Role, responsibilities, and expectations
Three months into being a Security Champion, a developer was drowning. He'd taken on secret scanning, access reviews, vulnerability patching, policy writing, and incident response. He was putting in long weeks — and most of it wasn't even his actual job.
The team assumed he was handling security. He assumed he had to handle everything. Leadership assumed someone was finally taking care of this stuff. Everyone was wrong.
He burned out. The security improvements stalled. The company was back to square one, except now everyone was afraid to touch the role.
This chapter is about not becoming that person.
The core problem: undefined scope
When a company says "we need a Security Champion," they usually mean "we need someone to make security happen." That's not a role. That's a wish.
Without clear boundaries, you'll absorb every security-adjacent task that nobody else wants. Someone finds a vulnerability? That's your problem. Client asks about our backup policy? Ask the Champion. Suspicious email? Champion will know.
And since security touches everything, "everything" becomes your job.
The fix isn't working harder. It's defining — in writing — what you do and don't do, then getting leadership to agree to it.
What a Security Champion week actually looks like
Forget the job description. Here's what Champions typically spend time on:
Monday: Review PRs from last week, flag anything that stores credentials insecurely or opens unnecessary ports. Takes 30 minutes. Send a Slack message about a dependency update that's been sitting for two weeks.
Tuesday: Quarterly access audit day. Pull the list of who has access to production, AWS, and GitHub admin. Compare to current employees. Find three people who left months ago and still have access. Create tickets to remove them.
Wednesday: Join the architecture discussion for a new feature. Ask two questions about how auth tokens will be stored. Nobody had thought about it. Good — now they will.
Thursday: Someone asks about a phishing email. It's real phishing. Help them report it, reset their password, check if they clicked anything. Write a 3-line Slack post warning others.
Friday: Update the SaaS inventory with two tools someone started using. Check if the backup recovery test happened this month (it didn't). Ping the person responsible.
Total dedicated security time: maybe 4-5 hours. The rest of the week, you're doing your actual job. That's sustainable. That's the goal.
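The Tuesday access audit, as an added example that is not part of the chapter: a short Python pass that compares each system's account export against the HR roster and emits one removal ticket per leaver. The system names, email addresses and the service-account allowlist are constructed sample data, not real exports.

```python
# Added example (not from the chapter): the quarterly access cleanup described above,
# cross-checking each system's account export against the HR roster and producing
# one removal ticket per ex-employee. All data below is constructed sample input.

def normalize(email):
    """Exports from different consoles disagree on case and whitespace; compare on a canonical form."""
    return email.strip().lower()

# Constructed roster of current employees (work emails), as HR would export it.
CURRENT_EMPLOYEES = {"ana@example.com", "ben@example.com", "cy@example.com"}

# Constructed per-system exports of who currently has access. Note the mixed-case entry,
# which a naive string comparison would wrongly report as a stale account.
SYSTEM_ACCESS = {
    "production": ["ana@example.com", "dan@example.com", "ben@example.com"],
    "aws": ["ana@example.com", "eve@example.com", "Ben@Example.com ", "svc-deploy@example.com"],
    "github_admin": ["cy@example.com", "dan@example.com"],
}

# Non-human accounts that are expected to stay; without an explicit allowlist the
# deploy account would be flagged every quarter and the report would start being ignored.
SERVICE_ACCOUNTS = {"svc-deploy@example.com"}


def find_stale_access(employees, system_access, service_accounts):
    """Return {system: sorted accounts} for every account that maps to nobody on the roster."""
    known = {normalize(e) for e in employees} | {normalize(s) for s in service_accounts}
    stale = {}
    for system, accounts in system_access.items():
        orphaned = {normalize(a) for a in accounts} - known
        if orphaned:
            stale[system] = sorted(orphaned)
    return stale


def ticket_lines(stale):
    """Group by person so each leaver gets one ticket listing every system they can still reach."""
    by_person = {}
    for system, accounts in stale.items():
        for account in accounts:
            by_person.setdefault(account, []).append(system)
    return [f"Remove {person} from: {', '.join(sorted(systems))}"
            for person, systems in sorted(by_person.items())]


if __name__ == "__main__":
    for line in ticket_lines(find_stale_access(CURRENT_EMPLOYEES, SYSTEM_ACCESS, SERVICE_ACCOUNTS)):
        print(line)
```

Each console's real export format differs, so in practice the lists in SYSTEM_ACCESS come from a CSV or API dump per system; the comparison logic stays the same.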
The two things you actually do
Strip away the job descriptions and frameworks, and Champions do two things:
1. Notice things other people miss.
You're looking at the same PRs, the same infrastructure, the same Slack channels as everyone else. But you're asking different questions. "Where do these credentials come from?" "Who can access this?" "What happens if this service goes down?"
That's not extra work. It's a lens you apply to work you're already doing.
2. Make sure security tasks don't get forgotten.
The access review that's been on the backlog for six months? You're the one who keeps bringing it up. The MFA rollout that stalled? You're asking what's blocking it. The backup that hasn't been tested? You're scheduling the test.
You don't have to do all these tasks yourself. You have to make sure they happen.
Setting boundaries that stick
Here's a template you can actually use. Fill this in and share it with your manager or CTO:
I will:
- Review PRs for obvious security issues (secrets, auth problems, exposed data)
- Maintain a list of who has access to what
- Run a quarterly access cleanup
- Keep the SaaS inventory updated
- Make sure our security scanners are running and someone looks at the results
- Answer security questions from the team
- Run one 15-minute training per month
- Write simple policies when we need them
I won't:
- Be responsible for all security in the company
- Fix every vulnerability myself (I'll make sure they get fixed)
- Write compliance documentation for ISO/SOC2 (we need a consultant for that)
- Handle legal questions about data privacy
- Manage incidents alone (I'll coordinate, not execute)
I need:
- 4 hours per week dedicated to Champion tasks
- Authority to create security-related tickets
- Access to admin consoles for audit purposes
- Support from leadership when I flag risks
We'll review this quarterly.
Get this agreed in writing. When scope creep starts — and it will — you have something to point to.
How to say no without burning bridges
Champions who can't say no don't last. But saying no badly creates enemies.
When someone asks you to fix something yourself:
Don't say: "That's not my job."
Say: "I can help figure out the right approach, but someone from the team should implement it. Want me to write up what needs to happen?"
When leadership piles on tasks:
Don't say: "I don't have time for this."
Say: "I can take this on, but something else has to come off my plate. Which of these current tasks should I pause?"
When a security issue feels urgent but isn't:
Don't say: "This isn't a real priority."
Say: "This is real, but here's how it compares to the other things we're tracking. Want to reprioritize?"
The pattern: acknowledge, redirect, offer an alternative. You're not blocking — you're helping people think through what they're asking.
The Champion is not the security team
This is worth repeating because it's the most common failure mode.
A Security Champion is a force multiplier. You make the team more aware, help catch problems earlier, and keep security tasks from falling through the cracks.
You're not a security team of one. If the company needs:
- A penetration test → hire a consultant
- SOC 2 certification → hire a compliance firm
- 24/7 incident response → that's a full-time role (or several)
- Complex threat modeling → bring in expertise
Your job is to handle the 80% of security work that doesn't require deep expertise. The other 20% needs specialists. Knowing which is which is part of the role.
A week that went wrong (and how to fix it)
Here's what an overloaded Champion week looks like:
Monday: Wake up to three Slack messages about different security concerns. Spend the morning triaging instead of doing planned work.
Tuesday: Discover a critical CVE in a library you use. Drop everything to patch it across four repositories.
Wednesday: Leadership asks for a security assessment for a client meeting tomorrow. Stay late writing something.
Thursday: Access review was supposed to happen. Postponed because you're still dealing with CVE fallout.
Friday: Someone reports a potential breach. Spend the day investigating. Miss dinner with friends.
What went wrong? Everything was treated as urgent and everything landed on one person.
The fix:
- Triage ruthlessly. Not every security issue is drop-everything urgent. Most can wait a day or two.
- Delegate implementation. You found the CVE — great. The team patches it. That's their job.
- Push back on surprise deadlines. A security assessment for tomorrow's meeting? That needed a week's notice.
- Schedule the important stuff. Access review goes on the calendar. It happens even when fires are burning.
Building the role profile with your team
Don't create your role definition alone. You need buy-in from the people who will work with you.
Here's a simple process that works:
Step 1: List what's broken (15 minutes)
With your team lead or CTO, answer:
- Where do we have obvious security gaps?
- What security tasks keep getting postponed?
- What questions does nobody know how to answer?
Write everything down. Don't filter yet.
Step 2: Split into three buckets (10 minutes)
| Bucket | Meaning |
|---|---|
| Champion handles | Straightforward, recurring, doesn't need deep expertise |
| Champion coordinates | Multiple people involved, Champion keeps it moving |
| Needs external help | Too complex, too specialized, or too much liability |
Be honest. Most Champions try to put too much in buckets one and two.
Step 3: Pick your first quarter's tasks (10 minutes)
Choose 5-7 things from the first two buckets. These are your Champion responsibilities for the next three months.
Everything else? Explicitly out of scope. Write it down.
Step 4: Get sign-off
Send the list to your manager or CTO. Get a written "yes, this is the scope."
Now you have something to point to when requests come in that don't fit.
Artifact: your role definition document
Here's a template to fill out:
Security Champion Role Definition
Name: [Your name]
Team: [Your team]
Time commitment: [X] hours per week
Reporting to: [Manager/CTO]
Primary responsibilities (this quarter):
- [Specific task]
- [Specific task]
- [Specific task]
- [Specific task]
- [Specific task]
Coordination responsibilities:
- [What you'll keep track of but not do yourself]
- [What you'll remind others about]
Explicitly out of scope:
- [What you won't do]
- [What needs external help]
Support needed:
- [Access/tools/time/authority you need]
Review date: [Date for next scope review]
What success looks like
After three months with clear role boundaries, you should see:
- Security tasks getting done without crisis mode
- The team handling more security work themselves (because you trained them)
- Fewer "Champion, can you handle this?" requests for things outside your scope
- Leadership understanding what you do and don't do
- You still having energy for your actual job
The goal isn't perfect security. The goal is sustainable progress. That requires boundaries.
Conclusion
The Security Champion role fails when it becomes "do all the security." It works when it becomes "help the team do security together."
Your job is to define clear boundaries, get agreement from leadership, and defend those boundaries when scope creep starts. The role profile document is your tool. Use it.
Next chapter: how this role accelerates your career — and what paths it opens up.