What’s in a name? If you’re a security champion, a lot. These security-minded men and women hold information-sharing power within an organization. They work daily to relay essential updates, surface and resolve common pain points, lean in on threat and vulnerability management, and provide more clarity on security needs to everyone from leadership down.
Despite their importance for application security (AppSec), there’s no formal definition of a security champion because it may vary by organization. But there’s one constant: you don’t have to be a security professional to join in. The term “security champion” has evolved in recent years to be more inclusive of employees who aren’t necessarily experts, expanding to those who have an interest in security. So a security champion isn’t someone who wins hacking contests (though that’s certainly a plus) but one who champions the security message wherever they are in your organization.
A security champion is someone who serves as both mentor and cheerleader of sorts, engaging with and encouraging all employees to learn, adopt, and remain committed to security protocols. These champions may not have as deep an understanding of security as someone in infosec or IT, but they know enough to answer basic questions and serve as a bridge between the infosec gurus and the ordinary employees.
InfoSec Institute
In short, security champions serve as a far-reaching additional line of defense between your sensitive data and the bad guys. They’re also natural communicators who help amplify critical security messages throughout various teams – something organizations can’t skimp on when it comes to weaving security into modern software development.
In today’s breakneck world of software production, where developers need to finish apps yesterday, teams can’t halt projects to wait for security testing results or to untangle a miscommunication about a flaw. Just as your developers are focused on building apps and can’t know every nuance of security, it isn’t the job of security engineers to shadow programmers at every step of development. And with siloed teams still found in many tech organizations, you need a group of dedicated employees who can help keep everyone on the same page regarding application security and – yes – champion the security mindset across development teams.
This is even more crucial with the ongoing cybersecurity skills gap exacerbating existing pain points in IT. But with security champions supporting those critical teams throughout the organization, you can close gaps in security and catch more problems before they become budget-busting breaches or major stress points that threaten to send your most talented workers off to greener pastures.
Security is everyone’s job now, and with more APIs, components, and applications permeating our daily lives (did you know more than two-thirds of the world’s population use mobile phones and mobile apps?), it’s no longer a nice-to-have but a must-have. Anyone can be a security champion. Though they’re often developers, it’s not an exclusive club, and organizations should encourage everyone to get involved. Anyone from QA testers to operations managers and marketing specialists building microsites should have the opportunity to lean in as a security champion.
Application security is about far more than running a scan and moving on; for a company to close all of its gaps, every employee needs to know the risks and what they can do to help reduce them. While it isn’t necessary to be a security expert as a champion, having an interest in the importance of threat and vulnerability management is vital, as is awareness of modern security tools like dynamic (DAST) and interactive (IAST) analysis. Armed with that awareness, security champions can act as a bridge between teams.
It’s also critical that your champions understand your specific apps and know the unique risks they present both internally and externally. For more technical employees, the security team should have an easy way to train selected champions on what to look out for and how to remediate (or prevent) common issues. By investing a little time into training, your security engineers will free up far more time to focus on high-severity security flaws and other critical problems that create risk or stifle innovation.
We’ve established that security champions don’t have to be experts in DevSecOps or penetration testing as long as they have a clear understanding of security needs – but which skills are indeed critical? It might look different for every organization based on goals, scalability, and security posture. Still, there are a handful of competencies and traits that add up to make an effective security champion:
This type of program is a strategic way to move beyond the age-old conflict of security vs. development in software and ensure that security is truly everyone’s job at the end of the day. When used holistically with efforts to integrate security into development, that human element has a chance to shine as silos melt away and communication becomes king. Balance is critical when selecting champions, too – having at least one champion for every team of engineers gives both security and development a bird’s-eye view of risk from project to project so they can communicate clearly cross-functionally.
But don’t go crazy with headcount for your program at first. Less is more when you’re just starting out. The excitement of joining such a crucial team is real, but it’s important to aim for a slow roll-out of the program with clearly defined goals, so you don’t cause more pain points for often overworked teams.
Security champions programs are relatively straightforward, but a program that delivers real results in threat management shows leadership that you know what you’re doing and encourages more employees to join the cause. Start by defining which issues you want security champions to be responsible for – from code reviews to sharing best practices – and clearly outline those expectations in a shared document. Program managers should also consider:
Another critical aspect of program efficiency is tracking success closely and setting relevant KPIs so that you can prove threat management wins up the chain. Depending on your security goals, success may be measured by:
And of course, a great metric to track is the number of security champions within your organization. If the number continues to rise, you know you’re doing it right. And with secure coding best practices in place, modern scanning tools running consistently, and a successful security champions program all working in tandem, the path to improved threat management and security posture is clearer. As you build your program, read our white paper on enterprise web security best practices to learn more about cultivating a successful security process that checks all the right boxes.