Building a Security Champions community
One Security Champion can start a security program. But one person can't scale across an entire company. To truly embed security into every team, you need a network of champions—people who advocate for security in their own teams while you coordinate the overall effort.
This chapter covers how to grow from "I am the Security Champion" to "We have Security Champions."
Why a community matters
The scaling problem
As a single Security Champion, you face limits:
| Challenge | Reality |
|---|---|
| Capacity | You can review some code, not all code |
| Coverage | You can't be in every team's planning meeting |
| Context | You don't know every team's tech stack deeply |
| Availability | You take vacation; security questions don't stop |
| Trust | Being the "security person" creates distance |
A network of champions solves these:
- Security presence in every team
- Domain expertise in each area
- Distributed capacity for reviews
- Continuous coverage
- Local trust and relationships
The force multiplier
With 5 Security Champions across a 100-person company:
- Every developer has a champion they can reach in their team
- Security reviews happen within teams, not as external gates
- Security becomes "how we work" not "what that team does"
- You shift from doing security to enabling security
What is a Security Champion (in a network)?
In a network model, champions are volunteers who:
| Responsibility | Time commitment | Support needed |
|---|---|---|
| Be the security point of contact for their team | 1-2 hrs/week | Training, escalation path |
| Participate in security code reviews | As needed | Review guidelines, tools |
| Raise security in planning and design | During normal work | Threat modeling templates |
| Attend champion community meetings | 1 hr/month | Facilitation, content |
| Share security updates with their team | 15 min/week | Curated updates to share |
| Report security concerns and incidents | As needed | Clear reporting channel |
| Be an advocate, not an enforcer | Ongoing | Cultural support |
Total commitment: 10-20% of their time, not a full-time role.
Champions vs. security team
| Security Champion | Security team (if you have one) |
|---|---|
| Part-time, embedded in their team | Full-time security focus |
| Domain expertise in team's area | Broad security expertise |
| First point of contact for team | Escalation point for champions |
| Knows team's priorities and constraints | Sets company-wide standards |
| Advocate and enabler | Policy owner and enforcer (when needed) |
In small companies without a security team, the original Security Champion (you) takes on the coordinator role while other champions handle team-level work.
Recruiting champions
Who makes a good champion?
Look for:
- Interest in security — They ask security questions already
- Respect from peers — Their team listens to them
- Technical competence — Strong engineer/operator
- Communication skills — Can explain, not just dictate
- Willingness — This is volunteer work; enthusiasm matters
Don't recruit:
- People who just want a title
- Those mandated by their manager
- Junior developers (not enough context yet)
- People too busy with other responsibilities
Recruitment approaches
Approach 1: Open call
Send an announcement describing the program and inviting volunteers:
Subject: Security Champions Program — Join Us
Hi team,
We're building a network of Security Champions across the company.
Champions are engineers who help their teams build secure software
and are the first point of contact for security questions.
What you'll do:
- Be your team's security point of contact
- Participate in security code reviews
- Raise security in design discussions
- Join monthly champion meetings
What you'll get:
- Security training and certifications
- Direct line to security resources
- Recognition as a security leader
- Skills valuable for career growth
Time commitment: ~10% of your time (4 hours/week)
Interested? Reply to this email or talk to [Security Champion name].
Approach 2: Targeted recruitment
Identify individuals you've noticed asking good security questions or showing security awareness. Approach them directly:
"I've noticed you often bring up security in code reviews. We're building a Security Champions network, and I think you'd be great for it. Interested in learning more?"
Approach 3: Manager nomination
Ask team leads to nominate candidates. This ensures manager buy-in but may produce reluctant volunteers. Always verify the nominee is genuinely interested.
Getting manager buy-in
Champions need time from their regular duties. Get manager support upfront:
Subject: Security Champions Program — Time Commitment
Hi [Manager],
[Employee name] has expressed interest in becoming a Security Champion.
This involves:
- ~4 hours/week for security activities
- Monthly 1-hour champion meetings
- Quarterly half-day training
In return, [team] gets:
- Embedded security expertise
- Faster security reviews (internal, not external gate)
- Reduced risk of security issues reaching production
- A team member with growing security skills
Can we count on your support for [Employee]'s participation?
Training new champions
New champions need to be effective, not just enthusiastic.
Champion onboarding program
Week 1-2: Foundations
- Company security policies and procedures
- Current security program overview
- Key tools and how to access them
- Escalation paths and contacts
Week 3-4: Technical skills
- Secure code review basics
- Common vulnerability patterns (OWASP Top 10)
- How to use security scanning tools
- Threat modeling introduction
Week 5-6: Soft skills
- How to give security feedback constructively
- Handling pushback from developers
- Balancing security with delivery
- When to escalate vs. handle locally
Week 7-8: Practical application
- Shadow existing champion in reviews
- Conduct first reviews with supervision
- Present at first community meeting
- Pair on a security improvement
Onboarding checklist
## Security Champion Onboarding
Champion name: [Name]
Team: [Team]
Start date: [Date]
Mentor: [Existing champion]
### Week 1-2: Foundations
- [ ] Read security policies and handbook
- [ ] Get access to security tools (list tools)
- [ ] Meet with Security Champion coordinator
- [ ] Understand incident reporting process
- [ ] Review recent security incidents/findings
### Week 3-4: Technical skills
- [ ] Complete OWASP Top 10 training
- [ ] Learn to run SAST/DAST tools
- [ ] Practice vulnerability identification
- [ ] Introduction to threat modeling
### Week 5-6: Soft skills
- [ ] Read "Giving constructive feedback" guide
- [ ] Discuss common champion challenges with mentor
- [ ] Role-play difficult conversations
### Week 7-8: Practical application
- [ ] Shadow 3 security reviews
- [ ] Conduct 2 reviews with mentor support
- [ ] Participate in first community meeting
- [ ] Complete one security improvement for team
### Graduation
- [ ] Champion confirmed comfortable with role
- [ ] Mentor sign-off
- [ ] Added to champions communication channels
- [ ] Announced to company
Training resources for champions
| Topic | Resource | Format |
|---|---|---|
| OWASP Top 10 | OWASP Top 10 Project | Free, web |
| Secure coding | OWASP Secure Coding Dojo | Free, hands-on |
| Code review | OWASP Code Review Guide | Free, PDF |
| Threat modeling | Threat Modeling Manifesto | Free, web |
| Security Champion role | OWASP Security Champions Guide | Free, web |
| Practical training | PortSwigger Web Security Academy | Free, hands-on |
| Certifications | CompTIA Security+, GIAC | Paid |
Internal training development
Create company-specific training:
## [Company Name] Security Champion Training Curriculum
### 1: Our Security Program (2 hours)
- Company security policies
- How we handle incidents
- Our tech stack security considerations
- Key contacts and escalation
### 2: Code Review for Security (4 hours)
- Using our SAST tools
- Common issues in our codebase
- Review workflow and SLAs
- Giving feedback effectively
### 3: Threat Modeling (3 hours)
- When to threat model
- Our threat modeling template
- Workshop: Model a feature
### 4: Champion Scenarios (2 hours)
- Role-play: Developer pushback
- Role-play: Balancing speed and security
- Role-play: Escalating to security team
Running the champion community
A community needs care and feeding to stay active.
Community structure
Program Coordinator (you / original Security Champion / CISO) — coordinates, trains, and supports champions across teams.
Each team has a dedicated Champion who works directly with their team's developers. The coordinator doesn't need to be in every team conversation — champions handle security locally and escalate when needed.
Monthly champion meetings
Regular meetings keep the community connected. A one-hour meeting each month works well.
Meeting agenda template:
## Security Champions Monthly — [Date]
### 1. Updates from coordinator (10 min)
- Company security news
- New policies or tools
- Upcoming initiatives
### 2. Metrics review (5 min)
- Vulnerabilities by team
- Review completion rates
- Incident summary
### 3. Knowledge sharing (20 min)
- Rotating: one champion presents a topic
- Recent interesting finding
- New technique or tool
### 4. Challenges and asks (15 min)
- What's blocking you?
- What support do you need?
- Cross-team issues to discuss
### 5. Open discussion (10 min)
- Questions
- Suggestions for program improvement
Communication channels
| Channel | Purpose | Frequency |
|---|---|---|
| #security-champions (Slack) | Champion-to-champion chat | Ongoing |
| #security-general (Slack) | Anyone with security questions | Ongoing |
| Monthly meeting | Formal sync and training | Monthly |
| Champion newsletter | Updates, curated reading | Bi-weekly |
| Champions wiki/docs | Procedures, templates, resources | As updated |
Keeping champions engaged
Champion burnout is real. Combat it with:
Recognition:
- Call out champions in company announcements
- Celebrate security improvements they drive
- Include in performance reviews (with manager)
- Champion of the quarter/year awards
Growth:
- Fund certifications and training
- Send to security conferences
- Invite to architecture reviews
- Path to senior roles or security team
Value:
- Make their work visible to leadership
- Ensure their feedback shapes policy
- Give them early access to new initiatives
- Ask for their input on security decisions
Community:
- Social events (virtual or in-person)
- Shared learning opportunities
- Cross-champion pairing on projects
- Annual in-person gathering (if remote)
Dealing with inactive champions
Sometimes champions go quiet. Handle this gracefully:
First: Check in privately. Is everything okay? Are they overloaded? Has interest waned?
If capacity issue: Reduce expectations or find a temporary replacement. Being a champion isn't forever.
If interest issue: Thank them for their service and transition out. Find a new champion for their team.
Never: Shame inactive champions. Life happens. Make it easy to step back gracefully.
Scaling the program
From 1 to 5 champions
Phase 1: Establish credibility (alone)
- Prove the concept works
- Build initial processes and documentation
- Create the "champion toolkit"
Phase 2: Recruit 2-3 more
- Start with most security-aware teams
- Onboard and train personally
- Iterate on training based on feedback
Phase 3: Build the community
- Start monthly meetings
- Create communication channels
- Develop knowledge-sharing cadence
From 5 to 15+ champions
Scale challenges:
- You can't onboard everyone personally
- Inconsistent champion quality
- Community becomes impersonal
- Coordination overhead grows
Solutions:
- Tiered structure:
  - Senior champions mentor new ones
  - Regional/department champion leads
  - Reduce your direct reports
- Self-serve training:
  - Recorded onboarding modules
  - Self-paced exercises
  - Mentor assignment, not personal onboarding
- Specialized roles:
  - Some champions focus on code review
  - Others on cloud security
  - Others on incident response
- Metrics and accountability:
  - Track champion activity (reviews, escalations)
  - Identify and address gaps
  - Celebrate high performers
Measuring community success
| Metric | How to measure | Target |
|---|---|---|
| Coverage | % of teams with a champion | 100% |
| Activity | Reviews per champion per month | >2 |
| Engagement | Meeting attendance | >80% |
| Quality | Issues found by champions | Trend up |
| Retention | Champions staying >1 year | >70% |
| Satisfaction | Champion survey scores | >4/5 |
Common challenges
"Nobody wants to be a champion"
Possible causes:
- Security seen as thankless
- No time given by managers
- No clear value proposition
Solutions:
- Make benefits clear (career growth, recognition)
- Get leadership to mandate protected time
- Start with one or two enthusiastic volunteers
- Make early champions visibly successful
"Champions don't do anything"
Possible causes:
- Unclear expectations
- No accountability
- No support or training
- Champions feel powerless
Solutions:
- Define minimum expectations clearly
- Regular check-ins with coordinator
- Provide tools and templates for common tasks
- Celebrate when champions make impact
"Champions and teams conflict"
Possible causes:
- Champions seen as gatekeepers
- Poor communication skills
- Unrealistic security expectations
- No executive backing for security
Solutions:
- Train champions on constructive feedback
- Position as enablers, not blockers
- Help prioritize (not everything is critical)
- Get leadership to publicly support security
"Champion knowledge is uneven"
Possible causes:
- Inconsistent training
- Self-teaching with gaps
- Different experience levels
Solutions:
- Standardized onboarding curriculum
- Ongoing training program
- Pairing experienced with new champions
- Regular knowledge-sharing sessions
Champion toolkit
Provide new champions with ready-to-use resources:
## Security Champion Starter Kit
### Quick reference
- [ ] Security policies (link)
- [ ] Incident reporting form (link)
- [ ] Escalation contacts (names + channels)
- [ ] SLA table for vulnerabilities
### Code review
- [ ] Secure code review checklist
- [ ] OWASP Top 10 quick reference
- [ ] Common vulnerabilities in our stack
- [ ] SAST/DAST tool guides
### Communication
- [ ] Security announcement templates
- [ ] How to explain vulnerabilities to devs
- [ ] FAQ for common questions
### Threat modeling
- [ ] Threat modeling template
- [ ] STRIDE quick reference
- [ ] When to threat model (guidance)
### Training resources
- [ ] Recommended courses (links)
- [ ] Company security training
- [ ] CTF platforms for practice
Champion activity tracker
Help champions track their work:
## [Champion Name] Monthly Activity Log
Month: [Month Year]
Team: [Team Name]
### Reviews conducted
| Date | What reviewed | Findings | Outcome |
|------|---------------|----------|---------|
| | | | |
### Questions answered
| Date | Question topic | From | Time spent |
|------|---------------|------|------------|
| | | | |
### Issues raised
| Date | Issue | Severity | Status |
|------|-------|----------|--------|
| | | | |
### Training/learning
| Date | Topic | Time spent |
|------|-------|------------|
| | | |
### Highlights
- [Notable accomplishment this month]
### Needs
- [Support or resources needed]
Gamification and motivation
Keep champions engaged with friendly competition and rewards.
Champion leaderboard
Track and display (with consent):
| Champion | Reviews | Issues found | Training hrs | Streak |
|---|---|---|---|---|
| Alice | 12 | 3 | 8 | 6 mo |
| Bob | 8 | 5 | 4 | 4 mo |
| Carol | 15 | 2 | 12 | 8 mo |
What to track:
- Reviews completed
- Security issues identified
- Training hours completed
- Consecutive active months
- Team engagement (questions answered)
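As an added example that is not part of this chapter, the Python below turns a monthly activity log into the program-level metrics from the "Measuring community success" table (coverage, activity, engagement, retention, each checked against that table's target) and into the per-champion leaderboard columns (reviews, issues found, training hours, streak of consecutive active months). The log rows, team list and roster are constructed sample data; the roster format with a start month and an optional end month is an assumption added so that coverage and one-year retention can be computed from the same data.

```python
"""Security Champions program scorecard and leaderboard (added example, not from the chapter)."""
from collections import defaultdict

# Constructed sample data. Roster: champion -> (team, start month, end month or None if still active).
TEAMS = ["payments", "platform", "mobile", "data", "web"]
ROSTER = {
    "alice": ("payments", "2023-01", None),
    "bob":   ("platform", "2023-06", None),
    "carol": ("mobile",   "2024-02", None),
    "dave":  ("data",     "2022-11", "2023-09"),  # left the program; "data" is now uncovered
}
# One row per champion per active month, mirroring the monthly activity tracker:
# (champion, team, month, reviews, issues_found, training_hrs, attended_meeting)
ACTIVITY_LOG = [
    ("alice", "payments", "2024-01", 3, 1, 2.0, True),
    ("alice", "payments", "2024-02", 4, 0, 1.0, True),
    ("alice", "payments", "2024-03", 5, 2, 3.0, True),
    ("bob",   "platform", "2024-01", 2, 2, 0.0, False),
    ("bob",   "platform", "2024-03", 6, 3, 4.0, True),   # no February row: inactive that month
    ("carol", "mobile",   "2024-02", 1, 0, 2.0, True),
    ("carol", "mobile",   "2024-03", 3, 1, 3.0, True),
]
# Targets from the "Measuring community success" table: (comparison, threshold).
TARGETS = {
    "coverage":   ("ge", 1.00),  # % of teams with a champion: 100%
    "activity":   ("gt", 2.0),   # reviews per champion per month: >2
    "engagement": ("gt", 0.80),  # meeting attendance: >80%
    "retention":  ("gt", 0.70),  # champions staying >1 year: >70%
}

def month_index(ym):
    """'YYYY-MM' -> absolute month number, so months can be subtracted and compared."""
    year, month = ym.split("-")
    return int(year) * 12 + int(month) - 1

def active_champions(roster):
    return {name for name, (_team, _start, end) in roster.items() if end is None}

def coverage(roster, teams):
    """Share of teams that currently have at least one active champion."""
    covered = {roster[name][0] for name in active_champions(roster)}
    return len(covered & set(teams)) / len(teams)

def log_window(log):
    months = sorted({row[2] for row in log})
    return months[0], months[-1]

def champion_months(roster, first, last):
    """Champion-months expected in the window; a champion who joined mid-window counts from their start."""
    total = 0
    for name in active_champions(roster):
        start = max(month_index(roster[name][1]), month_index(first))
        total += max(0, month_index(last) - start + 1)
    return total

def activity(log, roster):
    """Reviews per champion per month; months without a log row count as zero reviews."""
    first, last = log_window(log)
    return sum(row[3] for row in log) / champion_months(roster, first, last)

def engagement(log, roster):
    """Meeting attendance rate over expected champion-months (a missing row is a missed meeting)."""
    first, last = log_window(log)
    return sum(1 for row in log if row[6]) / champion_months(roster, first, last)

def retention(roster, as_of):
    """Of champions who joined 12+ months before as_of, the share who stayed at least 12 months."""
    eligible = [(s, e) for _t, s, e in roster.values() if month_index(as_of) - month_index(s) >= 12]
    if not eligible:
        return None
    stayed = sum(1 for s, e in eligible if e is None or month_index(e) - month_index(s) >= 12)
    return stayed / len(eligible)

def leaderboard(log):
    """Per-champion totals plus streak = consecutive active months ending at the latest log month."""
    per = defaultdict(lambda: {"reviews": 0, "issues": 0, "training_hrs": 0.0, "months": set()})
    for name, _team, month, reviews, issues, hrs, _attended in log:
        p = per[name]
        p["reviews"] += reviews
        p["issues"] += issues
        p["training_hrs"] += hrs
        p["months"].add(month_index(month))
    _, last = log_window(log)
    board = {}
    for name, p in per.items():
        streak, m = 0, month_index(last)
        while m in p["months"]:          # walk backwards until the first gap
            streak += 1
            m -= 1
        board[name] = {"reviews": p["reviews"], "issues": p["issues"],
                       "training_hrs": p["training_hrs"], "streak": streak}
    return dict(sorted(board.items(), key=lambda kv: kv[1]["reviews"], reverse=True))

def meets(value, rule):
    op, threshold = rule
    return value is not None and (value >= threshold if op == "ge" else value > threshold)

def program_scorecard(log, roster, teams, as_of):
    """Each metric with its target and whether the target is met."""
    values = {"coverage": coverage(roster, teams), "activity": activity(log, roster),
              "engagement": engagement(log, roster), "retention": retention(roster, as_of)}
    return {k: {"value": v, "target": TARGETS[k][1], "met": meets(v, TARGETS[k])} for k, v in values.items()}

if __name__ == "__main__":
    for metric, row in program_scorecard(ACTIVITY_LOG, ROSTER, TEAMS, "2024-03").items():
        print(f"{metric:<11} {row['value']!s:<8} target {row['target']:<5} {'OK' if row['met'] else 'MISS'}")
    for name, row in leaderboard(ACTIVITY_LOG).items():
        print(name, row)
```

On the constructed data, activity meets its target while coverage, engagement and retention miss theirs, which is the kind of picture the scale-up section's "identify and address gaps" step is meant to surface: an uncovered team after a departure, a champion skipping meetings, and early attrition. The denominator choice matters: counting every expected champion-month (not just months with a log entry) keeps a quiet champion from inflating the averages.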
Recognition program
| Achievement | Criteria | Reward |
|---|---|---|
| First review | Complete first security review | Certificate, swag |
| Bug hunter | Find 5 security issues | $100 bonus, recognition |
| Mentor | Onboard a new champion | Mentor badge |
| Streak master | 12 consecutive active months | Conference ticket |
| Champion of quarter | Most impactful contribution | $500 bonus, spotlight |
Monthly spotlight
In company-wide communications:
## Security Champion Spotlight: [Name]
This month we're recognizing [Name] from [Team] for their work
catching a critical authentication bypass before it reached
production. Their thorough review during the feature development
saved us from what could have been a significant vulnerability.
[Name] has been a Security Champion for [X] months and has
reviewed [Y] features and identified [Z] security issues.
Thank you, [Name], for helping us build secure software!
Expert tips
Start with volunteers, not voluntolds
The best first champions are people already doing champion-like work informally. Formalizing what they already do is easier than creating new behavior.
Quality over quantity
3 active, effective champions beat 10 inactive ones. Don't recruit for coverage before you can support them.
Make champions look good
When a champion catches an issue, credit them publicly. When the program succeeds, highlight individual contributions. Champions who feel valued stay engaged.
Build in breaks
Security Champion burnout is common. Build in:
- Rotation options (champion for 2 years, then break)
- Deputy champions who can cover
- Reduced expectations during crunch times
Learn from champion departures
When someone leaves the program, do an exit interview:
- What worked well?
- What could be improved?
- Why are you leaving?
- What advice for your replacement?
Workshop: champion community program
Part 1: Design your program (1 hour)
- Define champion role for your company
  - Responsibilities
  - Time commitment
  - Reporting structure
- Create recruitment criteria
  - What skills/traits matter?
  - How will you assess candidates?
- Draft initial communication
  - Announcement to company
  - Manager buy-in request
Deliverable: Champion program design document
Part 2: Build onboarding (2 hours)
- Outline onboarding curriculum
  - Weeks 1-2: Foundations
  - Weeks 3-4: Technical
  - Weeks 5-6: Soft skills
  - Weeks 7-8: Practical
- Create/curate training materials
  - Link to existing resources
  - Draft company-specific content
- Build onboarding checklist
Deliverable: Onboarding program and checklist
Part 3: Plan community operations (1 hour)
- Set up communication channels
- Create monthly meeting template
- Define success metrics
- Plan first 3 months of meetings
Deliverable: Community operations plan
Part 4: Recruit first champion (ongoing)
- Identify candidate(s)
- Have initial conversation
- Get manager buy-in
- Begin onboarding
Deliverable: First champion recruited and onboarding
How to explain this to leadership
The pitch:
"I can't be the only person thinking about security. To truly embed security in how we work, we need Security Champions in each team—developers who are the first point of contact for security questions. They're volunteers, part-time, but they give every team local security expertise."
The ask:
"I need permission to recruit 3-5 volunteers and have their managers allocate 10% of their time (~4 hours/week) to security activities. I also need $2,000-$5,000 for training and certifications."
The value:
- Security reviews happen faster (within teams, not across teams)
- Security issues caught earlier (by people who know the code)
- Security culture embedded (not just enforced from outside)
- Scale without hiring (volunteers, not headcount)
The risk of not doing this:
- Security Champion is a single point of failure
- Security remains external to development
- Reviews become bottlenecks
- Coverage gaps as company grows
Metric to track:
"I'll measure: champion coverage (% of teams), issues found by champions, and developer satisfaction with security support."
Conclusion
One Security Champion can start a program. A network of champions can change a culture. The coordinator's job shifts from doing security to enabling others to do it — which is harder, slower, and more lasting.
What's next
Next: career development and next steps — what you've built, where it takes you, and what to do next.