It is very important that security champions are given the time, the focus, the mandate and the information required to do their jobs.
The good news is that now that you have security champions (at least one per team), their work will allow you to see the difference between the multiple teams and the parts of a company who are able to make it work, and those who are struggling make it happen.
The key activity of the security champions is to participate in the security of his project: review code, fixing code, writing tests, knowing what is going on, maintaining the JIRA tickets, creating Threat Models, basically being involved in the security practices of the teams. This ultimately leads to better code, better project briefs, up-to-date documentation and tests for the application
Security champions should be able to spend at least one day a week on those activities which, although easy for management to accept, are in fact much harder to put into practice. In the beginning, Security Champions will barely be able to spend a couple hours a week.
One of the things you want to make sure you look at from a central point of view is exactly who is doing this kind of work, and who is actually able to spend the time doing it.
The good news is these things can be measured and tracked from the point of view of all the teams.
(from Software Quality book)
