👋 Hello all! So, how big is your security organization and how are responsibilities split across teams?

I’ve been through I don’t know how many reorgs and seen quite a few place, and while some patterns emerge it’s always interesting to see how Security is split up.

In my current company we evolved from:

  • 6ppl: one security team
  • ~12ppl: one security team, distributed between two locations
  • ~12ppl: infrasec team, appsec team
  • ~30ppl: infrasec team, dir team, appsec team, risk/audit team
  • ~60ppl: infrasec team, dir team, corpsec team, appsec tooling team, appsec consulting team, risk/audit team, compliance team
  • Zui
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Hi! 60 people is impressive! I’m at a startup, so we’re a lot smaller than that, but at least we have one!

    Oh btw it’s either “how does … look” or “what does … look like”, but never “how does … look like” 🤓

    • 0xCBEOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Ah-a TIL 😄 thank you, fixed

  • hawx
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    We have one team with ~ 10 people

  • Xavier AsheM
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I work at a top-10 US bank. If you add our contractors, we have nearly 1000 people in the cyber org. I have 26 people in my direct report org and 235 in my dotted-line org. The 26 folks in my direct report org only do firewall policy changes.

    • 0xCBEOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      it’s impressive! How does your infrastructure looks like? Is it 100% on prem?

      • Xavier AsheM
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Not completely. We have about 50% of workloads on-prem, 25% in IaaS, and 25% in SaaS. We’re slowly moving to the cloud, but only when it makes sense. We only build cloud-native apps.