
23.3 Security Champions Programs

Centralized security teams cannot scale to meet the security needs of modern software organizations. When one security engineer supports one hundred or more developers—a ratio common in many organizations—there simply isn't enough bandwidth for hands-on involvement in every team's security decisions. This challenge intensifies for supply chain security, where decisions about dependencies, build configurations, and deployment practices happen continuously across every development team.

Security champions programs address this scaling challenge by distributing security expertise throughout the organization. Rather than relying solely on a central security team, champions programs identify, train, and support developers who take on security responsibilities within their teams. For supply chain security specifically, champions become the local experts who guide dependency decisions, respond to vulnerability alerts, and advocate for secure practices where the work actually happens.

This section provides a blueprint for implementing a security champions program focused on supply chain security—from recruitment through measurement of impact.

The Security Champions Model for Supply Chain

A security champion is a member of a development team who, in addition to their regular responsibilities, takes on security advocacy and activities for their team. They are not security professionals who have been embedded with development teams; they are developers who have received additional security training and serve as bridges between their teams and the security organization.

Champions model overview:

┌─────────────────────────────────────────────────────────────────┐
│                    Central Security Team                         │
│  - Sets strategy and policy                                     │
│  - Provides tools and infrastructure                            │
│  - Handles complex security issues                              │
│  - Trains and supports champions                                │
└─────────────────────────────┬───────────────────────────────────┘
              ┌───────────────┼───────────────┐
              │               │               │
              ▼               ▼               ▼
       ┌──────────┐    ┌──────────┐    ┌──────────┐
       │Champion A│    │Champion B│    │Champion C│
       │ Team 1   │    │ Team 2   │    │ Team 3   │
       └────┬─────┘    └────┬─────┘    └────┬─────┘
            │               │               │
            ▼               ▼               ▼
       ┌──────────┐    ┌──────────┐    ┌──────────┐
       │Developers│    │Developers│    │Developers│
       │ Team 1   │    │ Team 2   │    │ Team 3   │
       └──────────┘    └──────────┘    └──────────┘

Why champions work for supply chain security:

Supply chain security decisions are distributed by nature—every developer adds dependencies, every build pipeline processes external code, every deployment includes third-party components. Champions enable:

  • Local expertise: Someone on the team understands supply chain risks and practices
  • Faster response: Vulnerability alerts are triaged by someone with team context
  • Practical advocacy: Security advice comes from a peer, not an outsider
  • Scalable coverage: One champion per team extends security reach significantly
  • Consistent practices: Champions propagate standard practices across teams

The champion is not:

  • A security gatekeeper who approves every decision
  • Solely responsible for their team's security
  • A replacement for security team involvement on complex issues
  • Someone who does all security work so others don't have to

Champions amplify security team effectiveness; they don't replace it.

Identifying and Recruiting Champions

Champion programs succeed or fail based on who becomes a champion. Recruiting the right people—and making participation attractive—is foundational.

Recruitment criteria:

Criterion               Why it matters
Technical credibility   Champions must be respected by peers to be effective
Interest in security    Enthusiasm sustains engagement; forced participation fails
Communication skills    Champions translate security concepts for their teams
Influence               Champions need to change team behavior, not just understand security
Availability            Security activities require dedicated time
Tenure                  Some organizational context helps; very new employees struggle

Recruitment process:

  1. Manager alignment: Secure commitment that the champion will have time allocated for security activities. Without manager buy-in, champions cannot participate effectively.

  2. Candidate identification: Use multiple methods:

       • Self-nomination (interest is a strong predictor of success)
       • Manager nomination (identifies high performers)
       • Security team observation (who already engages with security?)
       • Peer recommendation (who do team members go to with questions?)

  3. Candidate conversation: Discuss role, expectations, time commitment. Ensure candidate understands what they're signing up for.

  4. Selection: Choose candidates who meet criteria and have genuine interest. Quality over quantity: a few engaged champions outperform many disengaged ones.

  5. Onboarding: Formal introduction to the program, initial training, connection to the champion community.

Recruitment messaging:

Frame the opportunity positively:

Effective: "Join a community of developers building security expertise. Gain skills that advance your career while helping your team ship more securely."

Ineffective: "We need someone on each team to handle security compliance requirements."

Target champion-to-developer ratio (based on industry practice) [1]:

  • Minimum: 1 champion per 15-20 developers
  • Ideal: 1 champion per 8-12 developers
  • Coverage: Every development team should have at least one champion

Organizations with high-risk products or regulatory requirements may need denser coverage, that is, fewer developers per champion. These ratios align with guidance from the OWASP Security Champions program and similar industry initiatives.

Training and Empowering Champions

Champions need more than awareness training—they need skills to act effectively in their role.

Training curriculum for champions (see OWASP Security Champions Guide for additional curriculum guidance):

Phase 1: Foundation (16-24 hours)

Module                              Duration   Content
Champion role and expectations      2 hours    What champions do, program structure, resources
Supply chain threat landscape       4 hours    Attack patterns, real incidents, risk factors
Secure dependency management        4 hours    Evaluation, lockfiles, updates, vulnerability response
Organizational tools and policies   4 hours    Your specific tools, policies, processes
SBOM and provenance                 2 hours    Understanding and using SBOMs
Effective security communication    4 hours    How to advocate, influence, and teach

Phase 2: Ongoing Development (8+ hours quarterly)

Activity                      Frequency     Purpose
Champion community meetings   Monthly       Share experiences, learn from peers
Deep-dive sessions            Quarterly     Advanced topics, new threats
Incident reviews              As needed     Learn from real events
Tool training                 As released   Stay current with tooling
Guest speakers                Quarterly     External perspectives

Phase 3: Specialization (optional)

Champions with interest and aptitude can develop deeper expertise in specific areas:

  • Build pipeline security
  • Container and image security
  • Specific ecosystem security (npm, PyPI, etc.)
  • Security architecture review
  • Incident response

Empowerment beyond training:

Training provides knowledge; empowerment provides authority and resources:

  • Access: Champions should have access to security tools, dashboards, and findings
  • Authority: Champions should be authorized to make certain decisions without escalation
  • Resources: Champions should know where to find help when they need it
  • Community: Champions should be connected to each other for peer support
  • Backing: Champions should have explicit support from security leadership

Security champions who receive visible backing from security leadership report greater effectiveness when advocating for security improvements within their teams. The combination of training and explicit organizational support enables champions to influence team practices more successfully than training alone.

Champion Responsibilities and Time Allocation

Clear responsibility definition prevents both underutilization (champions with nothing to do) and overload (champions expected to do everything).

Champion responsibilities for supply chain security:

Core responsibilities (all champions):

Responsibility            Activities                                                         Estimated time
Team liaison              Answer security questions, escalate issues, communicate policies   2-3 hours/week
Vulnerability response    Triage automated vulnerability alerts (e.g., Dependabot, Snyk),    2-3 hours/week
                          guide remediation, track resolution
Dependency guidance       Review new dependencies, advise on package selection               1-2 hours/week
Community participation   Attend champion meetings, contribute to discussions                2-4 hours/month
Continuous learning       Training, reading, staying current                                 2-4 hours/month
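The vulnerability response row is the one that most benefits from a repeatable routine. The script below is an added example, not code from this page or from GitHub: it turns a team's Dependabot alert feed into an ordered worklist with an action per alert, so "triage, guide remediation, track resolution" becomes a weekly check rather than ad hoc reaction. The record layout follows the GitHub Dependabot alerts API; the sample alerts, the 7-day staleness cut-off and the fix/escalate/schedule/backlog rules are assumptions of this example, not an organizational policy.

```python
"""Triage Dependabot-style vulnerability alerts for one team.

Added example, not code from the page or from GitHub. The record shape
is modelled on the GitHub Dependabot alerts REST API (number, state,
created_at, security_advisory.severity, security_vulnerability.package /
first_patched_version, dependency.scope). The sample alerts are
constructed, and the triage rules and 7-day staleness cut-off are this
example's own assumptions, not an organizational policy.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class TriagedAlert:
    number: int
    package: str
    severity: str
    scope: str
    fix_version: Optional[str]
    age_days: int
    action: str  # "fix now" | "escalate" | "schedule" | "backlog"


def _parse_ts(ts: str) -> datetime:
    # GitHub emits "2024-05-30T09:00:00Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(alerts, now, escalate_after_days=7):
    """Return open alerts ordered by priority, each with a recommended action.

    Rules (assumptions for this example):
      * critical/high with a patched version available -> "fix now"
      * critical/high with no patched version -> "escalate" (mitigation
        needs the security team; the champion should not decide alone)
      * critical/high still open after escalate_after_days -> "escalate",
        because remediation is slipping and needs visibility
      * medium/low in a runtime dependency -> "schedule"; in a
        development-only dependency -> "backlog"
    """
    triaged = []
    for alert in alerts:
        if alert["state"] != "open":
            continue
        sev = alert["security_advisory"]["severity"]
        vuln = alert["security_vulnerability"]
        fix = (vuln.get("first_patched_version") or {}).get("identifier")
        scope = alert["dependency"].get("scope") or "runtime"
        age = (now - _parse_ts(alert["created_at"])).days
        if sev in ("critical", "high"):
            action = "fix now" if fix else "escalate"
            if age > escalate_after_days:
                action = "escalate"
        else:
            action = "backlog" if scope == "development" else "schedule"
        triaged.append(TriagedAlert(alert["number"], vuln["package"]["name"],
                                    sev, scope, fix, age, action))
    # Highest severity first; within a severity, oldest first.
    triaged.sort(key=lambda t: (-SEVERITY_RANK.get(t.severity, 0), -t.age_days))
    return triaged


def action_counts(triaged):
    """Per-action totals, useful for the weekly 'track resolution' check-in."""
    counts = {}
    for t in triaged:
        counts[t.action] = counts.get(t.action, 0) + 1
    return counts


def _alert(number, created, severity, fix, scope, state="open"):
    # Helper that builds constructed sample records in the API shape.
    return {
        "number": number, "state": state, "created_at": created,
        "security_advisory": {"severity": severity},
        "security_vulnerability": {
            "package": {"ecosystem": "npm", "name": f"example-pkg-{number}"},
            "first_patched_version": {"identifier": fix} if fix else None,
        },
        "dependency": {"manifest_path": "package-lock.json", "scope": scope},
    }


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ALERTS = [  # constructed sample data, not real alerts
    _alert(101, "2024-05-30T09:00:00Z", "critical", "3.2.1", "runtime"),
    _alert(102, "2024-05-20T09:00:00Z", "high", None, "runtime"),
    _alert(103, "2024-05-31T09:00:00Z", "medium", "2.0.4", "development"),
    _alert(104, "2024-05-25T09:00:00Z", "low", "1.1.0", "runtime"),
    _alert(105, "2024-05-02T09:00:00Z", "high", "5.0.0", "runtime", state="fixed"),
    _alert(106, "2024-05-01T09:00:00Z", "high", "1.0.5", "runtime"),
]

if __name__ == "__main__":
    worklist = triage(SAMPLE_ALERTS, NOW)
    for t in worklist:
        print(f"#{t.number:<4} {t.severity:<8} {t.package:<16} age={t.age_days:>2}d "
              f"fix={t.fix_version or '-':<6} -> {t.action}")
    print(action_counts(worklist))
```

The "escalate" action encodes the boundary from the list above: an alert with no patched version, or a high-severity alert that has gone stale, goes to the security team instead of being worked alone. A Snyk export uses different field names, so only the record access in `triage` would need changing.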

Extended responsibilities (experienced champions):

  • Security architecture review participation
  • Incident response team membership
  • Training content development
  • Tool evaluation and recommendation
  • Mentoring new champions

Time allocation guidance:

Program maturity   Recommended allocation
Launching          10-15% of champion's time
Established        15-20% of champion's time
Mature             20-25% for core champions

This translates to roughly one day per week for an established champion.

Protecting champion time:

Without explicit time allocation, champion activities become "extra work" that gets squeezed out by primary responsibilities:

  1. Manager agreement: Document time allocation in champion's goals/OKRs
  2. Calendar blocking: Champions block time for security activities
  3. Sprint planning: Include security activities in team capacity planning
  4. Escalation path: Champions can escalate if time is consistently unavailable

What champions should NOT do:

  • All security work for their team (everyone is responsible for security)
  • Approve every dependency decision (this creates bottlenecks)
  • Handle complex security issues alone (escalate to security team)
  • Work unpaid overtime on security activities (time must be allocated)

Recognition and Career Development

Champion programs sustained by obligation alone eventually fail. Champions must see value in participation—through recognition, career development, and intrinsic satisfaction.

Recognition and incentive programs:

Formal recognition:

Recognition type     Implementation
Title                "Security Champion" designation in HR systems, email signatures
Visibility           Champions highlighted in communications, recognized at all-hands
Achievement badges   Visible markers of training completion, contributions
Annual awards        Champion of the year, most improved team, etc.
Executive exposure   Champions present to leadership, attend security briefings

Tangible incentives:

Incentive               Considerations
Conference attendance   Send champions to security conferences
Training budget         Additional professional development resources
Certification support   Fund security certifications (if desired)
Equipment/swag          Champion-specific recognition items
Bonus/compensation      Some organizations tie champion role to compensation

Career development:

The champion role should support career growth:

Career Development Pathways:

Technical Track:
├── Champion → Senior Champion → Principal Engineer (Security Focus)
└── Skills: Deep technical security expertise, architecture influence

Leadership Track:
├── Champion → Lead Champion → Engineering Manager (Security-Savvy)
└── Skills: People leadership, cross-team coordination

Security Track:
├── Champion → Security Engineer → Security Architect
└── Skills: Full transition to security career

Development activities:

  • Expanded project opportunities (security initiatives, tool evaluations)
  • Mentorship (both receiving and providing)
  • Cross-functional exposure (working with security, compliance, legal)
  • Speaking opportunities (internal presentations, external conferences)
  • Publication opportunities (blog posts, documentation)

Many organizations report that security champions programs have become unexpected talent pipelines, with champions developing skills and relationships that enable career transitions into security leadership roles. The combination of hands-on security experience and deep development context creates a foundation for security careers that few other paths provide.

Preventing Champion Burnout

Champion burnout is one of the most significant threats to program sustainability. Champions who become overwhelmed, overworked, or underappreciated will leave the program—taking valuable security expertise and institutional knowledge with them. Burnout prevention requires proactive strategies, early warning detection, and organizational commitment to sustainable workloads.

Why champion burnout occurs:

Burnout driver                 How it manifests                                             Impact
Unbounded responsibilities     Champion becomes the "go-to" person for all security         Champion avoids security work,
                               questions, drowning in requests                              eventually quits program
Insufficient time allocation   Security activities squeeze out primary job                  Stress, missed deadlines,
                               responsibilities                                             manager friction
Lack of recognition            Extra work goes unacknowledged or undervalued                Resentment, loss of motivation
Isolation                      Champion feels like they're fighting alone without support   Frustration, sense of futility
Constant context switching     Security interruptions fragment primary work                 Cognitive overload, reduced
                                                                                            effectiveness
Scope creep                    Responsibilities expand beyond original agreement            Workload becomes unsustainable

Burnout warning signs:

Organizations should monitor for these indicators:

Individual champion indicators:

  • Declining meeting attendance
  • Slower response times to security questions
  • Reduced participation in champion community
  • Visible frustration or negativity in interactions
  • Requests to reduce champion responsibilities
  • Decreased code review activity
  • Missing training sessions or development opportunities

Team-level indicators:

  • Security findings increasing for championed team
  • Escalations to security team rising
  • Champion's manager reports concerns about workload
  • Champion's primary work deliverables slipping
  • Team members bypassing champion, escalating directly to security

Burnout prevention strategies:

1. Enforce time boundaries:

Champion Time Protection:
├── Calendar blocking:
│   └── Champions block dedicated security time that cannot be scheduled over
├── Sprint capacity:
│   └── Security work counts against sprint capacity (not "extra")
├── After-hours protection:
│   └── No expectation of evening/weekend security work
└── Vacation coverage:
    └── Security team provides backup when champion is out

2. Distribute the load:

  • Multiple champions per large team: Teams over 15 people should have 2+ champions who can share the load
  • Specialty areas: Champions can focus on specific domains (dependencies, containers, etc.) rather than being generalists
  • Rotation: For teams with multiple champions, rotate who's "on duty" each sprint
  • Escalation support: Security team commits to rapid response when champions escalate

3. Set clear scope boundaries:

Explicitly define what champions are NOT responsible for:

Champions Do:
- Triage automated security alerts for their team
- Guide teammates on security questions within defined scope
- Participate in champion community meetings
- Review security findings during code review

Champions Do NOT:
- Respond to all security questions in the company
- Personally fix all security issues
- Work security issues outside their time allocation
- Handle complex security incidents alone
- Be on-call for security issues

Document these boundaries and share them organization-wide to prevent scope creep.

4. Provide robust support network:

  • Security team office hours: Regular, scheduled time when champions can get help without formal escalation
  • Champion mentorship: Pair new champions with experienced ones
  • Peer support channel: Active Slack/Teams channel where champions help each other
  • Resource library: Curated documentation, runbooks, and examples that champions can reference
  • Expert access: Clear path to security subject matter experts for complex questions

5. Recognize and reward appropriately:

Recognition alone doesn't prevent burnout, but lack of recognition accelerates it:

  • Regular appreciation: Managers and security leadership publicly thank champions
  • Tangible rewards: Conference attendance, training budget, spot bonuses
  • Career benefits: Champions get first consideration for security-related opportunities
  • Reduced other obligations: If security work increases, reduce other responsibilities proportionally

6. Monitor workload quantitatively:

Track champion time investment and intervene when it exceeds allocation:

Metric                       Healthy range        Warning threshold   Action required
Hours per week on security   4-8 hours (10-20%)   >10 hours           Investigate causes, redistribute work
Security Slack mentions      <10 per week         >20 per week        Remind org of escalation paths
Security PRs reviewed        2-5 per week         >8 per week         Consider adding co-champion
After-hours security work    <1 hour per week     >2 hours per week   Immediate intervention

7. Provide exit paths without stigma:

Champions should be able to step back without career consequences:

  • Term limits: Consider 12-18 month champion terms with option to renew (prevents indefinite obligation)
  • Graceful exit: Champions can rotate out for any reason without penalty
  • Alumni network: Former champions remain connected, can return if circumstances change
  • Transition support: When champions leave, ensure knowledge transfer to replacement

Burnout recovery process:

When burnout is identified:

  1. Immediate workload reduction: Remove non-essential security responsibilities
  2. Check-in conversation: Security leader or manager discusses what's not working
  3. Short-term solutions: Temporary co-champion, security team takes over some duties
  4. Long-term fixes: Address root causes—insufficient time, unclear scope, lack of support
  5. Recovery period: Give champion breathing room to re-engage gradually
  6. Exit option: Provide honorable exit if needed

Organizational commitment to sustainability:

Leadership must demonstrate that champion wellbeing matters:

Manager accountability:

  • Managers with champion reports are held accountable for protecting champion time
  • Manager performance reviews include how well they supported the champion role
  • Manager training includes champion burnout prevention

Security team commitment:

  • Security team commits to a maximum response time for champion escalations
  • Security team regularly checks in with champions (not just when problems arise)
  • Security leadership is visible in the champion community and accessible for concerns

Executive sponsorship:

  • Executive sponsor reinforces that champion work is valued and protected
  • Executive addresses organizational behaviors that create burnout (e.g., constant interruptions)
  • Executive ensures the champion program has resources to support participants

Case study: Burnout intervention:

Organization: Mid-size SaaS company, 400 developers, 35 champions

Problem: Three champions stepped down in one quarter citing overwhelming workload

Investigation: Champions were receiving 40-60 Slack mentions per week, spending 15-20 hours on security (vs. 8 hour allocation), with managers unaware of the burden

Interventions:

  1. Created a security bot to route questions to security team office hours instead of directly to champions
  2. Established a "champion on duty" rotation for multi-champion teams
  3. Trained managers on monitoring champion workload
  4. Added workload metrics to the champion program dashboard
  5. Security team committed to <4 hour response time on champion escalations

Results: Champion retention increased from 60% to 85% year-over-year; satisfaction scores improved from 3.2/5 to 4.1/5

Remote work considerations:

Remote and hybrid work creates unique burnout risks for champions:

  • Always-on culture: Harder to disconnect when home is work
  • Isolation: Champions miss informal hallway conversations and support
  • Asynchronous communication: Security questions arrive at all hours across time zones
  • Virtual meeting fatigue: Champion community meetings add to already-full video schedule

Remote burnout prevention:

  • Explicit "office hours" when champions are available for security questions
  • Asynchronous-first communication (documented Q&A, decision records)
  • Shorter, more frequent champion meetings rather than long monthly sessions
  • Virtual co-working sessions where champions work together on security tasks
  • Regional champion networks for time zone alignment

Measuring burnout prevention effectiveness:

Track leading indicators of program health:

Indicator                    Measurement                                                Target
Champion satisfaction        Quarterly survey: "I feel supported in my champion role"   >4/5
Time allocation accuracy     Actual time spent vs. allocated                            Within 20%
Champion retention rate      Year-over-year retention                                   >80%
Burnout-related departures   Champions citing burnout as exit reason                    <10% of exits
Workload distribution        Std deviation of security hours across champions           Low variance
Manager awareness            Manager survey: "I actively monitor champion workload"     >90% agree

Measuring Champion Program Impact

Programs without measurement cannot demonstrate value or improve. Champion program measurement should assess both program health and security impact.

Impact measurement metrics:

Program health metrics (Is the program working?):

Metric                  Target          Measurement
Champion coverage       100% of teams   Teams with active champion / total teams
Training completion     >90%            Champions completing required training
Meeting attendance      >75%            Average attendance at champion meetings
Champion retention      >80% annually   Champions continuing year-over-year
Champion satisfaction   >4/5            Survey results

Security impact metrics (Is security improving?):

Metric                           Expected trend                      Measurement
Vulnerability remediation time   Decreasing                          Average time to close vulnerabilities
Security findings per release    Decreasing                          Scan findings in championed vs. non-championed teams
Dependency policy compliance     Increasing                          % of dependencies from approved sources
Security escalations             Appropriate (not too high or low)   Issues escalated to security team
Developer security confidence    Increasing                          Survey: "I know how to handle supply chain security issues"
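Two of these metrics can be computed directly from a team's own artifacts rather than from a survey. The following is an added example, not the page's tooling: it scores dependency policy compliance from an npm package-lock.json (each installed package must resolve to an approved registry host and carry an integrity hash, so the installed tarball is verifiable) and computes time to remediate from alert open/fix timestamps. The lockfile fragment, the alert records and the approved-host list are constructed for the example and are assumptions, not real data.

```python
"""Compute two security impact metrics for one team from its artifacts.

Added example, not the page's own tooling. Inputs are constructed inline:
an npm package-lock.json (lockfileVersion 3) fragment, where npm records a
"resolved" URL and an "integrity" hash per installed package, and a list
of vulnerability alerts with ISO-8601 created_at/fixed_at timestamps. The
approved registry hosts are an assumption; adjust for your organization.
"""
import json
import statistics
from datetime import datetime
from urllib.parse import urlparse

# Assumption: the public registry plus an internal mirror/proxy are the
# only sources the organization allows dependencies to be fetched from.
APPROVED_REGISTRY_HOSTS = {"registry.npmjs.org", "npm.internal.example"}

# Constructed sample lockfile (package names and hashes are made up).
SAMPLE_LOCKFILE = json.loads(r'''
{
  "name": "example-service",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-service", "dependencies": {"example-http": "^1.3.0"}},
    "node_modules/example-http": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/example-http/-/example-http-1.3.0.tgz",
      "integrity": "sha512-AAAAexampleonlyAAAA=="
    },
    "node_modules/internal-auth": {
      "version": "2.0.1",
      "resolved": "https://npm.internal.example/internal-auth/-/internal-auth-2.0.1.tgz",
      "integrity": "sha512-BBBBexampleonlyBBBB=="
    },
    "node_modules/patched-fork": {
      "version": "0.9.0",
      "resolved": "git+ssh://git@github.com/someone/patched-fork.git#0123abcd"
    },
    "node_modules/no-hash": {
      "version": "4.1.0",
      "resolved": "https://registry.npmjs.org/no-hash/-/no-hash-4.1.0.tgz"
    },
    "node_modules/shared-lib": {"resolved": "packages/shared-lib", "link": true}
  }
}
''')


def dependency_compliance(lock, approved_hosts=APPROVED_REGISTRY_HOSTS):
    """Return (percent_compliant, violations) for a parsed lockfile.

    A package is compliant when its "resolved" URL points at an approved
    registry host and it carries an "integrity" hash, so npm can verify
    the tarball it installs. Workspace links and the root entry are skipped.
    """
    total = 0
    violations = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue
        total += 1
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if host not in approved_hosts:
            # Catches git URLs, arbitrary tarball URLs and a missing "resolved".
            violations.append((path, f"unapproved source: {resolved or '<none>'}"))
        elif not entry.get("integrity"):
            violations.append((path, "missing integrity hash"))
    pct = round(100.0 * (total - len(violations)) / total, 1) if total else 100.0
    return pct, violations


# Constructed sample: three fixed alerts and one still open.
SAMPLE_ALERTS = [
    {"number": 1, "created_at": "2024-03-01T00:00:00Z", "fixed_at": "2024-03-05T12:00:00Z"},
    {"number": 2, "created_at": "2024-03-10T00:00:00Z", "fixed_at": "2024-03-31T00:00:00Z"},
    {"number": 3, "created_at": "2024-04-01T00:00:00Z", "fixed_at": "2024-04-03T00:00:00Z"},
    {"number": 4, "created_at": "2024-04-02T00:00:00Z", "fixed_at": None},
]


def time_to_remediate(alerts):
    """Mean and median days from alert creation to fix, over fixed alerts only.

    Report the median alongside the mean: one long-running alert can drag
    the mean up and hide that most fixes land quickly (or the reverse).
    """
    days = []
    for a in alerts:
        if not a.get("fixed_at"):
            continue  # still open; there is no remediation time yet
        opened = datetime.fromisoformat(a["created_at"].replace("Z", "+00:00"))
        fixed = datetime.fromisoformat(a["fixed_at"].replace("Z", "+00:00"))
        days.append((fixed - opened).total_seconds() / 86400)
    if not days:
        return {"n": 0, "mean_days": None, "median_days": None}
    return {"n": len(days),
            "mean_days": round(statistics.mean(days), 1),
            "median_days": round(statistics.median(days), 1)}


if __name__ == "__main__":
    pct, problems = dependency_compliance(SAMPLE_LOCKFILE)
    print(f"dependency policy compliance: {pct}%")
    for path, why in problems:
        print(f"  {path}: {why}")
    print("remediation:", time_to_remediate(SAMPLE_ALERTS))
```

Running the compliance check in CI on every lockfile change gives a per-team number that can be trended over time and compared between championed and non-championed teams. The median is reported next to the mean on purpose: a single alert that sat open for months moves a mean more than a quarter of steady improvement does, so a remediation-time trend built on the mean alone can mislead in either direction.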

Comparison approaches:

Where possible, compare championed teams to non-championed teams (if any exist) or compare before/after champion program implementation:

Metric Comparison: Before vs. After (12-month period)

                          Before Champions    After Champions    Change
Mean time to remediate:        18 days             9 days         -50%
Critical vulns per team:          4.2                1.8          -57%
Policy compliance:                72%               91%           +19 points
Developer security survey:        3.1/5             3.9/5         +26%

Qualitative measurement:

Numbers don't tell the whole story. Also gather:

  • Champion feedback on program effectiveness
  • Development team feedback on champion value
  • Security team perspective on champion contribution
  • Specific examples of champion impact (incidents avoided, improvements made)

Continuous improvement:

Use measurement to improve the program:

  1. Quarterly review: Assess metrics, identify issues, plan adjustments
  2. Champion feedback: Regular input on what's working and what isn't
  3. Program iteration: Adjust training, responsibilities, and structure based on evidence
  4. Success sharing: Communicate wins to maintain support and attract new champions

Recommendations

We recommend the following approaches to security champions programs:

  1. Start with voluntary recruitment: Champions who volunteer outperform those who are voluntold. Create an attractive opportunity, not an obligation.

  2. Secure time allocation upfront: Without explicit time commitment from managers, champion activities become unfunded mandates that fail. Negotiate 10-20% time before recruiting.

  3. Invest in quality training: Champions need real skills, not just awareness. Invest in initial training (16-24 hours) and ongoing development (quarterly).

  4. Define responsibilities clearly: Specify what champions do and don't do. Ambiguity leads to underutilization or burnout.

  5. Provide genuine recognition: Champions contribute beyond their job descriptions. Recognize this through titles, visibility, career development, and tangible incentives.

  6. Build community: Champions learn from each other. Create regular touchpoints, communication channels, and peer support mechanisms.

  7. Measure and improve: Track both program health and security impact. Use data to demonstrate value and drive continuous improvement.

  8. Support champion careers: Make the champion role a career accelerator, not a dead end. Champions who see career value become your strongest advocates and longest-tenured participants.

Security champions programs transform supply chain security from a centralized function that can't scale to a distributed capability that reaches every team. When implemented well, champions become force multipliers—extending security expertise throughout the organization while developing talent and building security culture.


  [1] These ratios align with guidance from the OWASP Security Champions program and are based on practitioner experience across multiple organizations. Actual optimal ratios vary based on team structure, product risk profile, and organizational security maturity.