Virtualization Technology News and Information
VMblog Expert Interview: Secure Code Warrior Explores the Most Important Security Investment - People


As organizations define their security maturity pathway and implement a realistic training program to improve software security, many companies overlook the importance of the PEOPLE who will be supporting and propelling their program forward. This year, in partnership with Evans Data Corp, Secure Code Warrior surveyed 1,200 developers globally and found that a large majority of developers (66%) expect security to become more of a priority over the next 12 to 18 months, while 82% of hiring managers expressed an interest in hiring developers who knew security over those who did not.

VMblog sat down with Pieter Danhieux, Co-Founder and CEO of Secure Code Warrior to discuss the need and the importance for organizations to have developer Security Champions in place to help build a positive, security-first culture.

VMblog:  Who is the ideal Security Champion?

Pieter Danhieux:  The ideal Security Champion should be a developer who is passionate about security and skilled in interpersonal communications. Their responsibility as a champion is to help their fellow developers improve their skills and thus the security maturity of the entire organization. Champions take a hands-on, technical role in helping their fellow developers; however, they should not be positioned as the security lead within the developer team. An organization should look for someone with a training-positive attitude that is excited about the idea of training and upskilling their fellow developers and open to new ideas and opportunities to learn and help their teammates thrive.

It's important to note that a right-fit security champion isn't necessarily the "best" at security within the team; while they certainly need high competence in that area, passion and a security-first mindset are paramount and won't necessarily be found in the person with the best on-paper secure coding skills.

VMblog:  What is their role as Security Champion?

Danhieux:  Because a Security Champion is working at the heart of development teams, they have a unique perspective and can play a valuable role in building engagement around training by: 

  • Helping identify vulnerabilities within their teams or applications
  • Encouraging peers to participate in tournaments, training, and assessments
  • Identifying areas for improvement and work with security executives to bring solutions that address persistent challenges

VMblog:  What are the different traits of a successful Security Champion?

Danhieux:  When choosing a Security Champion, it is important to find the developers who have shown an aptitude for secure coding and ones that go above and beyond.

We found that the most successful Security Champions have the following characteristics:

  • Positive and approachable with great communication skills
  • Passionate and enthusiastic about security
  • Interested in building secure coding skills (their own and others)
  • Organized and proactive
  • Motivated, and committed to refining their skills, empowering others to do the same
  • Works well in collaborative environments

VMblog:  How do you find the perfect Security Champion?

Danhieux:  There are a number of ways to find Security Champions that show an eagerness to learn and engage in secure coding.

Competitions and Tournaments

Secure Code Warrior is leading the way in cultivating this positive, security-first culture through friendly, interactive competitions. We just had our second annual Devlympics secure coding competition, which runs on Secure Code Warrior's Learning Platform, giving organizations and developers around the world the opportunity to test their skills against vulnerabilities in code and put their secure coding skills to work. This is a great opportunity to find security champions as you look for developers who are particularly excited, asking lots of questions, engaged in the idea of learning and encouraging those around them.

During the tournament, we had several users posting on our Discord channel that they wished they'd taken the day off so they could play longer, and there were many who were eager to encourage those who were still deciding whether to take the plunge and participate. I'd certainly be looking towards people like that as potential champions if they were in my organization.

General Recruitment Opportunities

After a successful competition, you will have a better idea of what to look for and even possibly have some candidates in mind. Other things you can do to recruit a security champion are:

  • Consider sending a survey to your development teams. This method lets interested parties nominate themselves for the position
  • Nominate developers that are particularly active with your current trainings

Other Tips and Recommendations

Here are a few other tips we've found helpful to consider for a Security Champion program. 

  • Have at least one champion per geographic region or programming language
  • Go with a reasonable ratio of champions to developers (1 champion per 50 developers)
  • Develop a Security Champion persona so you have a good idea of how to find future or additional champions quickly
  • Once a champion is chosen, leadership should send an email to development teams to acknowledge the selection
  • Invite Security Champions to a kick-off meeting to review organizational goals and how they can help or suggest ways to achieve them

With solid Security Champions in the mix, everyone can look forward to better engagement and overall security positivity at the ground level where it matters most. 

VMblog:  How will a security champion improve your organization's security-first culture? How do they make a difference?

Danhieux:  Security Champions make everything better. They help promote the shift towards a positive security-first culture within the development teams. Not every company chooses to use a champion program, but we've noticed much stronger results for those that do. Any organization that is fortunate enough to have a good handful of developer Security Champions will find their security maturity levels rising much faster as it helps to build a positive, lasting security-first culture.


Published Wednesday, November 02, 2022 7:30 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2022>