Today I had a pleasant call from a person who worked with me many years ago, my right hand in a journey through the financial world in the role of CISO. Something that fills me with pride is that she now occupies the role that was once mine, and I hope she will achieve great results and, as always, go beyond what she thinks she can achieve.

The most gratifying thing of all is that even after all this time she calls me to ask for a favor: "I want to restructure the security area and I need a frame of reference".

These are the questions that awaken the consultant in me, the one that once, before facing the world of entrepreneurship, I thought I knew and felt I was a reference.

The answer is not simple: there is no recipe or standard that establishes how to structure an area. Even less so in security, where I still find companies that hire consultants to solve the great dilemma of who the CISO should report to.

But it is not impossible either: the structure of an organization must support a strategy, and that is the starting point.

We have seen how organizations have evolved. They are all going through processes of transformation through technology, exploiting to the maximum three major advances: data, as a fundamental element for decision making; the cloud, as a source of elasticity and efficient use of technological resources; and automation, which transforms any repetitive task performed by a person into a task that is executed and controlled through technology.

The cybersecurity business must transform itself in order to support organizations in these processes, understand the agile processes of DevOps, and contribute to this constant world of evolution and transformation of the products or services that the organization offers.

After having conveyed a lot of these concepts of how the operation can feed into the strategy and the strategy feeds back into the cybersecurity operation through continuous analysis, in 2018 Gartner published the CARTA (Continuously Adaptive Risk and Trust Assessment) model.

But the chart only shows that cybersecurity is easily integrated into the DevOps cycle of organizations; it does not solve the structure issue. For this I return to the need for strategy, and I leave some premises that we must take into account in our planning processes:

  1. Oriented to Business Objectives: The best way to understand this premise is the example of the brakes of a Formula 1 car. The brakes are not to reduce speed, but to achieve the best lap.

  2. Flexibility: We must be agile in the detection of attacks and vulnerabilities and even more so in the response.

  3. Scalability: The cybersecurity architecture, the detection processes and the security model must be related so that we can easily meet the cybersecurity challenges we face.

  4. Data-Driven: Visibility and decisions must come from intelligence generation and data exploitation.

For this, there are 4 major working groups that are being structured within the areas of cybersecurity:

  1. Red Team: Team dedicated to having visibility of the organization's attack surface, identifying the assets, services, applications and identities related to the organization, along with their vulnerabilities and control effectiveness.

  2. Threat Hunters: Team dedicated to the detection and response of anomalies and incidents.

  3. SecDevOps: Team dedicated to automating operational security tasks and integrating the security architecture with the processes of care and response.

  4. Data Scientist: Team that supports the generation of intelligence through the development of machine learning models for the detection of patterns, trends, anomalies, etc.

Long gone are the roles of security architects, policy and guideline makers, control custodians who are only dedicated to configuring rules in tools. Analytics, automation and adaptive security are the priority in these processes of digital transformation of enterprises.
