How to Track Points in a Security Champion Program
- Marisa Fagan
Keeping track of security champions' progress can feel like herding cats, but it doesn't have to be that difficult. One of the most effective methods for tracking champion behaviors is a points system. This scalable approach lets you assign and measure points earned by security champions for completing security-related tasks at work. Not only does it give visible recognition to individual contributions, it also drives adoption of key security behaviors across your organization through an incentive structure. Win-win!
Why Use a Points System?
The goal is to motivate and recognize security champions with a clear structure they can understand. A side benefit is simple measurement data to support your security initiatives: the same data that shows a champion their accomplishments over time also establishes metrics for the program. Points can be tracked manually in a spreadsheet if the group is small enough (< 25 people), but we recommend investing in automation tools to save time once the spreadsheet becomes unwieldy.
For example, security champions are often encouraged to conduct lightweight threat modeling exercises. If the system awarded 100 points for every completed threat model, a champion who completed five could show a hefty score of 500 points to a manager at the end of the year, and the security team could count each reported threat model's points toward the total risk reduction incentivized by the program.
Setting Up Your Program
The consulting team at Katilyst has crafted a template used by companies of all sizes and industries to set up a points tracking system. Here's how you can do it too:
Define Your Vision: Start with a clear picture of what goals you want your Security Champions Program to achieve. For inspiration, check out the Security Champion Success Guide.
Map Your Goals to Behaviors: Identify 10-20 behaviors that align with your program's goals. Think about what behaviors you want to encourage, and how champions can realistically contribute. (Don't get caught up in figuring out how to track the instances of these behaviors just yet...) Check out this template as an example.
Assign Point Values: Be strategic! Actions that are easier or less impactful should have lower point values. Start with trivial actions first, then build up to more complex or valuable tasks.
| Behavior | Points |
|---|---|
| Attend Champion Meeting | 20 |
| Post a Question or Article in Slack Channel | 20 |
| Complete Secure Coding Training | 20 |
| Share What You Learned With Your Team | 30 |
| Report Potential Security or Privacy Concern | 100 |
| Read Security Related Book | 200 |
| Mentor Another Champion | 200 |
| Complete a Threat Model Template | 500 |
Choose Your Tracking Tools: Whether it's a spreadsheet or a more sophisticated tool, decide how you will log points. You will probably need a mix of manual tracking and automated solutions. Automation is easiest for sources that already record the behavior, such as Jira tickets or calendar attendance, where built-in functions can export the events. Another solution is a self-reporting form. Be sure to consider the user experience when building a self-reporting process: if it creates friction, like having to open a web page and fill in a form, reserve it for the most important behaviors.
Plan for Recognition: Rewards don't have to be swag. Consider using the SAPS framework to offer Status, Access, Power, or Stuff as incentives. Make sure champions can see their progress and understand the rewards structure too!
Use SAPS to give a diverse set of rewards to your Security Champions.
Take it to the Next Level: A popular way to organize the recognition for earning points is with a "leveling system". For example, once a champion has earned 200 points for various behaviors, they would level up from a "Green Belt" to a "Blue Belt". Levels make the amount of work a champion has put into the program tangible and provide a fun visual badge of achievement, more so than just a number. Your levels can be named anything you like; this is a great part of the program design to get creative with!
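The steps above (a glossary of behaviors with point values, a mix of automated and self-reported sources, and belt levels at point thresholds) fit in a small ledger script. The following is an added example, not code from the article or from Katilyst's template. It uses the sample point table above; the event records, their `source`/`id` keys, and every belt threshold other than the 200-point Green-to-Blue step are assumptions for illustration. It goes one step beyond the text by de-duplicating events on (source, id), which matters once an automated feed like a Jira export is re-synced, and by rejecting behaviors that are not in the glossary so nobody earns points for an action the program never defined.

```python
"""Points ledger for a security champion program (added example, not from the article)."""
from collections import defaultdict

# Point values taken from the article's sample table (keys are short behavior ids).
POINT_VALUES = {
    "attend_meeting": 20,
    "post_in_slack": 20,
    "complete_training": 20,
    "share_with_team": 30,
    "report_concern": 100,
    "read_book": 200,
    "mentor_champion": 200,
    "complete_threat_model": 500,
}

# Belt thresholds, lowest first. The article only states that 200 points moves
# a champion from Green Belt to Blue Belt; the other thresholds are assumed.
LEVELS = [
    (0, "Green Belt"),
    (200, "Blue Belt"),
    (500, "Brown Belt"),
    (1000, "Black Belt"),
]

# Constructed sample ledger: one row per observed behavior. "source" and "id"
# identify where the event came from so a re-synced feed cannot double count.
EVENTS = [
    {"source": "calendar", "id": "mtg-2024-03-01", "champion": "alice", "behavior": "attend_meeting"},
    {"source": "jira", "id": "SEC-101", "champion": "alice", "behavior": "complete_threat_model"},
    {"source": "jira", "id": "SEC-101", "champion": "alice", "behavior": "complete_threat_model"},  # duplicate from re-sync
    {"source": "form", "id": "f-7", "champion": "bob", "behavior": "report_concern"},
    {"source": "form", "id": "f-8", "champion": "bob", "behavior": "read_book"},
    {"source": "slack", "id": "ts-1700000000", "champion": "bob", "behavior": "post_in_slack"},
    {"source": "form", "id": "f-9", "champion": "carol", "behavior": "complete_cert"},  # not in the glossary
]


def dedupe(events):
    """Drop repeated (source, id) pairs, keeping the first occurrence."""
    seen, unique = set(), []
    for event in events:
        key = (event["source"], event["id"])
        if key not in seen:
            seen.add(key)
            unique.append(event)
    return unique


def score(events):
    """Return (points per champion, rejected events) for a ledger.

    Events whose behavior is not in POINT_VALUES are returned separately rather
    than silently scored, so the glossary stays the single source of truth.
    """
    totals = defaultdict(int)
    rejected = []
    for event in dedupe(events):
        points = POINT_VALUES.get(event["behavior"])
        if points is None:
            rejected.append(event)
            continue
        totals[event["champion"]] += points
    return dict(totals), rejected


def level_for(points):
    """Highest belt whose threshold the point total meets."""
    belt = LEVELS[0][1]
    for threshold, name in LEVELS:
        if points >= threshold:
            belt = name
    return belt


def behavior_counts(events):
    """Program-level metric: how many times each glossary behavior occurred."""
    counts = defaultdict(int)
    for event in dedupe(events):
        if event["behavior"] in POINT_VALUES:
            counts[event["behavior"]] += 1
    return dict(counts)


def leaderboard(events):
    """(champion, points, belt) tuples, highest score first."""
    totals, _ = score(events)
    ranked = sorted(totals.items(), key=lambda item: (-item[1], item[0]))
    return [(champ, pts, level_for(pts)) for champ, pts in ranked]


if __name__ == "__main__":
    for champ, pts, belt in leaderboard(EVENTS):
        print(f"{champ:<8} {pts:>5} {belt}")
    _, bad = score(EVENTS)
    for event in bad:
        print(f"rejected: {event['champion']} claimed unknown behavior {event['behavior']!r}")
    print("threat models completed:", behavior_counts(EVENTS).get("complete_threat_model", 0))
```

With the constructed ledger, alice's duplicated Jira ticket is counted once (520 points, Brown Belt under the assumed thresholds), bob lands at 320 (Blue Belt), and carol's self-reported "complete_cert" is rejected for review because it is not in the glossary. The same `behavior_counts` output gives the program-level metric the article describes (for example, number of threat models completed) without any extra bookkeeping.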
Using Your Points Program Effectively
Here are some pro tips to keep your program running smoothly:
Give Points That Matter: It's fine to award points for security tasks that are just part of the job, but avoid giving credit for meaningless actions. Keep it relevant!
Communicate Clearly: Make sure everyone knows how the program works and why itâs valuable. Create a glossary of the behaviors and their point values.
Set Realistic Goals: Stretch goals are great north stars, but be reasonable with expectations. Start small.
Reward Top Performers: Make recognition consistent and public to keep motivation high. Publish a leaderboard only if your culture supports it.
Review and Refresh: Reevaluate your point values yearly and introduce new actions to maintain engagement over time.
Final Thoughts
The Security Champion Points System isn't just about tracking metrics; it's about fostering a culture of security awareness and rewarding the people who help make it happen. By implementing this strategy, your organization can encourage consistent, proactive security practices without overwhelming your champions, and maintain a program that will stand the test of time.
Ready to give it a go? Let us know how you're tracking your champions' progress!