6 months
typical time before a security champion program loses more than half its active participation when the program design does not align with how engineers spend their time
4 patterns
structural failures that cause most champion program atrophy: wrong value exchange, wrong meeting format, wrong champion selection, and no visibility of security wins back to engineers
3x
higher sustained participation rate in programs where champion activities map to defined career development outcomes versus programs framed around security team workload distribution
15 minutes
the maximum effective length of a security champion touchpoint in engineering sprint format -- anything longer requires a dedicated meeting slot that competes with sprint work

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A security champion program that has gone quiet did not fail because engineers do not care about security. It failed because the program was designed for what the security team needed rather than for how engineers actually work.

The typical failure timeline: the program launches with strong executive backing, an enthusiastic kickoff meeting, and 10 to 15 volunteer engineers. Three months in, the monthly security champion meeting is regularly missing half the participants because sprint commitments take priority. Six months in, the Slack channel has been quiet for weeks. The security team is still sending updates but nobody is engaging. Nine months in, the original champion list has not been updated and half the original champions have moved to different teams or left.

The failure patterns are consistent and recognizable. So are the fixes. This guide covers the diagnostic framework for identifying which failure patterns apply to your program, the structural changes that address them, and the indicators that tell you whether the revived program is actually working.

The Four Structural Failure Patterns Behind Most Stalled Programs

Pattern 1: Wrong value exchange. The program was framed as "help the security team by doing security reviews in your team." Engineers correctly recognized this as adding security team work to their sprint without a corresponding benefit. A value exchange that works from the engineer's perspective: "being a security champion gives you early access to security tooling, a direct line to the security team when you have a question, and visibility that supports your career development." The security benefit is real but secondary to the engineer's experience of participating.

Pattern 2: Wrong meeting format. Monthly 60-minute security champion meetings are designed for the security team's reporting cadence, not for engineers. A developer who is mid-sprint cannot commit a recurring hour every month without it causing friction with their manager. The meeting format that sustains participation: 15 minutes async (written update in Slack or Confluence) plus a 30-minute optional deep-dive for champions who want more context, held at a fixed low-conflict time (typically Thursday morning, not Friday afternoon).

Pattern 3: Wrong champion selection. Many programs recruit whoever volunteered, without considering whether those engineers have the leverage to actually implement security practices in their team. A security champion on a team where the tech lead is dismissive of security findings has no path to creating change. Champions should ideally be mid-to-senior engineers with technical credibility in their team, not necessarily the most security-interested junior engineer who volunteered.

Pattern 4: No visibility of security wins. Engineers who identify and fix security issues in their team see no evidence that their work mattered. No recognition, no metrics, no connection between their effort and any observable security outcome. This is the fastest way to extinguish volunteer motivation.

Diagnosing Which Patterns Are Killing Your Program

Before redesigning the program, run a short diagnostic. The goal is to understand which failure patterns apply so the redesign targets the actual problem rather than adding structure that addresses the wrong cause.

Interview five champions -- both active and inactive ones. Four questions:

"What has participating as a security champion done for you in the last six months?" If the answer is "not much" or "I have been able to help the team with a few security questions," you have a value exchange problem. Champions should be able to name concrete career or skill benefits.

"What has been the biggest friction point in participating?" If the most common answer involves meeting scheduling, sprint conflicts, or not knowing what is expected of them between meetings, you have a meeting format and expectation-setting problem.

"When did you last engage with the security team directly?" If most answers are "months ago" or "mostly through the champion meetings," you have an engagement model problem. Champions who only interact with the security team in formal meetings will deprioritize that relationship when sprint pressure increases.

"Can you point to a security improvement your team made because of your champion role?" If champions cannot answer this concretely, the program is not producing outcomes -- which means champions have no evidence of impact to sustain their motivation.

The answers cluster around one or two dominant failure patterns. Redesign those patterns first, rather than rebuilding the entire program.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The Value Exchange Redesign That Engineers Actually Participate In

The value exchange that sustains champion participation is built around three things engineers care about: skill development that is legible on a resume, direct access to expertise they would otherwise have to wait weeks to get, and recognition that is visible to their manager and peers.

Skill development. Champions get first access to security training budget, certifications, and tool licenses. In concrete terms: budget allocation for SANS or other security training (platforms like SafeStack for Security Champions are purpose-built for this role), a dedicated Slack channel with the security team where champions can ask questions and get answers within 24 hours, and early access to security tool deployments (champions get the tool first, become internal experts, and train their team). These are tangible resume-legible benefits that justify the time investment.

Direct access. When a champion or their team needs a security review, architecture consultation, or threat model session, champions go to the front of the queue. A non-champion team waits for the security team's open review slots. Champions get a dedicated scheduling path. This makes the champion role visibly valuable during the moments when teams actually need security expertise.

Recognition. Security wins attributed to champions are reported to engineering leadership in the security metrics that the security team already sends to leadership. "The payment team identified and patched a SQL injection vulnerability in the reporting API before it reached production -- with the security champion leading the investigation" is a visible outcome for the champion's manager and VP. This visibility supports performance review narratives and does not require separate champion award programs or ceremonies.

Meeting Format and Cadence Changes That Fit Engineering Schedules

The sustainable champion touchpoint cadence has three components:

Weekly 15-minute async update in the dedicated Slack channel. The security team posts: one threat intelligence item relevant to the technologies the champion's team uses, one security tool tip or technique, and one open question or request for champions to share something from their team. Champions respond if something is relevant. No mandatory attendance. The async format means sprint commitments do not create conflict.

Bi-monthly 30-minute optional deep-dive. Every two months, the security team hosts an optional 30-minute technical session on a topic requested by champions: threat modeling a specific architecture, walking through a recent real-world breach relevant to the tech stack, or hands-on time with a new security tool. Optional means engaged champions attend, disengaged ones do not -- and the attendance pattern tells you which champions are still active without requiring you to track attendance formally.

Quarterly security champion impact review. Once a quarter, the security team produces a one-page summary of what the champion program has produced in the last 90 days: vulnerabilities identified, security improvements implemented, security reviews enabled faster, and training completed. This goes to champion managers as part of regular reporting. It is the accountability artifact that keeps the program visible to engineering leadership and gives champion managers a reason to protect champion time.

The total time commitment for an active champion is approximately 30 to 45 minutes per week. That is a defensible time allocation that most engineering managers will not contest if the value exchange is clear.

Refreshing the Champion Roster Without Losing Institutional Knowledge

Champion programs go stale partly because the roster itself never changes. Original champions move to different teams, lose interest, or leave the company -- but the program list is not updated, so the security team is engaging with a list of people who are no longer in the relevant roles.

A sustainable champion roster has two rules: champions are associated with a team or domain rather than with an individual, and the list is reviewed quarterly.

Associating champions with teams rather than individuals means that when a champion moves to a different team, the champion slot belongs to the original team and needs to be filled. The departing champion can nominate a replacement from their old team. The security team confirms the replacement is in an appropriate role (mid-to-senior engineer with team credibility) and runs an onboarding meeting to transfer context. This prevents the "ghost champion" problem where the program has a list of names but many of those engineers are no longer in positions where they can act on champion responsibilities.

The quarterly roster review does not need to be a formal process. A simple check: for each champion slot, confirm the person is still on the relevant team and confirm they have engaged with at least one champion activity in the last 90 days. Champions with no engagement in 90 days get a direct message: "Are you still interested in the champion role? If your priorities have shifted, we can find a replacement." Most of the time, the response is either re-engagement or a graceful exit. Both are better than a ghost champion.

The Metrics That Tell You Whether the Revival Is Working

Three metrics indicate whether a revived security champion program is producing outcomes rather than just participation:

Active champion rate. The percentage of champion slots with at least one concrete security activity in the last 90 days: a security review, a vulnerability identified and escalated, a security training completed, or a question asked through the champion direct channel. A healthy program should have 70% or more active champions. Below 50%, the revival has not yet addressed the participation problem.

Security findings attributed to champions. Security vulnerabilities identified or security improvements implemented where a champion was the initiating actor. This metric requires a tracking convention: when a champion identifies a vulnerability, the finding in your vulnerability tracker is tagged with the champion's name and team. This produces both the impact data for leadership reporting and the recognition artifact that sustains champion motivation.

Security review cycle time for champion teams. Compare the average time from a security review request to completed review for teams that have active champions versus teams that do not. Champion teams should have faster review cycle times because champions handle initial triage and pre-work, and because they go to the front of the scheduling queue. If there is no cycle time difference, the champion program is not producing the operational efficiency it should.

Measure these three metrics at the six-month mark after the revival. If the active champion rate is above 70%, security findings are being attributed at a rate of at least two per active champion per quarter, and review cycle times are 20% or faster for champion teams, the revival has worked. If not, repeat the diagnostic interview process -- the remaining failure pattern has not yet been addressed.

The bottom line

A security champion program that has gone quiet is not a motivation problem. It is a design problem. The four structural failure patterns -- wrong value exchange, wrong meeting format, wrong champion selection, and no visibility of wins -- are each fixable with specific structural changes that do not require additional budget or executive mandate. Diagnose which patterns apply by interviewing active and inactive champions. Redesign the value exchange around engineer career incentives rather than security team workload needs. Shrink the meeting format to fit sprint schedules. Review the champion roster quarterly and associate slots with teams rather than individuals. Measure the three outcome metrics at six months. A security champion program that produces findings, accelerates reviews, and sustains participation is worth the investment. One that has a roster of names who never engage is not.

Frequently asked questions

Why do most security champion programs fail?

Most security champion programs fail due to one or more of four structural problems: a value exchange framed around security team needs rather than engineer career incentives, a meeting format (typically monthly 60-minute sessions) that conflicts with sprint work, champion selection that prioritizes enthusiasm over team credibility and leverage, and no visible connection between champion activities and security outcomes that reach engineering leadership. The failure is structural, not motivational -- engineers who volunteer for security champion roles generally care about security, but programs that do not work with how engineers spend their time will lose participation regardless of initial enthusiasm.

How do I get engineers to stay engaged in a security champion program?

Build the value exchange around three things engineers care about: skill development that is legible on a resume (training budget, certifications, tool access), direct access to security expertise (champions go to the front of the review queue and get 24-hour response in a dedicated channel), and recognition that reaches their manager (security wins attributed to champions appear in security metrics reported to engineering leadership). Engineers who see their champion role supporting their career development sustain participation through sprint pressure. Engineers who see their champion role as volunteering extra work for the security team do not.

What is the right meeting cadence for a security champion program?

Replace monthly 60-minute mandatory meetings with three touchpoints: a weekly 15-minute async update in Slack (security team posts one threat intelligence item, one tool tip, and one question -- champions respond if relevant, no mandatory engagement), a bi-monthly optional 30-minute deep-dive on a topic requested by champions, and a quarterly one-page impact review sent to champion managers. Total time commitment is 30 to 45 minutes per week for active champions -- defensible without competing with sprint work.

How should I select security champions?

Select mid-to-senior engineers with technical credibility in their team rather than whoever volunteers most enthusiastically. A security champion on a team where the tech lead dismisses security findings has no leverage to create change. Associate champion slots with teams rather than individuals -- when a champion moves to a different team, the slot stays with the original team and needs to be filled. Review the roster quarterly: a champion with no engagement in 90 days should be contacted directly and either re-engaged or gracefully replaced.

How do I measure whether a security champion program is working?

Three metrics indicate program health: active champion rate (percentage of champion slots with at least one concrete security activity in the last 90 days -- healthy programs are above 70%), security findings attributed to champions (vulnerabilities identified or improvements implemented where a champion was the initiating actor, tracked in your vulnerability management system), and security review cycle time for champion teams versus non-champion teams (champion teams should show at least 20% faster cycle times if the program is producing operational efficiency). Measure these at the six-month mark after a program launch or revival.

What does a security champion actually do day-to-day?

Active security champions typically do five things: answer security questions from their team in the moment rather than escalating to the security team for routine questions, flag potential security concerns in code reviews before they reach formal security review, serve as the team's point of contact for the security team during vulnerability disclosure, application security reviews, and threat model sessions, complete security training and bring relevant learnings back to their team in sprint retros or tech talks, and participate in the async champion channel by engaging with security updates relevant to their team's technology stack.

How long does it take to revive a stalled security champion program?

Expect 3 to 6 months to see meaningful engagement improvement after implementing structural changes. The first month is diagnostic and redesign: interview champions, identify failure patterns, update the value exchange and meeting format. Months two and three are re-engagement: communicate the redesigned program to existing champions, refresh the roster for ghost slots, and run the new format consistently. Months four through six are the validation window: measure active champion rate, attributed findings, and review cycle times. Programs that address the dominant failure pattern correctly typically see active champion rate above 60% within 6 months of redesign.

Sources & references

  1. OWASP Security Champions Playbook
  2. SAFECode: Practical Security Stories for Development Teams
  3. BSIMM: Building Security In Maturity Model
  4. Google: Engineering Productivity Research on Developer Experience
  5. IEEE: Developer Perceptions of Software Security

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.