You need to start somewhere. And if your goal is too much too soon according to time and resources, then the dev team will correctly push back and find their way! Maturity models offer a way to define a set of intermediate goals to increase the maturity, in this case of the security champion programme. But what is a security champion? really anyone that is willing to talk about security, at least at the beginning, communication and mutual trust is key. Dev teams have to receive added value from security practices, not impediments. Closer team collaboration is also key for DevSecOps programmes. Here is an example, the first phase is really to find the people to talk and have mutual trust with...and in structured organizations may be as well challenging. Here's a Wardley Map about the maturity evolution and dependencies of the security champion "assets". Note: Vertical axis represent visibility, low to high. The horizontal axis represents maturity: Weak to Expert.