The Four Tribes of Security Champions

Marisa Fagan

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

Security Champions programs are not a monolith — there are four distinct program archetypes, and applying the wrong one to a given organizational culture is a primary reason programs fail. Marisa Fagan presents a research-backed framework that maps security culture to program design, arguing that honest self-assessment matters far more than copying best practices from a conference slide.

AI review

Fagan synthesizes Hayden's competing cultures framework and the Cigital CISO tribes research into a four-quadrant program design model that is more intellectually rigorous than most champions program talks. The diagnostic-first approach is the right answer to why champions programs fail. Execution at BSidesSF is competent but the content plays better in a workshop format.
