What is size (how many team members) and critical functions (e.g. SOC, GRC, etc.) of your cyber security organization and the reporting line?

CISO in Insurance (except health), a year ago

When it comes to defining the size of a security team, a crucial factor is the integration of security in other teams. In my past roles, we've successfully built cross-functional teams with security as a core element. Each team member, with their level of seniority, was equipped with a minimum level of security knowledge, ensuring a robust security culture across the organization. 

Moreover, if you have chosen to outsource specific functions of a security team, like a SOC, it will affect the number of security team members. 

Lastly, the maturity and seniority of your security team members play a pivotal role in determining the total number. I advocate for creating high-performing teams with fewer members but higher seniority. In conjunction with cross-functional teams, this approach can lead to a 50-member security team for a multi-billion organization. 

As you can understand from my answer, there is no one-size-fits-all here. It depends on multiple factors, including your strategy and vision for the team. 

VP of IT, a year ago

The number of my team members is 215 professionals; the distribution is:
CyberDefense 80 professionals (SOC, Detection/Contention, IR, TH)

Cybersecurity Engineering 54 professionals (App Security, Architecture and Infrastructure, VM, Asset Protection)

CyberRisk 33 professionals (Technology, Cyber and Information Security RA)

Strategy and Information Security 33 professionals (Information Security, Governance, Awareness and training, Strategy)

CyberIntelligence and Data Science 15 professionals (AI, Machine Learning and Intelligence)

Director of IT in IT Services, a year ago

In a medium to large-sized company, the cybersecurity team typically consists of anywhere between 10 to 50 members, or even more. In addition, you have to consider the type of the organization: is it reactive, a partner, engaging, ...

Some of the key functions within the team include:

The Security Operations Center (SOC): This team is responsible for monitoring and responding to any security incidents or threats that arise. Here, we find the SOC analysts, incident responders, threat hunters, and SOC managers.

Governance, Risk, and Compliance (GRC): This team ensures that the organization adheres to regulatory requirements and properly manages risks. It includes GRC analysts, compliance officers, risk managers, and audit specialists.

Threat Intelligence: This team is dedicated to gathering, analyzing, and disseminating threat information, with the goal of anticipating and mitigating threats. Here, we find threat intelligence analysts and researchers.

Vulnerability Management: This team is responsible for identifying, evaluating, and resolving vulnerabilities present in the organization's systems and applications. It includes vulnerability analysts and professionals who conduct penetration testing.

Security Architecture and Engineering: This team designs and implements the security controls and architecture for the organization. Here, we find security architects, security engineers, and DevSecOps engineers.

And so on with the rest of the key functions, such as Identity and Access Management, Application Security, Data Protection and Privacy, Incident Response and Forensics, and Security Awareness and Training.

Overall, this entire team typically reports to the Chief Information Security Officer (CISO), who is responsible for the organization's overall security strategy and execution.

I recommend checking the research by Monika Sinha:
How to Create an IT Organizational Structure That Drives Efficiency (gartner.com) 

Director of Information Security, a year ago

It depends on the industry and geography in which the client is operating. Cybersecurity in most organizations reports into the CRO function, as it is part of operational risk, or in some cases I have seen it reporting to the CEO.

From a team member perspective, it usually consists of IAM, DataSec, AppSec/DevSecOps, Risk Analyst, Cyber Governance and Vulnerability Management teams. The number of team members in each sub-domain varies based on the size of the enterprise.

Chief Supply Chain Officer, a year ago

I think the answer to this is going to vary wildly from organization to organization. We have the CISO office, Security Architecture and Integration, GRC, and SOC for 35 FTE. This does not include vendor partner support, the major one being after-hours security monitoring. I do know that Gartner has presented this topic at a conference I have attended, on a way to make a determination of right-sizing an information security team.
