Safeguard
Culture

What Is a Security Champions Program?

AppSec teams are outnumbered 100 to 1 by developers. A security champions program is the only staffing model that scales — here is how to build one that lasts.

Yukti Singhal
Head of Product
6 min read

A security champions program is a formal network of developers — one or two per team — who take on a part-time security role inside their own squad: triaging findings, reviewing risky designs, and acting as the first point of contact between engineering and the central security team. Champions stay developers; they are not transferred into security. The model exists because the staffing math never works otherwise: most organizations run one application security engineer for every 100 or more developers, and no central team at that ratio can review every design, triage every scanner finding, and answer every "is this safe?" question.

Why Do Companies Need a Security Champions Program?

Three structural problems push organizations toward the model:

  • The ratio problem. A central AppSec team of three cannot be in three hundred stand-ups. Champions distribute security judgment to where the code is actually written, so the central team handles the hard 10 percent instead of the routine 90.
  • The context problem. A security engineer parachuting into an unfamiliar codebase misses what a resident developer sees instantly — which service handles payment data, which "temporary" endpoint never got removed, which findings from the SAST pipeline are real versus noise in this particular repo. Champions triage with context that outsiders cannot fake.
  • The culture problem. Security requirements imposed from outside a team read as friction; the same requirements voiced by a respected teammate read as engineering judgment. Champions change who says the sentence, which changes how it lands.

The payoff shows up as shorter remediation times (findings get triaged in-team the day they appear, not when the monthly review reaches that repo), fewer vulnerabilities escaping to production, and a security team that finally has bandwidth for threat modeling and architecture work.

What Does a Security Champion Actually Do?

The role only works when it is concrete and time-boxed — typically 10 to 20 percent of a champion's week, agreed with their engineering manager. A workable responsibility set:

  1. First-line triage. Review new scanner findings for the team's repos, mark false positives, and prioritize what is real before it hits the sprint board.
  2. Security review of designs and risky PRs. Not every PR — the authentication changes, new external endpoints, new dependencies, and data-handling paths.
  3. Escalation routing. Know what the central team must see (new attack surface, suspected incidents, architectural decisions) versus what the squad can settle itself.
  4. Local advocacy. Bring security items into sprint planning, keep the team's threat model current, and socialize new policies before they become blocking gates.
  5. Feedback upstream. Tell the security team which rules generate noise and which controls create friction — champions are the sensor network, not just the enforcement arm.

What champions should not be: unpaid incident responders, scapegoats for their team's vulnerabilities, or a substitute for hiring actual security engineers.

How Do You Start a Security Champions Program?

Recruit volunteers, not conscripts. Nominated-by-manager champions with no interest in the domain quietly do nothing. Advertise the role, describe the time budget honestly, and select for curiosity and standing within the team over seniority.

Get the time commitment in writing. The single most common failure mode is champions doing security work on top of a full sprint load. The program sponsor should secure explicit manager sign-off on the percentage, and it should survive quarter-end crunch.

Train for the role, not for a certification. Champions need practical skills: how to read a finding and its data-flow trace, how to threat-model a feature in 30 minutes, how the organization's specific stack gets attacked. Hands-on material — vulnerable-app labs, capture-the-flag exercises, courses like those in the Safeguard Academy — beats slide decks every time.

Give them real authority and real access. Champions need standing to mark findings as false positives, accept low risks within policy, and block a merge when something is clearly wrong. A champion with responsibilities but no authority is just a messenger, and good engineers resign from messenger jobs.

Build the community layer. A monthly champions guild call, a dedicated chat channel with the security team, early previews of policy changes, and visible recognition — conference budget, a line in performance reviews, internal badges. Recognition is not decoration; it is the compensation for the 15 percent of their week the program consumes.

How Do You Measure Whether the Program Works?

Measure outcomes per team, not champion activity:

  • Mean time to triage and to remediate findings in champion-covered teams versus uncovered teams — the gap is the program's clearest ROI number.
  • Finding escape rate: vulnerabilities discovered in production or by pentest that a review should have caught.
  • False-positive turnaround: how fast noise gets marked, which tracks whether triage is actually happening in-team.
  • Engagement health: champion retention year over year, guild attendance, and voluntary applicants per open seat. A program nobody wants to join is already dead.
  • Security debt trend per team: backlog age and severity mix, trending down.

Expect a ramp, not a step function — most programs need two or three quarters before the remediation-time gap becomes visible. Publish the numbers to engineering leadership either way; champions programs die of invisibility more often than of failure. For adjacent culture-building material, see the write-ups on the Safeguard blog.

FAQ

How many security champions do you need?

One per team is the working standard, two for teams larger than about ten engineers so the role survives vacations and attrition. Coverage matters more than density: a champion on every product team beats three champions clustered on the platform team.

Are security champions paid extra?

Usually not in salary, but effective programs compensate in other currencies: protected time, training and conference budget, explicit recognition in promotion criteria, and early influence over security policy. Programs that offer none of these recruit poorly and churn champions within a year.

What is the difference between a security champion and a security engineer?

A security engineer's full-time job is security; a champion is a developer who spends 10 to 20 percent of their time as their team's security point person. Champions extend the security team's reach — they do not replace it.

How long does it take to launch a security champions program?

A pilot with three to five volunteer champions, defined responsibilities, and initial training can launch in four to six weeks. Organization-wide rollout, with a guild rhythm and metrics, typically takes two to three quarters.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.