Anatomy of a CISO Organization in the Modern SaaS Era

Sahil Khanna
4 min read · Feb 6, 2024


As businesses increasingly embraced digital connectivity, the corresponding rise in cyber threats heightened the associated risks. Cybersecurity was initially embedded within IT and focused primarily on deploying antivirus software on computers. Over time, its role expanded into technical security measures and compliance fulfillment, and from there it evolved into a distinct, indispensable, business-critical function.

The inclusion of the Chief Information Security Officer (CISO) in the C-suite is a relatively recent development. The CISO transitioned from a security practitioner to assuming the responsibilities of a business executive. Today, businesses expect CISOs to adopt a more robust and strategic leadership position. CISOs are expected to integrate more closely with the business, strategically handle information risks, and foster a culture of shared cyber risk ownership throughout the entire enterprise.

Having orchestrated multiple re-organizations of internal security teams in my career, I have found that a CISO has a 3-pronged mandate:

  1. Protecting the company
  2. Securing the products
  3. Assuring the customers

Team Structure and Security Controls

In a CISO organization, various teams collaborate to address different aspects of cybersecurity, risk management, and information security. The specific structure may vary depending on the organization’s size, industry, and specific needs.

In a mature organization, the internal security team typically constitutes 3–3.5% of the total workforce and can be grouped into 5 key enterprise functions:

  1. Security Controls and Platform — Engineering & Operations
  2. Security Assurance
  3. Governance, Risk and Compliance
  4. Security Programs — Product & Program Management Office
  5. Customer Assurance — Customer Trust, External Communications

(Figure: Typical Organizational Chart of an Internal Security Org)

1. Security Controls and Platform

This constitutes the core of the CISO organization, usually comprising 50–60% of the overall team headcount. It is responsible for the majority of the development and operational efforts.

The teams and responsibilities of this function are:

  1. Detection and Response (DnR)
    - Incident detection, reporting, response (CSIRT)
    - Security Information and Event Management (SIEM)
    - Log management
    - Escalations management
    - Threat Intelligence
    - Security health checks
  2. Threat and Vulnerability Management (TVM)
    - Vulnerability scanning, code scanning, and assessments
    - Risk prioritization
    - Asset inventory (SBOM, HBOM, service catalog)
  3. Systems Security
    - Patch management (including remediation planning)
    - Supply chain security
    - Workload security
  4. Identity & Access Management (IAM)
    - Manage user identities, access privileges, and authentication mechanisms
  5. Data Security
    - Encryption — in-transit, at-rest, confidential compute
    - Secrets management
    - Data privacy
    - Public Key Infrastructure (PKI)
    - Data Loss Prevention (DLP)
  6. Network Security
    - Network firewalls
    - Network segmentation
    - Intrusion Detection / Prevention Systems (IDS / IPS)
    - Network Application Security — WAF, service mesh, etc.
  7. Endpoint Protection
    - Deploy and manage security solutions on endpoints (computers, servers, mobile devices) to protect against malware, unauthorized access, and other security threats
  8. Email Security
    - Email quarantine — blocking spam, phishing, malware, etc.
    - Email policy enforcement

2. Security Assurance

Tasked with ensuring alignment of an organization’s systems and processes with security policies, standards, and industry best practices, this team’s primary objective is to evaluate, validate, and enhance the overall security posture of the organization. Traditionally, this function constitutes around 20% of the organization’s total headcount.

The teams and responsibilities of this function are:

  1. Product Security
    - Security requirement standards, guardrails and evaluations for product activities and technologies
    - Threat modeling
    - Application Security
    - Security assessments — pen testing, security scorecards
    - Secure SDLC
    - Shared Security Model
  2. Corporate Security
    - Security requirement standards, guardrails and evaluations for Corp IT activities and technologies
    - Third party vendor risk management
    - Security training for employees
  3. Infrastructure Security
    - Security requirement standards, guardrails and evaluations for Cloud Ops activities and technologies
    - Threat modeling
    - Security assessments — pen testing, security scorecards
  4. Offensive Security
    - Red team for security testing of product, corporate, enterprise and infrastructure environments

3. Governance, Risk & Compliance (GRC)

In charge of supervising and managing the organization’s comprehensive governance framework, this team is responsible for evaluating and mitigating risks while ensuring compliance with relevant laws, regulations, and standards. Typically, this function accounts for 10% of the total headcount in the organization.

  1. Governance
    - Standard policies, processes and procedures
    - Security awareness and training
  2. Risk Management
    - Risk assessments — control gaps, exceptions
    - Control monitoring
    - Gen AI risk management
  3. Compliance
    - Compliance management
    - Common Controls Framework (CCF) development
    - Regulatory research and interpretation
    - Legal liaison
    - Audit coordination

4. Security Programs

The PMO serves as a cross-functional unit supporting all other security teams within the organization. It establishes the roadmap, prioritizes tasks, and oversees the implementation of diverse initiatives. Depending on the organization’s maturity, this function may constitute anywhere from 5% to 15% of the overall headcount.

The teams and responsibilities of this function are:

  1. Platform Product Management
    - Overseeing the WHY
    - Overseeing the development and strategy of a platform / technology ecosystem, to meet business goals
    - Key responsibilities include defining the platform’s features, aligning with customer needs, prioritizing development efforts, and ensuring the platform’s success in the market
  2. Program Management
    - Overseeing the WHEN
    - Coordinating and overseeing the execution of complex technical projects
    - Key responsibilities include defining project scope, creating timelines, managing resources, and ensuring effective communication among cross-functional teams
  3. Internal Communications
    - Announcements, updates and messaging for internal security related communications
  4. Product Analytics
    - In mature organizations, the product function can eventually be broken down further to have a dedicated product analytics team

5. Customer Assurance

Tasked with cultivating and sustaining positive customer relationships, this team ensures customers extract optimal value from the company’s products and platform while aligning security practices with customer expectations. Typically the smallest function, it constitutes approximately 5% of the organization.

  1. Customer Trust
    - Maintain a security knowledge base
    - Complete SAQs and provide audit reports for new opportunities and existing customers
    - Partner with Legal to ensure transparency of security practices and trust disclosures
  2. External Communications
    - Manage customer announcements and messaging for enterprise security
    - Collaborate with legal, sales and marketing teams to accurately represent the organization’s security capabilities, certifications, and compliance commitments to customers.

Written by Sahil Khanna
Director of Security Product & Program Management @ Zscaler, previously at HashiCorp, Salesforce and Akamai