THIS ARTICLE ORIGINALLY APPEARED ON LINKEDIN.COM
Bridging the Unique Contributions of Both Security Engineers and Software Engineers
Anyone who's worked at the intersection of software development and security for any length of time knows this hard truth: the relationship between these two worlds is often strained. Even though both teams share the same ultimate goal—building and delivering reliable, resilient software—they often end up at odds. Security pushes for fewer vulnerabilities and tighter controls; developers push for speed, flexibility, and delivering features that drive business value.
Over time, this natural tension can calcify into frustration, mistrust, and what many call a "broken marriage." In fact, a recent talk from OWASP Global AppSec SF 2024, “Escaping Vulnerability Hell: Bridging the Gap Between Developers and Security Teams” by Ahmad Sadeddin highlighted this issue quite well. In summary, security teams feel outnumbered and overwhelmed, while developers feel misunderstood and bombarded by noisy, unhelpful findings. AI may be making promising strides in vulnerability detection, but the human relationship challenges remain largely unsolved.
This is where security champion programs can make a meaningful difference—if they're implemented with care.
The Real Challenge Isn't Technical
Too often, we treat security purely as a technical problem. If we could just find the perfect scanner, the most advanced AI model, or the most airtight process, we'd finally "fix" security. But security is ultimately a human problem—one rooted in organizational behavior, incentives, and culture.
Security professionals often ask why developers keep introducing vulnerabilities despite training and tooling. Developers, on the other hand, ask why security keeps sending them alerts that are either false positives or so lacking in context that they're effectively useless. Here’s a video that captures this conflict quite well, in my opinion 😉: https://youtu.be/r0XqK_Y_abQ?si=-zrIvtgah90EXDvv
What both sides are experiencing is a breakdown of trust, shared language, and mutual understanding. This isn't something a tool can fix on its own. It requires people embedded within both worlds who can translate, empathize, and collaborate.
The Champion Program Advantage
Security champion programs succeed not because they solve staffing shortages, increase security team headcount, or turn developers into full-time security experts overnight. They succeed because they create a bridge between development and security cultures.
Security champions are developers who volunteer or are selected to serve as liaisons between their development teams and the security organization. They're uniquely positioned because they already have credibility and context within their own teams, while also receiving additional training, access, and partnership from the security organization.
Through this bi-directional relationship, they can:
- Help roll out security initiatives by translating them into language and workflows their teammates actually understand.
- Offer insight to security teams about real-world development constraints.
- Advocate for better tooling, processes, and training that reflect how developers actually work.
This translation function is one of the most powerful aspects of a champion program—and one that no static code scanning tool can replicate.
Champions will also, over time, be able to offer high-level guidance on how to find, fix, and prevent vulnerabilities within the specific context of their team’s workflows. With the security knowledge they gain, they’re in a strong position to recognize when deeper expertise is needed and to proactively facilitate engagement with the security team. This isn’t about turning developers into security professionals—it’s about empowering them to guide their teams with clarity and confidence.
That said, it’s a common misconception that champions are meant to fill gaps caused by underfunded or understaffed security functions. They are not. Champions serve a unique and valuable role as cultural influencers and capability enhancers. But it still takes highly skilled and dedicated security professionals to implement and maintain a complete cybersecurity capability.
Avoiding the Biggest Pitfall: The Crumple Zone Effect
In the talk I referenced earlier, someone raised a deeply insightful concern: "How do we keep security champions from becoming the next crumple zone?" In other words, how do we prevent them from simply absorbing the burden that security teams can't handle, becoming overwhelmed and ineffective?
This is the fatal trap that many champion programs fall into. It's tempting for short-staffed security teams to offload all the threat modeling, vulnerability triage, design reviews, and other time-consuming operational work exclusively onto the champions, leading them to feel overworked, under-resourced, and ultimately disengaged.
Instead, what’s needed is a clear, well-defined set of responsibilities that reflects a relationship of mutual ownership between both security and engineering teams.
A security champion’s role is to amplify security awareness, advocate for secure design, and help integrate security controls in the development lifecycle. They are force multipliers for security culture who are in a unique position to bridge the gap between their team and the security team—not replacements for security experts, and not the only people on their team who should perform security-related tasks.
Here's how champions can play a meaningful role in addressing operational responsibilities alongside their teams, without becoming overloaded:
- Facilitating early conversations: Champions help ensure that security is considered during design and planning stages, reducing the number of vulnerabilities introduced downstream and ultimately saving time and money for the business.
- Acting as first-line advisors: When their teammates encounter security issues, champions can provide direct guidance based on their knowledge or determine it’s time to bring in additional help and connect them quickly with security experts.
- Promoting paved paths: Champions advocate for reusable secure patterns, libraries, and frameworks that prevent classes of vulnerabilities from arising in the first place.
- Participating in targeted initiatives: Champions may recommend and participate in focused technical debt or security remediation sprints or campaigns, ensuring the scope is appropriate and well-defined.
- Influencing process improvements: Champions surface recurring issues that indicate systemic problems, driving broader process or tooling changes to improve secure development practices across teams.
In this way, champions help their teams address vulnerabilities more efficiently by reducing ambiguity, improving knowledge, and accelerating access to the right resources—without being personally responsible for triaging or fixing every issue themselves.
Again, champions are not there to fill gaps caused by underfunded or understaffed security functions. Champions serve a unique and valuable role as cultural influencers and capability enhancers, but it takes highly skilled and dedicated security professionals to implement a complete cybersecurity capability.
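To make the "paved paths" item above concrete, here is an added example that is not part of the original article: a hypothetical `SafeQuery` wrapper that forces every database lookup through bound parameters (so a whole class of injection bugs is designed out rather than caught in review), placed beside the ad-hoc string-built query it replaces, plus a small check a champion could wire into code review to flag the ad-hoc pattern. The table, the sample users, the `SAMPLE_SOURCE` snippet and all function names are constructed for the illustration; the regexes are deliberately simple heuristics, not a production linter.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, name):
    """The ad-hoc pattern a paved path replaces: the value is spliced into the SQL
    text, so a crafted name changes what the query means."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


class SafeQuery:
    """Hypothetical paved-path wrapper. Callers pass a fixed template with '?'
    placeholders and the values separately; values are always bound as
    parameters, and templates that carry quoted literals are refused so nobody
    can slip back into building SQL by hand."""

    _QUOTED_LITERAL = re.compile(r"=\s*'[^']*'")

    def __init__(self, conn):
        self._conn = conn

    def fetch(self, template, *params):
        if template.count("?") != len(params):
            raise ValueError("placeholder count does not match parameter count")
        if self._QUOTED_LITERAL.search(template):
            raise ValueError("pass the value through a '?' placeholder, not inside the template")
        return self._conn.execute(template, params).fetchall()


def find_user_safe(conn, name):
    """Same lookup through the paved path; an injection payload is just an unmatched string."""
    return SafeQuery(conn).fetch("SELECT name, role FROM users WHERE name = ?", name)


# A champion can also make the paved path the path of least resistance by flagging
# the ad-hoc pattern in review. This heuristic finds execute() calls whose SQL is
# built with an f-string, %-formatting or str.format on the same line.
_INTERPOLATED_SQL = re.compile(
    r"""\.execute\w*\(\s*(?:f["']|["'][^"']*["']\s*%|.*?\.format\()"""
)


def flag_interpolated_sql(source):
    """Return (line_number, line) pairs whose SQL is assembled by string interpolation."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _INTERPOLATED_SQL.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed source snippet to run the review check against.
SAMPLE_SOURCE = '''
conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
conn.execute("SELECT * FROM users WHERE name = '%s'" % name)
conn.execute("SELECT * FROM users WHERE name = '{}'".format(name))
conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("ad-hoc query returns:", find_user_unsafe(db, payload))   # every row
    print("paved path returns:  ", find_user_safe(db, payload))     # nothing
    for lineno, line in flag_interpolated_sql(SAMPLE_SOURCE):
        print(f"review flag line {lineno}: {line}")
```

The point for a champion is the shape of the intervention, not this particular wrapper: the secure pattern is the easy default, the unsafe one is visibly harder and gets caught early, and neither the champion nor the security team has to triage each individual query.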
Building Motivation Through Meaningful Participation
Champion programs are voluntary by definition, so genuine enthusiasm and active participation cannot be mandated. To sustain engagement, champions must see personal value in the program. This value doesn't have to come from expensive material rewards. What champions often find most motivating is:
- Gaining meaningful skills that advance their careers.
- Becoming recognized internal leaders and trusted advisors.
- Playing a visible role in improving the quality and resilience of their team's work.
- Having a real voice in shaping security practices and tooling.
Culturally appropriate extrinsic motivators, such as points, levels (belts), and badges, are also effective. They are especially useful for tracking the actions, behaviors, and contributions that recognition should be based on.
Offering variety in how champions can contribute helps avoid burnout and keeps the experience fresh. Some may enjoy running brown-bag sessions; others may thrive on influencing architecture decisions or collaborating on secure coding libraries. The program should evolve to meet these different interests and skill levels.
Starting Small and Growing Responsibly
Champion programs don't need to launch at full scale to be effective. In fact, starting with a small, highly motivated group of early adopters is often the best way to validate the program design, identify gaps, and build early success stories that inspire others to join.
From there you can:
- Expand into new teams as business value is demonstrated and leadership support grows.
- Evolve roles over time as champions gain experience.
- Introduce leveling systems and advanced pathways for deeper technical and leadership education.
- Continuously gather feedback and refine program elements.
The most successful programs I’ve seen are living systems, not static projects, and the program administrators are dedicated to learning, adapting, and maturing the program alongside the organization.
Security and Development: Partners, Not Opponents
At the heart of all this is a simple truth: security and development cannot exist as opposing forces if we expect to build resilient, trustworthy software at scale.
Champion programs work because they shift the dynamic from "security vs. development" to "security with development." They create trusted relationships, shared language, and aligned goals. And they do it by focusing on people, process, and technology—in that order of priority.
The technical challenges we face in application security are real and evolving. Today, even in the age of AI, cultural challenges continue to be our biggest obstacle. Champion programs, thoughtfully designed and responsibly managed, offer a proven way to lean in, face these challenges head-on, and overcome them.
-- Dustin Lehr
FREE stuff:
The Security Champion Program Success Guide to help you build your own security champion program: http://securitychampionsuccessguide.org
The Tactical AppSec Champions' Field Guide to help support them in their role: https://info.securityjourney.com/tactical-appsec-field-guide
The Let's Talk Software Security virtual open discussion community - join to take part in topic-driven conversations every month: https://www.meetup.com/lets-talk-software-security
Dustin Lehr
I started my career as a software engineer and application architect spending over a decade writing code before transitioning into cybersecurity leadership. Today I specialize in building security programs that drive real behavioral change—leveraging motivation psychology and gamification to create sustainable security cultures.