
Security Champions: Advocates for cybersecurity in development teams

In our software development projects today, we have team members with different roles: developers who write code, testers who check whether requirements are met, digital designers who create a good user experience, and platform engineers who set up the infrastructure.
However, there is a critical gap: no one explicitly takes on the task of ensuring cybersecurity in the system. The security champion fills this gap as a dedicated role. Typically, a team member takes on this role in addition to their existing duties as a developer, architect or tester. In this way, they ensure the development of a secure and robust product from within the team.
Security Champion: one for every software development team
Security Champions create a culture of cybersecurity within the team and ensure that security is deeply integrated into the development process.
- They raise awareness of security and motivate team members to address security issues early and continuously.
- They establish a security-by-design approach and ensure that the development team has the right tools.
- They challenge the team and ensure that security is prioritised appropriately.
- They support the team and share their knowledge and best practices on security.
This makes Security Champions the central point of contact for the team, customers and other stakeholders for all security-related issues.

Tasks of Security Champions
Security champions improve security design by organising or performing protection needs analysis, threat modelling and risk assessment. From this, they derive security measures and write security and abuser stories or security perspectives for user stories.
They ensure that implementation is secure. A security champion introduces secure coding practices to the development team and checks the design and code for security. Setting up and operating a vulnerability management system is another important task.
To verify security, they talk to testers about appropriate testing measures, assess the need for penetration tests, organise these and set up dynamic application security tests. But it can also be really fun to hack your own system. See the article by my colleague Philippe Schrettenbrunner, ‘Have you broken anything today?’.
Last but not least, operations must also be secure. The Security Champion supports the team in setting up secure development and runtime environments and ensures that security incident management and emergency recovery are in place.
This portfolio of tasks requires a broad range of knowledge. How do Security Champions find their role?
Elan, coaching and practice lead to success
In our view, every team member can be a security champion. You don't have to be an expert from the outset, as long as you are passionate about security and enjoy educating yourself and others.
Coaching is essential during the induction process. Newly appointed security champions are assigned an experienced colleague who acts as a sparring partner.
In addition, we have compiled a wealth of information on actions and measures for a secure development lifecycle in our cybersecurity knowledge database, complete with background information and links to further resources. And in our Champions League, the community of security champions, colleagues can exchange ideas and share best practices.
Cybersecurity: iterative and incremental rather than all or nothing
Security champions are an excellent way to integrate cybersecurity deeply into development projects. It is important to build the process step by step. Trained security champions do not fall from the sky. Employees who are new to this role do not have to implement all of the measures described above from the outset. They can start with the first steps and learn more with each sprint, introducing more measures into their team. In this way, they contribute to developing a secure system right from the start.


Stefan Fleckenstein is Executive IT and Cybersecurity Architect at MaibornWolff. In his numerous projects for clients from a wide range of industries, he has built up extensive knowledge in both software engineering and information security. In addition to project management and architecture in software development projects, he advises companies on security in software and development processes and is frequently the lead auditor in software health checks.