Discussion about this post

Ethan

Thanks for the article, Geoff. At my company we are right at that inflection point of trying to decide when it makes sense to begin to grow our Security team beyond our first Security Engineer (myself).

I like denoting "Customer Security" as its own skillset. That's much more of an art than a science in my experience.

You mention this in your reply to Anthony, but I'm curious how to think about the growth of security-adjacent teams such as IT and Compliance (that initially fall under the responsibility of the SecEng#1), and when it makes sense to begin to hire dedicated people for those roles.

Anthony

Geoff,

thanks for writing this up. I recently started a new gig about a month ago as CISO for a SaaS software company and this has been something that's been on my mind. Your measurement is based on Engineering size so I wonder what do you mean here when you say Security? Nowadays it's not uncommon for InfoSec to include SecEng/SecOps, GRC and Customer Security. Is that 3%-5% number you mention focused on a SecEng function?
