Design a security champions program for a 500-engineer organization.

Key Talking Points

  • Recruit volunteers (1+ per team), not mandates — interested engineers stay engaged; get manager buy-in for dedicated time (e.g. ~10–20%) so it's funded work, not unpaid overtime.
  • Define a clear charter: champions are the local security contact, do first-pass threat modeling and security review, triage findings for their team, and escalate to AppSec when needed.
  • Enable them: onboarding training, a regular cadence (monthly meetups/office hours), a dedicated chat channel/community, and curated content so the program doesn't go stale.
  • Give them real authority and tooling — sign-off on threat models, access to scanners/dashboards — so the role has substance and influence.
  • Incentivize and recognize: career-ladder credit, visible shout-outs, swag, and tying participation to performance/promotion signals; rotate to avoid burnout.
  • Use champions as a force multiplier for paved-road adoption and as a two-way feedback channel from teams back to AppSec.
  • Measure: coverage (% of teams with an active champion), engagement, threat models / reviews done by champions, and downstream risk metrics (fewer escaped vulns in covered teams).
  • Avoid anti-patterns: top-down appointment with no time budget, treating champions as free labor, no incentives, and letting the program decay after kickoff.

A durable champions program recruits willing engineers per team, invests in their training and authority, gives them dedicated time and a community, and is measured by adoption and risk reduction — avoiding the trap of unfunded, top-down 'volunteers'.