CISO AppSec Guide: People and Organisation

From OWASP


Part V: People and Organisation

V-1 Executive Summary

After setting up the program, strategy, risk management and policies, let's turn to the people and the organisational structures that can support and enhance the Application Security Strategies.


V-2 Organisation

Organisation Structures Variance

In order to analyse what would be good and effective organisation structures, it is useful to analyse the different dimensions of various best practices and their success criteria, strengths and weaknesses. Organisation structures can vary greatly from one organisation to another, and further reviews showed that even if functions carry the same name, they may still not actually carry the same responsibilities, capabilities or capacities.

Such criteria for organisational structures can be based on:

  • historical reasons (e.g. which department first started to care about security, or simple political calculations)
  • company culture (what organisational structure fits best with the company culture)
  • individual leaders' abilities and preferences (often, if a department leader has a background in one specific area, that area may be added into the security functions somewhat arbitrarily; equally, if the leader is sceptical about some areas, he may decide to leave such functions separate...)

Frameworks: Organization Design Principles

Synergies

  • Maximise synergies with related functions
  • Customer Value
  • Avoid conflicts of interest
  • influenced by history and personal strengths of some of the managers
  • more mature organizations less concerned with conflicts (as these can be resolved through other means), more oriented towards organizational synergies…

V-3 People and Education

(Figure: VA Metrics)

(Figure: Issue SDLC metrics)