Sportsbet has stood up a ‘security champions’ program, recruiting 42 senior staff to act as security ambassadors, asking questions of project teams and performing threat modelling.

The company, which has about 500 technology workers split between Melbourne and Cluj in Romania, took inspiration from AWS’ own security guardians program.
Guardians, in the AWS model, “make sure that security considerations for a product are made earlier and more often, helping their peers build and ship their product faster, [and] also work closely with the central security team to help ensure that the security bar at AWS is rising.”
Champions within Sportsbet have a similar role.
Head of security solutions and AppSec Gene Penman told AWS’ annual re:Inforce security summit that before the champions program, there were “too many occasions where projects would come to us five minutes before go-live, asking for a security approval, with little to no consideration of our security requirements [and] no threat modelling done.”
“It's really frustrating for us in security, but it's also frustrating for the business,” Penman said.
“Nobody wins in these situations.”
'Friends of security'
Sportsbet has 25 delivery teams “running hundreds of concurrent initiatives”, each operating with a high degree of autonomy.
There was some informal security capability in some teams, but it varied; Sportsbet saw an opportunity to formalise and build on that.
“[There was] one key behaviour that we want to scale more across our teams,” Penman said. “We wanted more people across more of our teams to ask these questions more often: What are we building? What could go wrong? And what are we doing about it?
“That's threat modelling at its essence. But more importantly, it's just good, secure thinking. It's the kind of thinking that happens early and often, in design, and not in a review meeting five minutes before they want to go live.”
In the third quarter of last year, Sportsbet kicked off a pilot of the security champions program, with 10 engineers or developers that were already seen informally as “friends of security”.
“These are BAs [business analysts], engineers, senior developers, who just get it. They raise security questions early, they coach others in their teams on the right approach, the right way to do things; they take pride in the platform health of their stack and they engage with us [central cyber] proactively.
“These ‘friends of security’ were doing more of what we wanted, but they were doing it off the side of their desk. They weren't formally recognised or supported, and there just wasn't enough of them.
“So, we leaned into [their presence]. What if we could turn these organic behaviours into a structured, supported, distributed model that embeds security in every team?”
The security champions pilot became a way “to support staff that were already doing the right thing, already influencing secure delivery from within.”
Inside the pilot
Security solutions advisor Paul Johnson said the pilot ‘champions’ committed two hours a week to the program.
They underwent a “timeboxed onboarding program … aimed at achieving the baseline level of knowledge”, and were given access to a wiki and their own Slack channels to communicate with one another.
Johnson estimated it would take eight weeks to give a recruit “the foundational knowledge” to understand their role; “from six to 12 months to get to an intermediate level, where the champion was actively engaging with us and providing real value back to the security team, helping to cut down that security assessment time and providing that valuable tangible input back to us”; and “12 months to become an influencer and a mentor” to new ‘champions’.
Threat modelling at Sportsbet is aligned with the STRIDE model - which stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
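As an added illustration of what the STRIDE questions look like once they are written down against a design, the script below applies STRIDE-per-element to a small data-flow diagram. It is example code written for this page, not Sportsbet's or AWS's tooling and not the plug-in Johnson describes below. It goes beyond the one-line definition above by using the usual SDL mapping of categories to element types (external entities, processes, data stores, data flows) and by rating flows that cross a trust boundary without a mitigating control as high. The element kinds, zone names, the `encrypted` and `rate_limited` flow attributes, and the sample system are all constructed for the example.

```python
from dataclasses import dataclass

# STRIDE categories as listed in the article.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories are considered for each DFD element
# type (the usual SDL mapping; processes get all six, data flows only T, I, D).
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" | "process" | "store"
    zone: str   # trust zone the element lives in (assumed attribute)


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    encrypted: bool = False     # TLS or equivalent: covers T and I on the wire
    rate_limited: bool = False  # covers D for the receiving side


@dataclass(frozen=True)
class Finding:
    target: str
    code: str
    category: str
    severity: str
    note: str


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every element and data flow.

    Flows that cross a trust zone are rated high unless the flow attribute
    that mitigates the category is set; element findings start at medium so
    a reviewer knows where to look first.
    """
    by_name = {e.name: e for e in elements}
    findings = []
    for el in elements:
        if el.kind not in ("external", "process", "store"):
            raise ValueError(f"unknown element kind: {el.kind}")
        for code in APPLICABLE[el.kind]:
            findings.append(Finding(el.name, code, STRIDE[code], "medium",
                                    f"{el.kind} in zone '{el.zone}'"))
    for fl in flows:
        src, dst = by_name[fl.src], by_name[fl.dst]
        crossing = src.zone != dst.zone
        mitigated = {"T": fl.encrypted, "I": fl.encrypted, "D": fl.rate_limited}
        for code in APPLICABLE["flow"]:
            if mitigated[code]:
                sev, note = "low", "mitigated by flow control"
            elif crossing:
                sev, note = "high", f"crosses trust boundary {src.zone} -> {dst.zone} unmitigated"
            else:
                sev, note = "medium", f"within zone '{src.zone}', unmitigated"
            findings.append(Finding(fl.name, code, STRIDE[code], sev, note))
    return findings


def high_findings(findings):
    """The items a reviewer should read first."""
    return [f for f in findings if f.severity == "high"]


# Constructed sample model (not Sportsbet's architecture): a browser talking
# to an API over TLS, the API writing to a database in plaintext across a
# zone boundary, and a third-party analytics endpoint fed from the frontend.
SAMPLE_ELEMENTS = [
    Element("browser", "external", "internet"),
    Element("api", "process", "dmz"),
    Element("db", "store", "internal"),
    Element("analytics", "external", "third-party"),
]
SAMPLE_FLOWS = [
    Flow("browser->api", "browser", "api", encrypted=True, rate_limited=True),
    Flow("api->db", "api", "db"),
    Flow("browser->analytics", "browser", "analytics", encrypted=True),
]

if __name__ == "__main__":
    for f in enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        print(f"{f.severity:6} {f.target:20} {f.code} {f.category:22} {f.note}")
```

On the sample model the high-severity list is exactly the two flows a reviewer would want surfaced before go-live: the plaintext API-to-database write and the unthrottled flow to the third-party endpoint. The value of the exercise is the list of unmitigated boundary crossings, not the full enumeration, so the script keeps the two separate.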
Making security 'feel better'
Johnson said the pilot achieved positive results and even led to some innovation in how threat modelling was performed in one part of the business.
“We had one of our champions, they work within a developer agility platform, and based upon now understanding threat modelling, they were able to go and create a custom plug-in that enabled threat modelling within that platform, which was a fantastic outcome,” Johnson said.
The threat modelling performed by ‘champions’ means that the central cyber team now typically has more information at its disposal when it comes time to perform a formal security review.
Johnson said that translates to “at least two hours” saved per review.
Security issues are also being identified and mitigated early in the development cycle.
“An engineer performed threat modelling on a system that hadn't gone live yet, but what we found was there was a third-party tool scraping data on our frontend that we didn't expect,” Johnson said.
“It wasn't within any of the initial designs but they had found it via threat modelling, and it saved us launching a product and having a third-party scrape data that we didn't expect and we didn't want [to be] scraped.
“That was able to be remediated before we went to production. It was a great outcome.”
While some outcomes of the ‘champions’ program could be quantitatively measured, Johnson also said that qualitative measures were an important metric.
“Some people in a business might say: ‘Oh, it's all about the hard metrics, we need numbers’. I disagree - I think for a security champions program, about 50 percent of it is the ‘feeling’ as a security team,” Johnson said.
“Does it feel better? Has the quality of engagements improved? Are [delivery teams now] providing the artifacts that we want - the threat models, the design documents, HLDs [high-level designs] - without [us] having to ask?
“Are security questions being surfaced more often? Do [teams] feel comfortable asking instead of just waiting till the last minute and avoiding us?”
Johnson said that some lessons had come out of the ‘champions’ program so far.
One was the need to insulate the ‘champions’ from being treated as “minions” of the security team.
He noted a case internally where the ‘champions’ were directly prompted to undertake work that was beyond their remit, which necessitated a “reset” of the “baseline expectation” on the ‘champions’.
“The learning here is technology-wide communication about the dos and don'ts of your ‘champion’, so that there isn't this false messaging around minions,” Johnson said.
“They're not minions. They're people and they've got a job to do, but a very defined one.”