DevSecOps: should it be placed under the CISO org or the Engineering org?
This is part of the Engineering Org, with guidance on tools coming from the CISO. The time has come to move security from a silo to being everyone's responsibility.
In my opinion, unless you are trying to shake up the organization, it makes sense to place DevSecOps under the Engineering Organization and make a dotted line to the CISO. This approach decentralizes security a bit, but it embeds it more with the engineers, and they can build the security culture outside of the security team, which is what builds a stronger organizational security culture.
Moving the group under the CISO makes sense if the team is small and/or you are looking to drastically change the culture of the organization quickly. This can lead to distrust and resentment, though.
Place the process, control requirements and guidelines in the appropriate risk organisation within your firm. Allow the engineering of the requirements and automation to be completed by the platform team that implements your developer experience in your firm.
The CISO has enough on its plate; starting to add the developer experience and moving to being a delivery mechanism for value is too much.
It is all about "shifting left" and this means it is a foundational element of the engineering organization from a resource, ownership and culture perspective.
Secure DevOps (I think the term 'DevSecOps' doesn't make a lot of sense) is a philosophy and set of processes, not a team. While there is infrastructure that needs to exist to provide feedback to developers (and that infra is probably run/provided by a cybersecurity team), I don't see 'DevSecOps' as a team any more than I see DevOps as a team.