This is a small side-quest. My first risk blog post is coming, but side-quests are more fun.

I was asked the other day, what I thought a security team should look like. Off the top of my head, I focussed on the things that have impact — AppSec, DevSecOps, Governance & Audit, Risk, IAM.

Later, I had a shower-thought (as reddit calls them), and ended up needing to sketch out what I thought a more comprehensive answer would be.

Since then, I’ve spent more time than I should trying to plot this out in a chart that doesn’t suck, since to do data-driven diagrams in LucidChart you need a bloody expensive plan, which I no longer have. Google Sheets failed catastrophically to draw this out for me, too.

With Gemini’s help (as ChatGPT generated invalid mermaid code for me), here’s a mermaid (referral link) data-viz:

  • as an image (not reproduced here):
  • here’s the link if you want to explore a bit more (zoom etc): https://www.mermaidchart.com/app/projects/6b563634-efca-458e-8be3-6c483e087568/diagrams/cb6390ca-f213-4b1c-9ca9-96f3f886c9a3/version/v0.1/edit

To help add context, for each role, I’ve arbitrarily mapped these to the six functions of the US-NIST CSF (obviously, in 2024-2025, a federal standards organization is going to publish their document as a PDF not in HTML. How 1997):

  • Govern (yellow)
  • Identify (blue)
  • Protect (purple)
  • Detect (orange)
  • Respond (red)
  • Recover (green)

Part of why I’m sharing this is to hopefully get some feedback / opinions. Jump down to the comments, or participate in the LinkedIn comments.

Hopefully you’ll see some dotted lines for where things interact.

A few of my thoughts are:

  • Operations (or customers/client) should own incidents, SLAs, SLOs, SLIs etc
  • Corporate IT belongs under a CIO (when you’re about 500-750 people), but otherwise CTO
  • Data also sits under CIO/CTO (although not abundantly clear here, I admit) — unless you’re a data business, in which case you probably have a Chief Data Officer
  • In a modern organization, everyone should interact with others — silos don’t help (apart from focus). Org charts don’t really communicate this especially well and I don’t understand mind-maps.
  • CISO is a chief officer and should not be subordinate, especially where there could be a (perceived) conflict of interest in line managers.
  • You might not have a Chief Legal Officer / General Counsel — you don’t always need one.
  • You might not have a Chief Privacy Officer, but if you’re in GBEU, you need a Data Protection Officer (by law). https://www.hewardmills.com/differences-between-a-data-protection-officer-and-a-chief-privacy-officer/ is an explainer of the differences between the two.

Dear reader, WDYT?