This document outlines a structured and scalable security organization suitable for a high-growth, cloud-native technology company with significant infrastructure, regulatory obligations, and user-facing product surface area.
The organization is designed for ~1,000 employees and ~150–200 engineers, and it aims to cover the entire security lifecycle: from build-time controls to runtime detection, incident response, compliance, and onchain or product-specific risk.
Each role in the org tree is followed by a number in parentheses giving the recommended headcount for that function. Sub-team counts sum to their parent's count throughout, with one exception: the Security-Engineering sub-teams as listed total 25 against the 30 stated, so one of those figures should be reconciled before the tree is used as a hiring plan.
CSO/
├── Deputy-CSO-or-CISO (1) - Strategic leadership; separates governance from execution
├── Security-Engineering (30) - Builds and defends core systems: AppSec, Infra, IAM, Crypto
│   ├── Application-Security (7) - Secures code, libraries, pipelines, and partner teams
│   │   ├── AppSec-Engineers (3) - SAST, secure code review, bug triage, developer enablement
│   │   ├── Threat-Modeling (1) - Architecture analysis and attack-surface definition
│   │   ├── Partner-Security (1) - Embedded security with product teams
│   │   └── CI-CD-Security (2) - Protects the build pipeline: secret scanning, signing
│   │       ├── Pipeline-Hardening (1) - Controls for Jenkins/GitHub/GitLab workflows
│   │       └── Build-Signing-Tooling (1) - SLSA provenance and Cosign signing; enforces artifact integrity
│   ├── Infrastructure-Security (10) - Hardens the infra runtime: cloud, containers, K8s, network
│   │   ├── Cloud-Security (2) - IAM boundaries, SCPs, IaC policies
│   │   ├── Host-Hardening (1) - Hardened AMIs, OS security, EDR config
│   │   ├── Network-Architecture (1) - Segmentation, egress policies, bastion/ingress rules
│   │   ├── PKI-Engineering (2) - Internal CA, mTLS, cert rotation, SPIFFE/SPIRE
│   │   │   ├── Internal-CA (1) - Vault or step-ca management
│   │   │   └── Cert-Lifecycle-Automation (1) - Rotate, revoke, alert
│   │   ├── Container-Security (2) - Image scanning and runtime protection
│   │   │   ├── Image-Scanning (1) - Build-time SBOM and vulnerability checks
│   │   │   └── Runtime-Enforcement (1) - Admission controls, runtime constraints
│   │   └── Kubernetes-Security (2) - Cluster policy, RBAC, and control-plane protection
│   │       ├── Admission-Control-Policy (1) - OPA, Kyverno, baseline guardrails
│   │       └── K8s-RBAC-Hardening (1) - Audit roles, limit privilege escalation
│   ├── IAM (4) - SSO, JIT access, secrets, identity lifecycle across internal systems
│   │   ├── Directory-Integration (1) - Okta/GWS/AAD SCIM connectors
│   │   ├── RBAC/JIT-Access (1) - Role enforcement, TTL-based elevation
│   │   └── Secrets-Management (2) - Vault, AWS KMS, secure workflows
│   └── Cryptography (4) - Custody keys, MPC infra, HSMs, threshold signing
│       ├── MPC-Platform (2) - Key orchestration and custody workflows
│       └── Key-Lifecycle/HSMs (2) - Signing infra, key splits, storage logic
├── Security-Operations (16) - Detect, respond, and automate against real threats
│   ├── Threat-Detection-and-Response (7) - Detection logic, SOAR, threat intel
│   │   ├── Detection-Engineering (3) - SIEM pipelines, detections-as-code
│   │   ├── Threat-Intel (2) - Actor mapping, TTPs, intel feeds
│   │   └── SOAR-Automation (2) - Triage orchestration, auto-response playbooks
│   ├── Incident-Response (5) - On-call, IR plans, forensics, containment
│   │   ├── On-Call-IR (2) - Triage, escalation, coordination
│   │   ├── Forensics/RCA (2) - Artifact handling, root-cause analysis
│   │   └── Tabletop-Exercises (1) - IR maturity, team drills
│   └── Insider-Threat (4) - DLP, high-risk access, behavioral monitoring
│       ├── DLP-Monitoring (2) - GWS DLP, SaaS monitoring
│       └── Privileged-Access-Analytics (2) - Detection of access abuse
├── GRC-and-Compliance (6) - Controls, policy, audit, vendor risk
│   ├── Audit-Readiness (2) - SOC 2, ISO 27001, SOX control testing
│   ├── Risk/Control-Mapping (2) - NIST, CIS, CSA CCM frameworks
│   ├── Vendor-Risk (1) - Third-party assessments and onboarding checks
│   └── Policy-and-Awareness (1) - Internal policy docs and security training
├── Trust-and-Safety (5) - User trust, abuse prevention, fraud response
│   ├── ATO-Detection/Mitigation (2) - Detect account takeovers, enforce MFA challenges
│   ├── Abuse-Detection (1) - Scraping, spam, and API abuse
│   └── Customer-Escalation-Support (2) - Handles inbound security tickets with CX
├── Blockchain-Security (4) - Smart-contract risk, onchain analytics, bridge security
│   ├── Smart-Contract-Review (2) - Manual audits, fuzzing, static analysis
│   ├── Protocol/Bridge-Analysis (1) - Risk scoring of L1/L2 chains and bridges
│   └── Onchain-Threat-Detection (1) - Real-time detection of illicit activity
└── Security-Partners (3) - Embedded security engineers within core teams
    ├── Embedded-Infra-Squad (1) - Works with platform, DevOps, and cloud teams
    ├── Embedded-Product-Squad (1) - Partners with feature teams on secure design
    └── Launch-Threat-Assessment (1) - Reviews high-risk launches and changes
Company Size | Engineers | Recommended Security HC | Security HC as % of Eng (approx.) |
---|---|---|---|
~1,000 employees | 150–200 | 60–70 | 30–40% |
~500 employees | 75–100 | 30–40 | 35–40% |
~250 employees | 35–50 | 15–25 | 40–50% |
- Phase hiring: prioritize InfraSec, AppSec, TDR, IAM, and GRC first, then scale out crypto, onchain, and security partners
- Use the tree to define ownership boundaries, accountability, team charters, and hiring plans
- Adapt to org size: each sub-tree is independently scalable by company maturity
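As an added check, not part of the original document: a small Python script that parses a tree in the format used above (one role per line, "├── " / "└── " connectors, "│   " guide columns, headcount in parentheses after the role name) and reports any node whose stated headcount does not match the sum of its sub-teams, along with the two totals the tree implies. SAMPLE_TREE is a constructed, abbreviated copy of the Security-Engineering and Security-Operations branches; the function and constant names are this example's own.

```python
"""Parse an ASCII org tree and check its headcount arithmetic.

Added example: the tree format follows the page, but SAMPLE_TREE (an
abbreviated, constructed copy of two branches) and every function here
are this example's own, not part of the original document.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two branches of the page's tree, trimmed to fit.
SAMPLE_TREE = """
CSO/
├── Deputy-CSO-or-CISO (1) - Strategic leadership
├── Security-Engineering (30) - Builds and defends core systems
│   ├── Application-Security (7) - Secures code, libraries, pipelines
│   │   ├── AppSec-Engineers (3) - SAST, secure code review
│   │   ├── Threat-Modeling (1)
│   │   ├── Partner-Security (1)
│   │   └── CI-CD-Security (2) - Protects the build pipeline
│   │       ├── Pipeline-Hardening (1)
│   │       └── Build-Signing-Tooling (1)
│   ├── Infrastructure-Security (10)
│   ├── IAM (4)
│   └── Cryptography (4)
└── Security-Operations (16) - Detect, respond, automate
    ├── Threat-Detection-and-Response (7)
    ├── Incident-Response (5)
    └── Insider-Threat (4)
"""

LINE_RE = re.compile(
    r"^(?P<indent>(?:│   |    )*)"   # one 4-char guide cell per ancestor below the root
    r"(?P<conn>[├└]── )?"           # branch connector; only the root line lacks one
    r"(?P<name>[^ (]+)"              # role name (hyphenated on the page, no spaces)
    r"\s*(?:\((?P<count>\d+)\))?"    # stated headcount; the root carries none
)


@dataclass
class Node:
    name: str
    count: Optional[int]             # stated headcount; None for the root
    children: list = field(default_factory=list)


def parse_tree(text: str) -> Node:
    """Build the hierarchy from indented text; raise on malformed lines."""
    root: Optional[Node] = None
    stack: list = []                 # stack[d] is the most recent node at depth d
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsable: {line!r}")
        depth = len(m["indent"]) // 4 + (1 if m["conn"] else 0)
        count = int(m["count"]) if m["count"] else None
        node = Node(m["name"], count)
        if depth == 0:
            if root is not None:
                raise ValueError(f"line {lineno}: second root {node.name!r}")
            root = node
            stack = [root]
            continue
        if root is None or depth > len(stack):
            raise ValueError(f"line {lineno}: {node.name!r} skips a level")
        if count is None:
            raise ValueError(f"line {lineno}: {node.name!r} has no headcount")
        del stack[depth:]            # discard deeper siblings' subtrees
        stack[-1].children.append(node)
        stack.append(node)
    if root is None:
        raise ValueError("empty tree")
    return root


def headcount_issues(root: Node) -> list:
    """Nodes whose stated headcount differs from the sum of their sub-teams."""
    issues = []

    def walk(n: Node) -> None:
        if n.children and n.count is not None:
            child_sum = sum(c.count for c in n.children)
            if child_sum != n.count:
                issues.append(f"{n.name}: stated {n.count}, sub-teams sum to {child_sum}")
        for c in n.children:
            walk(c)

    walk(root)
    return issues


def leaf_total(n: Node) -> int:
    """Headcount implied by the leaves (the roles a hiring plan would actually fill)."""
    if n.children:
        return sum(leaf_total(c) for c in n.children)
    return n.count or 0


def stated_total(root: Node) -> int:
    """Headcount implied by the top-level numbers (what the tree claims at a glance)."""
    return sum(c.count for c in root.children)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for issue in headcount_issues(tree):
        print("MISMATCH:", issue)
    print("stated total:", stated_total(tree), "| leaf total:", leaf_total(tree))
```

Run as-is, it flags Security-Engineering (stated 30, sub-teams 25) and reports a stated total of 47 against 42 leaf roles; that gap is exactly what a hiring plan built from the leaves would miss. Indentation is validated strictly (a node may only be one level deeper than its predecessor), so a flattened sub-team line fails parsing rather than silently attaching to the wrong parent.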