Created
July 14, 2025 22:56
jonathanhle created this gist
Jul 14, 2025
@@ -0,0 +1,93 @@ # Security Organization Structure (Reference Model) This document outlines a structured and scalable security organization suitable for a high-growth, cloud-native technology company with significant infrastructure, regulatory obligations, and user-facing product surface area. The organization is designed for ~1,000 employees and ~150β200 engineers, and it aims to cover the entire security lifecycle: from build-time controls to runtime detection, incident response, compliance, and onchain or product-specific risk. --- ## π² Security Org Tree with Inline Role Scopes ### π Notation Each role in the org tree is followed by a `(num)` indicating **recommended headcount for that function**. ``` CSO/ βββ Deputy-CSO-or-CISO (1) β Strategic leadership; separates governance from execution βββ Security-Engineering (30) β Builds and defends core systems: AppSec, Infra, IAM, Crypto β βββ Application-Security (7) β Secures code, libraries, pipelines, and partner teams β β βββ AppSec-Engineers (3) β SAST, secure reviews, bug triage, developer enablement β β βββ Threat-Modeling (1) β Architecture analysis and attack surface definition β β βββ Partner-Security (1) β Embedded security with product teams β β βββ CI-CD-Security (2) β Protects the build pipeline, secret scanning, signing β β βββ Pipeline-Hardening (1) β Controls for Jenkins/GitHub/GitLab workflows β β βββ Build-Signing-Tooling (1) β SLSA/Cosign, enforce artifact integrity β βββ Infrastructure-Security (10) β Hardens infra runtime: cloud, containers, K8s, network β β βββ Cloud-Security (2) β IAM boundaries, SCPs, IaC policies β β βββ Host-Hardening (1) β Hardened AMIs, OS security, EDR config β β βββ Network-Architecture (1) β Segmentation, egress policies, bastion/ingress rules β β βββ PKI-Engineering (2) β Internal CA, mTLS, cert rotation, SPIFFE/SPIRE β β β βββ Internal-CA (1) β Vault/StepCA management β β β βββ Cert-Lifecycle-Automation(1) β Rotate, revoke, alert β β βββ Container-Security (2) β 
Image scanning and runtime protection β β β βββ Image-Scanning (1) β Build-time SBOM/Vuln checks β β β βββ Runtime-Enforcement (1) β Admission controls, runtime constraints β β βββ Kubernetes-Security (2) β Cluster policy, RBAC, and control plane protection β β βββ Admission-Control-Policy(1) β OPA, Kyverno, baseline guardrails β β βββ K8s-RBAC-Hardening (1) β Audit roles, limit escalation β βββ IAM (4) β SSO, JIT, Secrets, Identity lifecycle across internal systems β β βββ Directory-Integration (1) β Okta/GWS/AAD SCIM connectors β β βββ RBAC/JIT-Access (1) β Role enforcement, TTL-based elevation β β βββ Secrets-Management (2) β Vault, AWS KMS, secure workflows β βββ Cryptography (4) β Custody keys, MPC infra, HSMs, threshold signing β βββ MPC-Platform (2) β Key orchestration and custody workflows β βββ Key-Lifecycle/HSMs (2) β Signing infra, key splits, storage logic βββ Security-Operations (16) β Detect, respond, and automate against real threats β βββ Threat-Detection-and-Response (7) β Detection logic, SOAR, threat intel β β βββ Detection-Engineering (3) β SIEM pipelines, detections-as-code β β βββ Threat-Intel (2) β Actor mapping, TTPs, intel feeds β β βββ SOAR-Automation (2) β Triage orchestration, auto-response playbooks β βββ Incident-Response (5) β On-call, IR plans, forensics, containment β β βββ On-Call-IR (2) β Triage, escalation, coordination β β βββ Forensics/RCA (2) β Artifact handling, root cause β β βββ Tabletop-Exercises (1) β IR maturity, team drills β βββ Insider-Threat (4) β DLP, high-risk access, behavioral monitoring β βββ DLP-Monitoring (2) β GWS/DLP, SaaS monitoring β βββ Privileged-Access-Analytics (2) β Detection for abuse of access βββ GRC-and-Compliance (6) β Controls, policy, audit, vendor risk β βββ Audit-Readiness (2) β SOC2, ISO27001, SOX testing β βββ Risk/Control-Mapping (2) β NIST, CIS, CSA CCM frameworks β βββ Vendor-Risk (1) β Third-party assessments and onboarding checks β βββ Policy-and-Awareness (1) β Internal policy docs 
and security training βββ Trust-and-Safety (5) β User trust, abuse prevention, fraud response β βββ ATO-Detection/Mitigation (2) β Detect account takeovers, enforce MFA challenges β βββ Abuse-Detection (1) β Scraping, spam, and API abuse β βββ Customer-Escalation-Support (2) β Handles inbound security tickets w/ CX βββ Blockchain-Security (4) β Smart contract risk, onchain analytics, bridge security β βββ Smart-Contract-Review (2) β Manual audits, fuzzing, static analysis β βββ Protocol/Bridge-Analysis (1) β Risk scoring of L1/L2 chains and bridges β βββ Onchain-Threat-Detection (1) β Real-time detection of illicit activity βββ Security-Partners (3) β Embedded security engineers within core teams βββ Embedded-Infra-Squad (1) β Works with platform, DevOps, cloud teams βββ Embedded-Product-Squad (1) β Partners with feature teams on secure design βββ Launch-Threat-Assessment (1) β Reviews high-risk launches and changes ``` --- ## π Security Headcount vs Company Size (Recommended) | Company Size | Engineers | Recommended Security HC | % of Eng | |------------------|-----------|-------------------------|----------| | ~1,000 employees | 150β200 | 60β70 | 30β40% | | ~500 employees | 75β100 | 30β40 | 35β40% | | ~250 employees | 35β50 | 15β25 | 40β50% | --- ## π How to Use - **Phase hiring**: prioritize InfraSec, AppSec, TDR, IAM, GRC β then scale out crypto/onchain/security partners - **Use the tree** to define ownership boundaries, accountability, team charters, and hiring plans - **Adapt to org size**: each sub-tree is independently scalable by company maturity
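Review bot: In the org tree, Security-Engineering is listed at (30), but its four children sum to 25: Application-Security (7), Infrastructure-Security (10), IAM (4) and Cryptography (4). Every other parent in the tree equals the sum of its children, so either change the parent to (25) or add a line that accounts for the remaining five. With (30) the top-level total is 65 and with (25) it is 60, both inside the 60 to 70 the table gives for ~1,000 employees, so the table does not settle which figure is intended. The "% of Eng" column also needs its basis stated: 60 to 70 security staff against 150 to 200 engineers works out to roughly 30 to 47%, not the 30 to 40% shown, and the other two rows are similarly narrower than their own ranges allow.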