
Building a Security Champion Program (Without a Security Team)

You don't need a full security team to build security culture. Here's how to identify and empower Security Champions across your organization.

Companies between 20 and 100 employees know security matters, but they can't justify a dedicated security hire. So security becomes "IT's problem" or "everyone's responsibility"—which usually means it's nobody's responsibility.

There's a better approach: Security Champions.

What a Security Champion Actually Is

A Security Champion isn't a security expert. They're someone in your organization—a developer, an ops person, a team lead—who takes on security advocacy as part of their existing role.

They don't replace security expertise. They extend it. They're the person on each team who:

  • Asks "did we think about security?" before shipping
  • Answers basic security questions from colleagues
  • Escalates issues they can't handle
  • Represents their team in security discussions
  • Helps translate security requirements into team practices

Think of them as security liaisons embedded in the teams that build and operate your products.

Why This Works for Small Companies

Enterprise companies have Security Champions programs because central security teams can't be everywhere. Small companies need them for the same reason—except instead of a central team that's spread thin, they have no central team at all.

A Security Champion program gives you:

Distributed awareness — Security considerations reach every team, not just the teams that happen to talk to the one security-minded person.

Early issue detection — Champions catch security issues in planning and development, not just in production.

Cultural change — Security becomes part of how teams work, not an external review that happens at the end.

Compliance support — When auditors ask about security training and awareness, you have documented evidence of ongoing engagement.

Career development — Champions build valuable skills and often grow into security roles.

Identifying Potential Champions

Look for people who:

  • Already ask security questions naturally
  • Care about doing things right, not just fast
  • Have credibility with their peers
  • Can explain technical concepts to non-technical audiences
  • Show curiosity about how attacks actually work

Champions don't need to be the most senior person on a team. Often mid-level folks with energy and curiosity make better Champions than senior engineers who are too busy with other responsibilities.

Critically: Champions should volunteer, not be voluntold. Forced Champions become resentful Champions, and resentful Champions don't actually champion anything.

What Champions Actually Do

Here's a realistic scope for a Security Champion in a small company:

Weekly:

  • Monitor team communications for security questions and answer or escalate
  • Share relevant security articles or updates in team channels

Monthly:

  • Lead a brief security topic in team meetings (5-10 minutes)
  • Review upcoming work for security considerations
  • Connect with other Champions to share learnings

Quarterly:

  • Participate in security reviews or tabletop exercises
  • Update team on any policy or procedure changes
  • Report on team security metrics (if tracked)

This is maybe 2-4 hours per month—material but not overwhelming.

Enabling Your Champions

Champions need support to be effective:

Training — Basic security awareness isn't enough. Champions need deeper knowledge about secure development, common attack patterns, and your specific tech stack. Consider:

  • SANS courses (expensive but thorough)
  • OWASP training materials (free)
  • Vendor-specific security training for your cloud platform
  • Regular learning time budgeted into their work

Access — Champions should know who to escalate to when they're out of their depth. If you have a vCISO or security consultant, Champions should have direct access.

Authority — Champions need the ability to slow down or stop work that raises security concerns. Without this authority, they're just observers.

Recognition — The Champion role should be visible and valued. Include it in performance reviews. Celebrate Champions who catch issues early.

Common Failures

Picking the wrong people — Technical skill matters less than communication skill and credibility. A brilliant engineer who can't influence others won't be effective.

Over-scoping — Don't expect Champions to become security engineers. They're advocates, not experts.

Under-supporting — Champions without training or escalation paths burn out. They need resources.

No executive backing — If leadership doesn't visibly support the program, it becomes optional and fades.

Static membership — Champions should rotate to prevent burnout and spread knowledge. Two-year terms work well.

Starting Small

You don't need Champions on every team to start. Begin with:

  1. Identify 2-3 natural Champions who already exhibit the behaviors
  2. Formalize their role with a clear scope document
  3. Give them basic training and an escalation path
  4. Meet monthly as a Champion cohort to share learnings
  5. Expand gradually as you prove value

A three-person Champion program that actually functions is better than a twelve-person program that exists only on paper.

The Larger Goal

Security Champions aren't the end goal—they're a step toward a security-conscious culture where everyone considers security naturally.

When Champions are working well, security questions become normal. Developers think about input validation automatically. Ops folks question access requests. Product managers include security in requirements.

That cultural shift is what actually protects your organization. Champions are how you get there without a dedicated security team.


Need help designing or launching a Security Champion program? Our security awareness training and GRC advisory services support Champion enablement. Let's talk.

Jonathan Carpenter
Founder, Anchor Cyber Security