Recognizing and rewarding security champions

Tanya Janca
July 14th, 2024

If you've ever read the book The 5 Love Languages, or articles summarizing the 5 love languages, then you are aware that there are predictable patterns of how people respond to various acts of kindness. Someone's “love language” is the specific type of kindness that they are most affected by. For example, someone whose love language is “words of affirmation” would respond very well to receiving a glowing performance review, a compliment on a new article of clothing, or accolades from their colleagues about a project they worked on.

The previous article in this series is Teaching Security Champions.

You may be wondering at this point if you accidentally clicked on an article from a women's fashion magazine, not a technical article from We Hack Purple. But please have a bit more faith, and read on.

The 5 love languages are:

  1. Gifts

  2. Words of Affirmation

  3. Physical Affection

  4. Spending Quality Time

  5. Acts of Service

Security Champions at work!

When we are creating a security champions program, it's very important that we ensure the champions feel appreciated. We don't want them to feel squished into doing two jobs for only one paycheck. One of the biggest challenges that security teams face when creating a champions program is having it fall apart after the first few months, either due to the security team losing steam or the champions losing interest. We need them to feel very aware of our gratitude, and interested in the program itself, for them to continue to want to serve the security team's agenda.

As you likely already figured out, not all the love languages listed above are work appropriate. We can't run around giving hugs or holding hands with other employees. That said, we can adopt most of them for work situations, so that we can show the champions they matter to us, in appropriate ways, that support our security program.

Below is a non-exhaustive list of several ideas to make your champions feel as valuable as you know they are for your program.

  1. (Security Related) Gifts

  • Physical or digital security-related gifts – books, videos, training, CTFs, perhaps a copy of Alice and Bob Learn AppSec?

  • Create a Certificate to put on their wall.

  • Stickers, posters or any other decoration that is security focused.

  • Tickets to a conference or training.

  2. Words of Affirmation

  • Make sure to put a note in their performance review about them being a champion.

  • Tell their boss every time they do something that makes a big difference.

  • Send them an email when they do something big, to let them know that YOU saw.

  • Recognize them in front of their peers (special virtual background, star on their name in Slack, etc.)

  • Digital badges for signature blocks.

  3. Physical Affection

  • High Fives are the only recommended form of physical affection that you should show another employee. High fives signal success, and your approval of whatever they just did.

    • *** And only do this if you are confident that the employee is comfortable. Please be mindful that some religions and cultures do not allow those of the opposite sex to touch each other and be respectful if this applies. Never push physical touching at work.

  4. Spending Quality Time

  • Giving them your time is a reward. When you do, give them your undivided attention (put your phone away), and turn your body towards them.

  • Let them see a new tool first, give them a “sneak preview” ahead of everyone else.

  • Let them help you make decisions. Ask for advice from them and feedback, then take it seriously.

  • Invite them to attend security events with you.

  • Whenever you meet with them, this is quality time. Ask them: What are you working on? What are you going to work on next? Do you need any help?

  5. Acts of Service

  • Help them with more than just security. Are you good at design? Help them with it! Are you great at presentations? Offer to let them practice in front of you. You don't need to do this very often, just once can make a huge impression.

  • Make introductions, where appropriate. “Oh yeah, Chris from QA uses that tool, I'll introduce you so you can learn.”

  • Find answers they need to security questions and problems. Never leave them hanging.

When people feel appreciated and valued at work, they work harder (many studies show this to be true). Your champions already have full-time jobs on other teams; they are going above and beyond for you. Let them know that you see it, and show them with your actions, not just your words. See more in the post about (over)communication with your security champions.
