CISO AppSec Guide: People and Organisation

Revision as of 21:28, 18 August 2016 by Tgondrom (talk | contribs) (V-2 Organisation)


Part V: People and Organisation

V-1 Executive Summary

Having set up the programme, strategy, risk management and policies, this part turns to the people and the organisational structures that can support and strengthen the application security strategy.


V-2 Organisation

Organisation Structures Variance

In order to identify good and effective organisation structures, it is useful to examine the different dimensions of the various practices in use, together with their success criteria, strengths and weaknesses. Organisation structures vary greatly from one organisation to another, and reviews have shown that even where functions carry the same name, they do not necessarily carry the same responsibilities, capabilities or capacities.

The shape of an organisational structure is often driven by factors such as:

  • historical reasons (e.g. which department first started to care about security, or simple political calculations)
  • company culture (which organisational structure fits best with the company culture)
  • individual leaders' abilities and preferences (if a department leader has a background in one specific area, that area may be added to the security function more or less by chance; equally, if the leader is sceptical about some areas, he or she may decide to leave such functions separate...)

Frameworks: Organisation Design Principles

  • Maximise synergies with related functions
  • Customer Value
  • Avoid conflicts of interest

V-3 People and Education

[Figure: VA Metrics]

[Figure: Issue SDLC metrics]