I hear the term security champions being thrown around quite often and how important it is for some to start building the program. I’ve seen different companies approach the topic very differently with some succeeding and some outright failures. Some have started with initiatives to train their entire development organization to understand security a little better before heading down this path. Some have asked for volunteers and incentivized them to help be part of the team and help build the process. Others may go ahead and just select individuals themselves and “volunteer” them to be the bridge for the teams.
My question for you all is, what has your experience been like? Is there a method that works better than others? What are some great ways to start this discussion with various teams and how do we get them more engaged? Where should a company start when thinking of building a Security Champions program? Are there any specifics that need to be considered before starting these conversations?