👋 Hello all! So, how big is your security organization and how are responsibilities split across teams?
I’ve been through I don’t know how many reorgs and seen quite a few place, and while some patterns emerge it’s always interesting to see how Security is split up.
In my current company we evolved from:
- 6ppl: one security team
- ~12ppl: one security team, distributed between two locations
- ~12ppl: infrasec team, appsec team
- ~30ppl: infrasec team, dir team, appsec team, risk/audit team
- ~60ppl: infrasec team, dir team, corpsec team, appsec tooling team, appsec consulting team, risk/audit team, compliance team
I work at a top-10 US bank. If you add our contractors, we have nearly 1000 people in the cyber org. I have 26 people in my direct report org and 235 in my dotted-line org. The 26 folks in my direct report org only do firewall policy changes.
it’s impressive! How does your infrastructure looks like? Is it 100% on prem?
Not completely. We have about 50% of workloads on-prem, 25% in IaaS, and 25% in SaaS. We’re slowly moving to the cloud, but only when it makes sense. We only build cloud-native apps.