Security teams have generally always been lean, whatever the type, kind or size of the organization :-), but we are seeing that trend change, thanks to high-profile and increasingly sophisticated data breaches every other day and new privacy regulations being enforced across the world. I will try to summarize the key roles and responsibilities of the security team, specifically for a cloud-based product organization.
Head of Security and Compliance (CISO):
- Ensure the security and compliance programs are aligned with business objectives, company culture and changing priorities. This helps achieve the right balance between restrictions and convenience for all departments, so that security and compliance efforts are seen as a business enabler rather than, in the traditional view, a blocker to the speed of product/feature delivery and innovation.
- Stay informed about engineering and product backlogs and key new features, so that security and compliance planning can start ahead of time and there are no surprises at either end.
- Help the security engineer(s) and compliance specialist(s) resolve conflicting priorities.
- Maintain a healthy, curated set of external sources to stay updated on the latest breaches, attack and defence trends, upcoming regulations, commercial and open-source products, etc. To filter the overwhelming feed of this information and focus on the things that matter, you should know your business, your industry, and the current and upcoming technology stacks of your organization.
Security Engineer: Works with the engineering team to integrate security into each SDLC phase
- Define relevant secure coding and design guidelines.
- Perform manual code reviews for the sensitive/critical components of the product, i.e. those that touch the sensitive data and functions of the product.
- Stay updated on the latest architectural evolutions like microservices, Docker containers, distributed applications and serverless, and come up with approaches to securing them.
- Work with the Compliance Specialist to understand the requirements and automate not just security checks but also compliance checks and evidence generation, as much as possible.
- Raise awareness among engineering teams of the secure coding and secure design guidelines by picking relevant checks from the OWASP Top 10, the SANS Top 25, CVEs and CWEs. Understand these sources thoroughly so that they can be applied whenever required.
- Penetration testing of application, network and system, essentially using automated tools to catch at least the low-hanging fruit.
- Sit through critical engineering meetings and ensure security is considered at every phase.
- Keep a very good understanding of the product internals, external connections and integrations, and help the Compliance Specialist with their tasks.
- Maintain a good rapport with engineering managers and architects to make security part of day-to-day activities. Make security part of the definition of done, namely: sprint planning and estimation, functional specifications, technical specifications, stories for security and compliance (taking inputs from the Compliance Specialist); ensure security testing in unit/regression/functional/user-acceptance tests; and sign off the feature/sprint release from a security perspective.
Compliance Specialist: Keeps updated on currently applicable and upcoming security and privacy regulations and standards like ISO, SOC 2, GDPR, Privacy Shield, CCPA, PCI, HIPAA, etc.
- Acts as a bridge between third-party and regulatory auditors and internal stakeholders.
- Syncs up with the Security Engineer to ensure SDLC security compliance requirements are met.
- Establishes and maintains a rapport with all departments across the organization, to implement applicable compliance requirements and create awareness across the organization of applicable compliance obligations and regulations. The key departments and activities are as below:
  - Infra and DevOps (cloud and on-premise): Compliance against benchmarks (e.g. CIS), secure configurations, logging and monitoring across application, network and system environments.
  - Products, Engineering and Support: Include security and compliance requirements at the planning and design phase. Threat modeling for new products and features, covering both security risk and non-compliance risk. Coordinate and plan mandatory third-party penetration tests.
  - HR: Awareness training, NDA agreements, background checks, disciplinary actions for breaches of compliance.
  - Admin/Facilities: Mandatory physical/facility security requirements to meet compliance.
  - Finance and Legal: Compliance bridge between the various Terms of Service, purchase orders and privacy agreements. Perform security and privacy assessments of third-party vendors who connect to your product and handle some of your customers' data.
  - Marketing: Customer communication related to security, compliance and breach notifications. Appropriate content on the corporate website, such as privacy policies and technical and organizational controls.
  - Sales, Account Executives: Security questionnaires and queries from customers; maintain external-facing security documentation.
Cloud Infra / DevOps Security (example: AWS):
- Network Security: VPC, VPN (corp to VPC), NACLs, Security Groups, VPC/S3 endpoints to keep traffic within the cloud service provider's network.
- Endpoint/Server Security: Anti-malware, Inspector, GuardDuty.
- Data Security: Encryption, key management (rotation, revocation), Macie.
- IDAM: Granular controls for console access, API access, and roles (EC2, S3, serverless).
- Logging and Monitoring (CloudTrail, CloudWatch, Config, SIEM).
- WAF, DDoS protection (managed Shield, third-party DNS-level WAF).
- Security controls for Docker and Kubernetes (Clair, scanning the Docker registry).
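One concrete instance of the "automate compliance checks and evidence generation" idea applied to the Security Groups item above, as an added example that is not part of the original post: a script that evaluates security-group ingress rules for admin ports open to the whole internet and emits an evidence record. The restricted-port policy is an assumption modelled on the CIS AWS Foundations checks for SSH/RDP ingress, and the input is a constructed sample shaped like boto3's `describe_security_groups()` output so the script runs offline.

```python
"""Constructed example: CIS-style check that no security group exposes admin
ports to 0.0.0.0/0 or ::/0, producing an auditor-friendly evidence record."""
import json
from datetime import datetime, timezone

# Assumed policy: ports that must never be reachable from the whole internet.
RESTRICTED_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample data mirroring the shape of describe_security_groups().
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1",  # "all traffic": no FromPort/ToPort keys
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def _rule_sources(rule):
    """Yield every IPv4 and IPv6 CIDR a single ingress rule accepts."""
    yield from (r["CidrIp"] for r in rule.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))

def open_restricted_ports(group):
    """Return the restricted TCP ports this group exposes to the internet."""
    exposed = set()
    for rule in group.get("IpPermissions", []):
        if not any(src in ANYWHERE for src in _rule_sources(rule)):
            continue                       # only world-reachable rules matter
        if rule["IpProtocol"] == "-1":     # all protocols/ports are open
            exposed |= RESTRICTED_PORTS
        elif rule["IpProtocol"] == "tcp":
            lo, hi = rule["FromPort"], rule["ToPort"]
            exposed |= {p for p in RESTRICTED_PORTS if lo <= p <= hi}
    return sorted(exposed)

def evidence_report(groups):
    """One finding per group with a PASS/FAIL verdict, plus collection time."""
    findings = [{"group_id": g["GroupId"], "group_name": g["GroupName"],
                 "exposed_ports": open_restricted_ports(g)} for g in groups]
    for f in findings:
        f["status"] = "FAIL" if f["exposed_ports"] else "PASS"
    return {"check": "no-internet-ingress-to-admin-ports",
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "findings": findings}

if __name__ == "__main__":
    print(json.dumps(evidence_report(SAMPLE_GROUPS), indent=2))
```

Against live data you would feed the same functions the `SecurityGroups` list returned by boto3 and archive the JSON as audit evidence.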
On-Premise IT Security:
- Network Security: Firewall, network segregation, WiFi security.
- Workstation Security: Full-disk encryption, antivirus, removable-media control.
- IDAM: Internal applications, SSO integrations, onboarding and exit procedures.
The security team size and structure may vary depending on the size of the organization, the industry, and the kind of data (health, personal, financial) being handled.
Typically, it can be categorized as below.
- For early-stage or small product companies there may be just one person (the Head of Security and Compliance), who also plays the roles of Security Engineer and Compliance Specialist; it is better to form a virtual team of SPOCs from the Engineering and Finance/Legal teams, with ~20% of their time on security and compliance responsibilities and functional reporting to the head of security.
- For established, mid-sized product companies, the three-person team above should fit well.
- For large product companies, each role should grow into a team, i.e. a Security Engineering team and a Compliance team.
Looking forward to your feedback and suggestions!