Adding Security Champions to Divide Responsibilities Multiplies Collaboration and Subtracts Friction

  • Writer: Sammy Migues
  • 6 days ago
BSIMM Security Champions


I first wrote about security champions in 2008, though we called them the "security program satellite" back then. We saw these teams emerging in the early BSIMM data; pioneers like Adobe, Google, and Microsoft were deploying them to help their AppSec programs scale.


What began as a luxury item for very large organizations 20 years ago has become a force-multiplying operational necessity today.


The group now known as Black Duck recently released BSIMM16, the latest edition of the highly regarded annual report on the state of application security. With data from 111 firms gathered through in-person interviews and artifact reviews, the report offers a stark look at what separates the leaders from the laggards.


Amongst its insights, one thing is certain: Security champions are a common denominator of success.


Full disclosure: While I led BSIMM technical efforts from 2008 to 2022 and contributed to the 2023-2024 reports, I am not affiliated with Black Duck. I continue to conduct BSIMM assessments and help organizations build champion programs.



The Reality of Scale


To understand why champions matter, look at the sheer physics of the modern development environment. The 111 firms in BSIMM16 manage, on average:


  • 33.5 AppSec team members (Median: 10)

  • 2,038 Developers (Median: 650)

  • 820 Applications (Median: 100)


That is a massive amount of surface area for a small central team to cover. Out of these 111 firms, 46 had no security champions, while 65 had built programs totaling 6,498 champions. Coverage varied for those 65 firms, with smaller orgs (< 650 devs) averaging a 1:6 Champion-to-Dev ratio, and larger orgs (>650 devs) averaging a 1:17 Champion-to-Dev ratio. This approach allows the AppSec program to live where the work happens (in the engineering world) rather than shouting from a central silo.



The Correlation: Champions = High Performance


BSIMM16 divides firms into three tiers based on their activity scores (the number of BSIMM security controls they’ve successfully implemented). The correlation between "doing AppSec well" and "having a champions program" is undeniable:



To put a fine point on it, the bottom 20% of the BSIMM16 data pool of 111 firms includes only seven that also have a champions program, and the average score for those seven firms is just over 23. The average score for the firms with a champions program in the top 20% is over 80, or about 3.5 times the number of security controls implemented.


The takeaway: If you want to be in the top tier of AppSec programs globally, a champions program isn't just a "nice to have," it is essentially a statistical requirement.



Work Smarter, Not Larger


The data also debunks the myth that you need a massive central team to be effective. In fact, the top 20% of firms actually have smaller central AppSec teams relative to their developer count (a ratio of 2.7) compared to the bottom 20% (ratio of 6.8).


From the security controls perspective, we again see a stark contrast. The bottom 20% by score (22 of 111 firms) have an average score of 22.4 and the top 20% have an average score of 76.9. You might argue a bit about correlation and causation, but you can’t argue with the results.


How do they get more done with fewer central bodies? They empower the perimeter. The high-scoring firms have a champions-to-developer ratio of 12.3, nearly triple that of the low-scorers.



Age, Wisdom, and Survival


AppSec programs get wiser as they age. In BSIMM16, 55% of organizations that are on their first measurement lacked a champions program. However, for organizations that have been through the assessment multiple times, 84% have built a champions team.


Whether they build them because they are "older and wiser" or because the champions program is what allowed them to survive long enough to grow old is up for debate. I personally believe a champions program is a fundamental requirement for long-term program viability.



The Cost of Doing Business


Let’s be realistic: Security Champions programs are not free. Starting one without a named leader and an approved budget is a mistake. To succeed, you must provide:


  1. Tailored Training: Ongoing skill-building that makes sense for their specific engineering stack.

  2. Integrated Tooling: Tools that live within their CI/CD toolchain, not separate "security-only" portals.

  3. Executive Support: This cannot be bootstrapped by one proactive volunteer; it requires organizational "teeth."



Conclusion: The Translation Layer


Twenty years ago, it was easier to teach an engineer about security than it was to teach a security auditor about the SDLC. While the "security" persona has evolved to be more technical, the need for a translation layer remains.


A skilled security champions team understands that software must have good hygiene, and they also understand that features must ship for the company to succeed. They reduce friction, provide context for vulnerabilities, and turn security processes that could be roadblocks into a natural byproduct of engineering. A security champions program is an excellent way to stretch your application security dollar.
