivocally act on their feedback. So, to effectively align with business goals: conduct thorough research, engage in those sometimes difficult but necessary conversations, actively solicit feedback, and consistently present clear success metrics to demonstrate the program’s tangible improvement year over year.

Measuring Progress and Articulating ROI with Clarity

Metrics are the absolute bedrock for demonstrating tangible progress and unequivocally proving ROI, especially for the “non-believers.” As her good friend Dustin Lehr, with whom she’s currently collaborating on a gamification case study, would often ask, “How do we make our security champion programs more data-driven and demonstrate clear ROI for the non-believers?” Bonnie’s answer is always straightforward: to have metrics, you first have to make metrics. This loops us right back to that foundational planning and the cyclical stages of the program: design, grow, engage, implement, execute, and then continuously optimize for the future.

Aligning the program directly with the overall business plan for security, by engaging with CISOs or CTOs as needed, is paramount. Once you have your well-defined metrics, which will undoubtedly vary for every company, program, and unique culture, you need to report them with maximum impact. This involves establishing an executive steering committee comprising key engineering leadership, developers (including non-champions who possess a deep understanding of tech stack needs), security Subject Matter Experts (SMEs), and your executive sponsor, with the CISO as an optional but highly recommended invitee. Sean Zadig at Yahoo, for instance, was incredibly active and consistently attended their end-of-year readouts. Present these metrics using clear, compelling graphs and well-structured decks, always preparing yourself for challenging questions about the baseline and being ready to powerfully demonstrate growth.

Cultivating an Engaging and Evolving Program

A security champions program is never a “set it and forget it” endeavor, Bonnie emphasized; it’s a continuous, dynamic, and cyclical activity. The content itself needs to be refreshed annually to remain relevant to both evolving threat landscapes and the company’s ever-changing needs. Focus intently on the specific threats that are actively targeting your company, whether it’s sophisticated phishing attempts, smishing, or perimeter vulnerabilities, and then meticulously align your program goals accordingly.

Engagement is naturally fostered through consistent touchpoints, regular check-ins, and meaningful one-on-one conversations. With 116 engineers at Yahoo, Bonnie made it a point to know each and every one personally—their individual goals, their aspirations, their dreams, and fundamentally, why they chose to be a part of the program. Nurturing these individual aspirations is absolutely key. As she always advocates, give more than you ask for.

Keeping security champions not just engaged, but genuinely happy, as Anshuman Bhartiya once asked, is entirely about continuously nurturing those relationships. Those 15-minute one-on-one check-ins, while easily pushed aside in a busy day, are precisely where profound relationships are built and sustained. Understand what they want to gain from being in the program. If they express a desire to speak at a conference, actively help them prepare and find opportunities. If they’re aiming for a promotion, guide them through the necessary steps and facilitate discussions with their leaders. If they’re considering a switch to security, help them explore the diverse pillars of the field and provide resources for their research. The more genuine questions you ask and the more dedicated time you invest, the deeper their engagement will become.

Bonnie distinctly recalled one champion who was initially very difficult to engage; she explicitly stated her boss made her join. Over the course of nine months, through consistent check-ins and Bonnie’s genuine interest in her growth, she became a fervent believer in the program’s inherent value. Frankly, challenging individuals can often be a strong motivator for her!

Burnout is a very real concern in our fast-paced tech environment, especially when champions are balancing their primary roles with additional security work. As a lead, the most critical thing you can do is be consistently supportive. Bonnie would always tell champions that if they truly didn’t have time for a security task, they could simply move it to “done” and just let her know why, or she would proactively check in to see if they were okay. Offer empathy, genuine care, kindness, and unwavering support. If a normally active champion suddenly goes quiet, reach out; sometimes, a listening ear is truly all they need.

Recognition, Gamification, and the Power of Community

Recognition and heartfelt appreciation should be the very bedrock of the entire program. These champions are voluntarily dedicating extra time and effort to learn new skills, influence their teams, and step outside their comfort zones. Every single accomplishment, no matter how small, should be enthusiastically celebrated. Elevate their achievements to leadership, shout them out on the company intranet, help them craft compelling resume blurbs, award them LinkedIn badges, or involve them in case studies and further security work if they express interest.

Regarding gamification, Bonnie is genuinely excited to be working on a case study with Dustin Lehr and Katilyst to explore its effectiveness in this context.

Community building should ideally happen organically. Bonnie suggests bringing in topics and speakers that champions genuinely want to hear about—information often gleaned from insightful end-of-year surveys. Consistent chatter in dedicated Slack channels also plays a crucial role in maintaining active involvement. The investment you consistently put in will inevitably yield a significant return. Public recognition is absolutely vital, as it allows others to see the immense value of the program and makes champions feel deeply appreciated for their voluntary efforts.

Cultivating a Security-First Culture Through Collaboration

Ultimately, the enduring success of any security program hinges critically on the organization’s underlying security culture and the seamless collaboration between the security team and all other teams—engineering, leadership, finance, and beyond.

Breaking down existing silos and fostering truly effective collaboration is a multifaceted endeavor. Some teams inherently prefer to work in silos, and certain security efforts, due to their highly sensitive nature, must remain confidential. Understanding your company’s unique culture is paramount. When embarking on a collaborative effort, Bonnie advises asking: Why are we doing this? How will this specific initiative make your team’s life easier? What are the absolute key points we need to convey? What’s the overarching vision we’re working towards? Who absolutely needs to be in the room, and if not them, who would be a highly effective stakeholder?

Bonnie recalled consulting numerous individuals—champions, leaders, cloud SMEs—to prioritize cloud migration security alerts and recommendations. A curious mind, she’s found, goes a very long way, but so does structure. Never schedule a collaborative meeting without a clear, concise agenda; it’s the quickest way to have your efforts overlooked. Earn respect, consistently deliver on your promises, always follow up, be genuinely appreciative, pay it forward, and own your mistakes openly. If something isn’t working, pivot quickly and decisively. Building credibility and political capital are incredibly difficult to obtain but remarkably easy to lose, so unwavering consistency is paramount.

Challenges in fostering collaboration often boil down to one core issue: communication. Programs frequently falter when there’s a profound lack of open communication, or when teams simply assume what others want instead of taking the crucial step of asking directly. Don’t be afraid to be the “squeaky wheel” sometimes, framing your efforts as unequivocally beneficial to others.

Frame it in their language: for leadership, talk about dollars and cents; for product teams, discuss mean time to resolution or their specific development language. It has genuinely taken her a decade to truly learn “engineer speak.” She no longer views these as insurmountable challenges, but rather as exciting opportunities to overcome. As a CTO from Facebook once wisely stated, “communication is the job.” It’s about using the language they understand and appropriate metrics to collaborate with maximum effectiveness.

Bonnie’s Top Recommendation for Continued Learning

For anyone looking to significantly improve their communication skills, particularly when navigating difficult discussions, Bonnie cannot recommend “Crucial Conversations: Tools for Talking When Stakes Are High” by Stephen Covey enough. This book profoundly emphasizes the importance of creating a safe space for open dialogue, genuinely understanding diverse perspectives, and actively collaborating towards common goals. It provides an incredibly powerful and poignant framework for navigating those tough conversations in a way that truly fosters understanding, builds stronger relationships, and consistently leads to superior problem-solving.
