What is a Security Champion

You've probably noticed the pattern. A developer commits an AWS key to GitHub. Someone clicks a phishing link. An ex-employee still has admin access three months after leaving. The staging server hasn't been patched since 2022.

Everyone knows these things are problems. Nobody has time to fix them. The CTO is busy with product. The team leads are buried in sprints. And hiring a security specialist? That's a six-figure salary you don't have.

This is where the Security Champion model comes in. You take someone already on the team — a developer who's curious about security, a DevOps engineer who's tired of cleaning up messes, a sysadmin who keeps noticing vulnerabilities — and you give them permission and time to actually do something about it.

Not a full-time security role. Just a few hours a week, with clear scope and management support. That's enough to close the biggest gaps and build habits that stick.

Signs your company needs a Security Champion

You probably need one if any of these sound familiar:

  • Nobody knows which SaaS tools the company actually uses
  • Former employees might still have access to production systems
  • Secrets live in Slack messages, shared docs, or .env files in repositories
  • The last security discussion was "we should really do something about that"
  • You've lost a deal because you couldn't fill out a vendor security questionnaire
  • Everyone uses the same password for the shared admin account
  • Backups exist but nobody has tested if they actually restore

If you recognized three or more of these, you're running on luck. A Security Champion can turn that around.

What a Security Champion actually is

A Security Champion is a technical employee who takes on security as an additional responsibility. Not their main job — an extension of it. They spend a few hours a week on security tasks, act as the first point of contact for security questions, and help the team build better habits.

The key word is "practical." Champions aren't security experts writing academic policies. They're engineers who understand the product, know the team's workflow, and can implement changes that actually get adopted.

What they do:

  • Implement quick fixes: MFA everywhere, secrets out of code, access reviews
  • Spot risks in pull requests and infrastructure changes
  • Translate security requirements into tasks developers understand
  • Run short training sessions (15 minutes, not 2 hours)
  • Write policies people actually read (one page, not twenty)
  • Know when to escalate and when to handle things themselves

What they don't do:

  • Take responsibility for all security in the company
  • Replace a security team or consultant for complex issues
  • Conduct penetration tests or formal audits
  • Make compliance decisions alone
  • Fix every vulnerability personally

The role works because it's bounded. A Champion who tries to do everything burns out within months. A Champion with clear scope can sustain the work for years.

Why SMB companies are attacked more, not less

There's a persistent belief that attackers focus on big targets. Banks, retailers, government agencies. Why would anyone bother with a 30-person startup?

Here's why: they're not bothering with you specifically. They're scanning the entire internet.

Automated tools run 24/7, looking for open ports, known vulnerabilities, leaked credentials. They don't check company size. They don't care about revenue. They just exploit whatever they find.

And when they find something, small companies are easier to compromise:

No monitoring. Large companies have security operations centers watching for suspicious activity. You probably don't look at your logs at all.

Weak authentication. Enterprises have mandatory MFA, SSO, and password policies. You have a shared Google account with a password someone set in 2019.

No incident response. When something goes wrong, enterprises have playbooks. You have panic.

Valuable data anyway. Customer databases, API keys, cloud credentials, GitHub tokens — all sellable. Your 500 customers are worth money to someone.

The uncomfortable reality: small companies aren't too small to be targets. They're the preferred targets because they're easier.

What changes when you have a Security Champion

Let me describe two versions of the same company.

Without a Champion: Developer commits AWS credentials. Nobody notices for three days until the $12,000 bill arrives. Panic. Manual cleanup. Nobody knows if the attacker did anything else. No process changes afterward — everyone's too busy with the next sprint.

With a Champion: git-secrets runs on every commit and blocks the push. Developer gets a helpful error message explaining what happened. The Champion has already written a doc on how to rotate credentials. Incident avoided. No drama.
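To make the "blocks the push" step concrete, here is an added example written for this chapter, not git-secrets itself: a POSIX shell function that scans a staged diff for strings shaped like AWS access key IDs and fails when one is found, so a pre-commit hook can stop the commit. The sample diffs and the key in them are constructed and not real credentials.

```shell
#!/bin/sh
# Added example: a minimal pre-commit style check in the spirit of git-secrets.
# It scans a diff (normally the output of `git diff --cached`) for strings
# shaped like AWS access key IDs and returns non-zero if any are found, so a
# hook can block the commit before the secret ever reaches the remote.

# Access key IDs are 20 characters: AKIA (long-lived IAM keys) or ASIA (temporary
# STS keys) followed by 16 upper-case alphanumerics. The 40-character secret key
# is too generic to match reliably, so the access key ID is the signal we use.
# Portable ERE: no \b, so the boundaries are spelled out explicitly.
AWS_KEY_ID_PATTERN='(^|[^0-9A-Za-z])(AKIA|ASIA)[0-9A-Z]{16}([^0-9A-Za-z]|$)'

# Reads a unified diff on stdin. Only added lines ("+") can introduce a new
# secret, so removed lines and the "+++" file header are skipped.
# Prints each offending line to stderr. Returns 0 if clean, 1 if a key was found.
scan_diff_for_aws_keys() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            '+++'*) continue ;;
            '+'*)
                if printf '%s\n' "$line" | LC_ALL=C grep -Eq "$AWS_KEY_ID_PATTERN"; then
                    printf 'blocked: possible AWS access key ID in added line: %s\n' "$line" >&2
                    found=1
                fi
                ;;
        esac
    done
    return "$found"
}

# What the real hook (.git/hooks/pre-commit) would run; not called here.
precommit_hook() {
    git diff --cached --no-color | scan_diff_for_aws_keys
}

# Constructed sample diffs. The key below is not a real credential.
DIFF_WITH_KEY='diff --git a/.env b/.env
--- a/.env
+++ b/.env
+DB_HOST=localhost
+AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678'

# Removing a key and replacing it with a reference is fine; only additions block.
DIFF_REMOVING_KEY='diff --git a/.env b/.env
--- a/.env
+++ b/.env
-AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}'
```

Run `printf '%s\n' "$DIFF_WITH_KEY" | scan_diff_for_aws_keys` to see the block message; wire `precommit_hook` into `.git/hooks/pre-commit` to enforce it on every commit.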

Or consider client security questionnaires. Without a Champion, these are terrifying. Does the company have MFA? Who knows. Access review process? We should probably have one of those. Incident response plan? Let me write something real quick...

With a Champion, you have answers. Not perfect answers — nobody expects ISO 27001 from a 40-person company — but honest answers backed by actual practices. You win deals you would have lost.

Real examples

The $8,300 wake-up call

A 12-person startup. A developer accidentally pushed AWS keys to a public repository. The company had no secret scanning, no alerts, nothing.

Within 24 hours, someone found the keys and spun up EC2 instances for crypto mining. The bill: $8,300.

After the incident, the company's most security-aware developer volunteered to become their Champion. First week: git-secrets installed everywhere, GitHub MFA mandatory, key rotation documented. Total cost: zero dollars and about 6 hours of work.

Two years later, they've had zero credential leaks.

The lost contract

A 35-person agency competed for a $50,000/year contract with an enterprise client. The security questionnaire asked basic questions: Do you use MFA? Do you have an access review process? Do you test backups?

The honest answers were no, no, and no.

They lost the deal. The client went with a competitor who could answer yes.

The agency's senior developer took on the Champion role. Two weeks of focused work: MFA on all critical systems, quarterly access review calendar, backup testing documented. They won the next similar deal.

The ransomware that didn't hurt

A 20-person design studio got hit by ransomware through a phishing email. Half their files were encrypted.

But their Champion had implemented the 3-2-1 backup rule: three copies, two different media, one offsite. And — critically — they'd tested restoration twice.

Recovery took 40 minutes. The company lost less than a day of work. Without backups, they would have lost months of client projects.

Talking to leadership

Security Champions often struggle here. Technical problems feel solvable. Convincing leadership feels political.

But it's simpler than you think. Don't talk about security. Talk about money and risk.

Arguments that work:

  • "We can't win enterprise deals without basic security measures. Here's an example where we lost."
  • "A credential leak last year cost a similar company $15k. We have the same vulnerability right now."
  • "I can fix our three biggest security gaps with 4 hours per week. Zero additional cost."
  • "Clients are starting to ask for SOC 2. We're not ready. I can get us closer."

Arguments that don't work:

  • "We should improve our security posture."
  • "Best practices recommend..."
  • "Other companies are doing this."

Be specific. Be concrete. Tie everything to business outcomes.

Workshop: your elevator pitch

Before you approach leadership, you need a 60-second explanation of why the company needs a Security Champion and why it should be you.

Use this structure:

Problem: "We have [specific gap] that creates [specific risk]."

Example: "Last month we couldn't answer basic questions on a client security form. We might be losing deals we don't even know about."

Solution: "A Security Champion — someone who spends a few hours a week on security basics."

Ask: "I'd like to take this on. I need [X hours/week] and support from [leadership/IT/whoever]."

Write your version. Practice it out loud. Time it — if it's over 90 seconds, cut something.

Your assignment

  1. Identify two specific security gaps in your company (not abstract — concrete)
  2. Connect each gap to a business risk (money, reputation, deals, time)
  3. Write your 60-second pitch
  4. Find someone to practice on before you deliver it for real

Conclusion

Small companies don't need perfect security. They need someone paying attention. Someone who closes the obvious gaps, builds basic processes, and catches problems before they become incidents.

That's what a Security Champion does. It's not a full-time job. It's not a career change. It's a developer or ops engineer who cares enough to make things better, a few hours at a time.

If you're reading this and thinking "that sounds like something I could do" — you're probably right. The next chapter covers what the role actually looks like day-to-day, and how to define boundaries so you don't burn out.