Let's discuss the case of a B2B SaaS company with ~1k employees whose software runs in AWS, 100% developed in-house by tens of engineering teams, and I want to determine how to organize information security inside my company. My understanding is that there would be the following wide domains to cover, roughly:
- Internal company security:
- Security operations (incident response, reviewing AV/EDR alerts, handling phishing)
- Employees security training and awareness
- Securing internal IT infrastructure (servers and workstations, VPN, Office 365…)
- Compliance (SOC, PCI…)
- Application security: baselines, helping teams integrate static/dynamic scanning in their pipelines, managing pentests and remediations…
- Cloud security: architecturing the product in AWS, making sure the configuration is secure, vulnerability management, monitoring, etc.
From my experience, a single team handling all the above is challenging because of frequent context switching, the range of skills needed which is too wide, and the fact that you're easily getting out of touch with all that's happening in the company in various teams. I like [this post](https://j.vehent.org/blog/index.php?post/2019/09/25/Beyond-The-Security-Team) a lot, where the author discusses embedded security teams where you have security people both directly in engineering teams and in a centralized team for governance/compliance, but it lacks some practical ways of implementing it.
Say you have a headcount of 10 people for security (including managers / CISO). How would you go about organizing security teams in such a company? What would be the responsibilities of each team and their communication structure?