The organizational structure of an SSG should encourage maximum communication and teamwork between the security and development functions. It’s essential to clarify roles and responsibilities, decision-making power, and budget authority. The more clearly you outline these points, the more smoothly your SSG will run.
There is no “right way” to organize your team. Your structure should fit the culture of your organization. Among BSIMM organizations, there are five different models for structuring an SSG.
1. Service Model. This SSG offers software security activities such as pen testing, SAST, DAST, and so on “as a service” from a central hub. All work must go through the central group and follow standard processes. This model requires the SSG to sign off before products are released.
Pro: Ensures consistent security protections.
Con: Product groups may need to wait to book resources, depending on demand. Developers may feel they have less responsibility for the security of their products.
2. Policy Model. A central team sets standard guidelines but does not carry out the work itself. Policy work includes risk ranking and classification, creating knowledge bases and security frameworks, managing vendor compliance, and employee training.
Pro: Fewer people considered “overhead” in a central team.
Con: May be difficult to enforce policies.
3. Hybrid Model. This SSG offers both services and policy as explained above.
Pro: A full-service SSG makes it easier to measure which policies are carried out and their level of impact.
Con: Requires a full range of strategic and tactical skills.
4. Business Unit Model. This model distributes SSG members to individual business units to serve their specific needs, report within a business unit, and adapt policies and processes as needed.
Pro: If it works well, more people within an organization are well-versed in security.
Con: If there is poor coordination or communication, success can be difficult to maintain and measure.
5. Management Model. Product leaders manage security as a business process, along with product design, quality assurance, and so on.
Pro: Security is truly embedded in the culture of the organization.
Con: Business leaders must continue to prioritize security as they face pressure to release products quickly.