What is a security champions program, and how do you build and sustain one?
A security champions program embeds a designated engineer on each dev team as that team's local security point of contact, so a small AppSec team can scale its reach without having to sit in on or review every team's work itself. Build it by recruiting volunteers (not mandates), then giving them training, a private community or channel, and real influence (e.g. threat-model sign-off, vulnerability triage authority). Sustain it with recognition, an explicit time allocation, a clear charter, and a steady stream of content so it doesn't go stale. Anti-patterns: appointing champions top-down with no time budget, treating them as unpaid security labor, offering no career incentive, and letting the program decay after launch. The goal is to make security a distributed property of engineering, not a gate.