Security champions
Introduction
Security champions are embedded advocates who help integrate secure practices into day-to-day delivery. Acting as a bridge between engineering and security teams, they promote awareness, support early risk identification, and help ensure that security is considered throughout the software delivery lifecycle.
Security champions are not expected to be security experts, but they SHOULD have a strong interest in secure development and be supported with training and guidance.
Guidance
Teams MUST:
- nominate at least one security champion per delivery team
- ensure champions act as a liaison between delivery and security functions
- support champions with time and access to relevant training
Champions SHOULD:
- participate in threat modelling, architecture reviews and incident response
- contribute to security awareness and knowledge sharing within their team
- attend regular security syncs or communities of practice
Champions MAY:
- help review security tooling and processes
- contribute to secure coding standards and documentation
Measurement
Use these indicators to assess the presence and effectiveness of security champions in teams.
| ID | Indicator | GREEN | AMBER | RED |
|---|---|---|---|---|
| SC-1 | Security champion role is active | Named, trained and actively engaged | Named but not actively involved | No champion assigned |
| SC-2 | Participation in security syncs | Attends monthly or more | Attends occasionally | Does not attend |
Published: 24 July 2025
Last updated: 7 August 2025