
Building an information security team

You've been the Security Champion. You've built programs, implemented controls, and embedded security into your organization. But as the company grows, one person can't do it all. At some point, security needs to become a function—with dedicated people, formal processes, and executive leadership.

This chapter covers how security teams are structured, when and how to build one, and—critically—how Security Champions fit into the picture even after a formal security organization exists.

The Security Champion's natural limits

Let's be honest about what a Security Champion can and cannot do:

What Security Champions do well

| Capability | Why it works |
|---|---|
| Security in their team | Deep context, existing relationships |
| Code and architecture review | Know the codebase and stack |
| Developer training | Speak their language |
| First responder for incidents | Already there, knows the systems |
| Security culture ambassador | Trusted by peers |

What Security Champions can't cover alone

| Gap | Why it's hard |
|---|---|
| Company-wide strategy | Requires executive authority |
| Compliance programs | Full-time effort, specialized knowledge |
| Incident response leadership | Needs dedicated availability |
| Third-party risk | Time-consuming, specialized |
| Security architecture | Spans all teams and systems |
| Threat intelligence | Continuous monitoring required |
| Audit management | Months of dedicated work |

The core problem: A Security Champion has a primary job (developer, DevOps, etc.). Security is 10-30% of their time. But security needs grow faster than that percentage can cover.

The transition point

You likely need dedicated security staff when:

| Signal | What it means |
|---|---|
| Security work exceeds 50% of champion's time | Can't sustain the split |
| Multiple champions but no coordination | Need central leadership |
| Compliance requirements emerge (SOC 2, ISO) | Full-time effort required |
| Company >100 employees | Attack surface too large for part-time |
| Enterprise customers demanding security | Business-critical function |
| First significant security incident | Revealed gaps in coverage |
| Investor/board asks about security | Executive accountability needed |

Understanding security team structure

Security roles explained

| Role | Focus | Reports to | Salary range (US) |
|---|---|---|---|
| CISO | Strategy, risk, executive reporting | CEO/CTO/CFO | $250K-$500K+ |
| VP/Director of Security | Security program leadership | CISO or CTO | $180K-$300K |
| Security Manager | Team management, operations | Director/CISO | $140K-$200K |
| Security Engineer | Technical implementation, tools | Manager/Director | $120K-$180K |
| AppSec Engineer | Application security, code review | Manager/Director | $130K-$190K |
| Cloud Security Engineer | Cloud infrastructure security | Manager/Director | $140K-$200K |
| GRC Analyst | Compliance, policy, risk | Manager/Director | $90K-$140K |
| SOC Analyst | Monitoring, incident detection | Manager/SOC Lead | $70K-$110K |
| Security Analyst | General security operations | Manager | $80K-$120K |

Security team domains

A typical security organization under a CISO has three functional domains:

Security Engineering — AppSec, cloud security, infrastructure security, DevSecOps, security tooling

Security Operations — SOC/monitoring, incident response, threat intelligence, vulnerability management

Governance, Risk & Compliance — policy, compliance, risk management, vendor security, audit

Team size by company stage

| Company size | Typical security team | Notes |
|---|---|---|
| Under 50 employees | 0 (Security Champions) | Part-time coverage |
| 50-100 | 0-1 (first hire or fractional) | Transition point |
| 100-250 | 1-2 | First dedicated person |
| 250-500 | 2-5 | Small team, broad roles |
| 500-1000 | 5-10 | Specialized roles emerge |
| 1000-5000 | 10-25 | Multiple sub-teams |
| 5000+ | 25-100+ | Full departments |

Industry matters: Fintech, healthcare, and government contractors need more security earlier. B2C companies with low-sensitivity data can run lean longer.

The first security hire

The most important decision. Get it right.

When to make the first hire

Hire dedicated security when at least 3 of these are true:

  • Security work exceeds 40% of any champion's time
  • You have or need SOC 2/ISO 27001
  • Enterprise customers require formal security program
  • Company exceeds 100 employees
  • You've had a security incident that overwhelmed part-time capacity
  • Leadership is asking for security accountability

Profile for first security hire

Your first hire should be a generalist, not a specialist.

Ideal profile:

  • 5-10 years experience (not junior, not too senior)
  • Broad skills: can write policy AND configure tools
  • Has built programs before (ideally at similar-size company)
  • Strong communicator (will work across all teams)
  • Comfortable with ambiguity (not a mature program yet)
  • Technical enough to earn developer respect
  • Business-savvy enough to talk to executives

Title options:

  • Security Lead
  • Head of Security
  • Director of Security (small company)
  • Security Manager

Avoid: "CISO" too early (unless board requires it), or overspecialized titles.

What the first hire should do

First 90 days:

| Period | Focus |
|---|---|
| Days 1-30 | Assess: Meet everyone, understand stack, identify gaps |
| Days 31-60 | Prioritize: Create security roadmap, quick wins |
| Days 61-90 | Execute: Implement highest-priority items |

First year deliverables:

  • Security roadmap aligned with business
  • Core policies documented
  • Incident response capability
  • Security champions program formalized
  • Basic metrics and reporting
  • Compliance progress (if applicable)

First hire: build vs. buy

| Option | Pros | Cons |
|---|---|---|
| Promote Security Champion | Knows the company, trusted | May lack depth, career expectations |
| Hire externally | Fresh perspective, broader experience | Onboarding time, culture fit risk |
| Fractional CISO | Expert on-demand, lower cost | Part-time, less embedded |
| vCISO + consultant | Access to expertise, scalable | Not internal, no loyalty |

Recommendation: If a Security Champion has grown significantly and wants the role, promote them with training support. Otherwise, hire externally and keep Champions as embedded resources.

Scaling the security team

Hiring sequence

Most companies follow this pattern:

Stage 1 — One person (generalist). Security Lead who does everything: technical controls, policy, compliance, incident response. Breadth over depth.

Stage 2 — Two people. Security Lead (strategy + technical) + GRC Analyst (compliance + policy). Technical and governance split.

Stage 3 — Three people. Head of Security (strategy + leadership) + Security Engineer (technical) + GRC Analyst (compliance). Dedicated ownership per domain.

Stage 4 — Specialized team (5+). Director or VP of Security leading: Security Engineer (infrastructure), AppSec Engineer (product security), GRC Analyst (compliance), Security Analyst (operations).

Stage 5 — Full department (10+). CISO leading three managers: Security Engineering Manager (AppSec, Cloud Security, DevSecOps engineers) · Security Operations Manager (SOC Analysts, Incident Responders) · GRC Manager (Compliance Analysts, Risk Analysts).

Second hire decision

Your second hire depends on your biggest gap:

| If your gap is... | Second hire should be... |
|---|---|
| Compliance pressure | GRC Analyst |
| Technical debt | Security Engineer |
| Product security | AppSec Engineer |
| Cloud complexity | Cloud Security Engineer |
| Incident overload | Security Analyst |

When to hire a CISO

The CISO question: Do you need one?

You need a CISO when:

  • Board/investors require executive accountability
  • Security budget exceeds $500K
  • Regulatory requirements demand it
  • Company >500 employees
  • Security team >5 people
  • You're in a highly regulated industry

CISO alternatives:

  • VP/Director of Security — Reports to CTO, covers security leadership without C-level
  • Fractional CISO — Part-time executive (2-4 days/month), costs $5K-$15K/month
  • Virtual CISO (vCISO) — Consulting firm provides on-demand CISO services

Reality check: Many 100-500 person companies have a "Head of Security" or "Director of Security" who does CISO-level work without the title or C-suite compensation.

Security team processes

Core processes every team needs

| Process | Owner | Frequency |
|---|---|---|
| Risk assessment | CISO/Security Lead | Annually + major changes |
| Vulnerability management | Security Engineering | Continuous |
| Access reviews | GRC + Team leads | Quarterly |
| Incident response | Security Operations | As needed |
| Security awareness training | GRC | Annually + new hires |
| Vendor security assessment | GRC | Per new vendor + annually |
| Policy review | GRC | Annually |
| Penetration testing | Security Engineering | Annually + major releases |
| Audit preparation | GRC | Per audit cycle |
| Security metrics review | CISO | Monthly/Quarterly |

Operating model

How security work flows:

Strategic layer — CISO. Annual security planning, risk appetite definition, budget allocation, board reporting. Sets direction and owns accountability.

Tactical layer — Security Engineering, SecOps, GRC. Three functional teams execute the strategy:

  • Security Engineering — tool deployment, architecture review, DevSecOps
  • Security Operations — monitoring, incident response, threat hunting
  • GRC — compliance, policy management, vendor security

Operational layer — Development teams, IT, HR. Where security is actually practiced day-to-day. Each team has an embedded Security Champion — the connective tissue between the security team's standards and what actually gets built and operated.

Security team meetings

| Meeting | Frequency | Attendees | Purpose |
|---|---|---|---|
| Security team standup | Daily/2x week | Security team | Coordination |
| Security review board | Weekly | Security + engineering leads | Review changes, risks |
| Champions sync | Monthly | Security + all champions | Alignment, knowledge share |
| Risk committee | Monthly | Security + executives | Risk decisions |
| Board security update | Quarterly | CISO + board | Executive reporting |

Security Champions in a mature organization

Here's the key point: Security Champions don't go away when you hire a security team. They become more important.

Why Champions still matter

A CISO and security team can't:

  • Attend every team's sprint planning
  • Review every pull request
  • Know every codebase deeply
  • Be available for every security question
  • Understand every team's context

The math doesn't work:

Company: 500 employees
Engineering: 200 developers
Teams: 25 (average 8 developers each)
Security team: 5 people

If security team reviews every change:
- PRs per day: ~100
- Security team capacity: 20 reviews/day
- Result: 80% of PRs unreviewed

With Security Champions (1 per team):
- Champions: 25
- PRs per champion: 4/day
- Result: All PRs get security consideration
- Security team: Focuses on high-risk items

The new champion role

When a security team exists, champions evolve:

| Before security team | With security team |
|---|---|
| "I'm the only security person" | "I'm security's presence in my team" |
| Create security programs | Execute security programs locally |
| Define policies | Implement and adapt policies |
| Own incident response | First responder, escalate to team |
| Choose security tools | Use and champion security tools |
| Report to leadership | Report to security team |

Champion ↔ Security team relationship

The relationship works in both directions.

What the security team provides to champions:

  • Training and enablement
  • Tools and resources
  • Escalation path for complex issues
  • Policy guidance and threat intelligence
  • Specialist support when needed

What champions provide to the security team:

  • Local security enforcement within their team
  • Risk identification close to the code
  • First response to incidents before escalation
  • Training delivery in team context
  • Feedback on whether policies are workable

How they stay connected: dedicated Slack channel, monthly sync, office hours.

Each champion knows their team's stack deeply, is trusted by their teammates, serves as the first point of contact for security questions, applies security practices in their team's context, and escalates when something is beyond their scope.

Champion as "mini-CISO"

Think of each Security Champion as a miniature CISO for their team:

| CISO responsibility | Champion equivalent |
|---|---|
| Company-wide security strategy | Team security roadmap |
| Enterprise risk assessment | Team-level risk awareness |
| Security policies | Policy application in team context |
| Security training for company | Training relevance for team |
| Executive reporting | Team lead reporting |
| Vendor security | Dependencies and integrations |
| Incident command | Incident first response |
| Compliance program | Compliance execution in team |

The difference: Scale and authority, not substance. A champion thinks about security the same way a CISO does—just for a smaller scope.

What champions don't need to know

As a Security Champion, you're not expected to:

| Not your job | Who handles it |
|---|---|
| Design company security architecture | Security Architecture / CISO |
| Manage compliance audits | GRC team |
| Run penetration tests | Security Engineering (or contractors) |
| Build security monitoring | Security Operations |
| Negotiate security terms in contracts | Legal + GRC |
| Present to the board | CISO |
| Manage security budget | Security leadership |
| Define company risk appetite | CISO + executives |

Your job: Security in your team's domain. That's enough. That's important.

Building a security team: 12-month roadmap

If you're the Security Champion planning growth

Phase 1: Validate need (Month 1-2)

  • Document current security workload
  • Calculate time spent on security vs. primary job
  • Identify gaps you can't cover
  • Quantify risk of gaps (incidents, compliance, deals)
  • Build business case for first hire

Phase 2: First hire (Month 3-5)

  • Define ideal candidate profile
  • Get headcount approved
  • Write job description
  • Interview and hire
  • Onboard new security lead
  • Transition knowledge and relationships

Phase 3: Formalize program (Month 6-8)

  • New lead creates security roadmap
  • Formalize Security Champions program
  • Define champion ↔ security team relationship
  • Establish regular sync meetings
  • Create escalation procedures

Phase 4: Scale (Month 9-12)

  • Evaluate need for second hire
  • Champions continue embedded work
  • Security team handles specialized functions
  • Measure and improve program effectiveness
  • Plan next year's growth

If you're the new security leader inheriting Champions

Month 1: Listen and learn

  • Meet every Security Champion
  • Understand their work and challenges
  • Identify what they've built that works
  • Find gaps in the current approach

Month 2: Formalize relationship

  • Define champion role clearly
  • Create communication channels
  • Set up regular syncs
  • Provide resources champions need

Month 3: Empower and support

  • Training for champions (if needed)
  • Tools and templates
  • Clear escalation path
  • Recognition and appreciation

Ongoing: Partnership

  • Champions are your force multiplier
  • Invest in their success
  • Listen to their feedback
  • Celebrate their wins

Common mistakes when building security teams

Mistake 1: Hiring too senior too early

The problem: First hire is a VP-level leader with no one to lead.

Why it fails: Senior leaders want to lead, not do. Early-stage security needs doers.

Solution: Hire player-coaches early. People who can lead AND execute.

Mistake 2: Hiring too specialized

The problem: First hire is a penetration tester or SOC analyst.

Why it fails: You need a generalist first. Specialists come later.

Solution: First 1-2 hires should be broad. Specialize after team >3.

Mistake 3: Ignoring existing champions

The problem: New security team treats champions as irrelevant or threats.

Why it fails: Champions have context, relationships, and momentum. Ignoring them wastes that investment.

Solution: Champions are partners. Integrate them into the new structure.

Mistake 4: Security as roadblock

The problem: Security team sees itself as gatekeeper, not enabler.

Why it fails: Teams work around security, hide problems, resent the function.

Solution: Security enables business. "How can we do this securely?" not "No."

Mistake 5: Centralized everything

The problem: Security team tries to do all security work centrally.

Why it fails: Doesn't scale. Creates bottlenecks. Loses team context.

Solution: Security team provides frameworks. Teams (with champions) execute.

Mistake 6: No career path for champions

The problem: Champions do valuable work but have no growth trajectory.

Why it fails: Best champions leave or disengage.

Solution: Champions can become security team members, senior champions, or earn recognition in their primary track.

Real stories: building security teams

Story 1: From Champion to team lead

Company: 80-person B2B SaaS, developer became Security Champion.

Journey:

  • Year 1: Developer spends 20% on security, informal champion role
  • Year 2: Security work grows to 50%, company decides to formalize
  • Year 3: Champion becomes "Security Lead" (full-time), hires GRC analyst
  • Year 4: Team grows to 4 (Security Lead, GRC, 2 Security Engineers)

Champion's reflection: "When I transitioned to full-time security, I worried I'd lose connection to the dev team. The opposite happened—I became the bridge between security and engineering. I still review code and join architecture discussions, but now I have a team to handle compliance and tooling."

What worked:

  • Gradual transition, not sudden switch
  • Kept champion relationships intact
  • Hired complementary skills (GRC first, not another generalist)

Story 2: External CISO hire

Company: 150-person fintech, no internal security experience.

Journey:

  • Hired CISO directly (expensive, $280K)
  • CISO built 3-person team in first year
  • Created Security Champions program from scratch
  • Hit SOC 2 Type II in 14 months

What worked:

  • CISO brought enterprise experience
  • Quickly established credibility with board
  • Invested in champions as force multiplier

What was hard:

  • CISO didn't know the codebase—relied heavily on champions
  • Culture clash initially (security vs. speed)
  • First year was intense for everyone

Story 3: The fractional approach

Company: 60-person startup, tight budget.

Journey:

  • Hired fractional CISO (3 days/month, $8K/month)
  • Fractional CISO guided 2 Security Champions
  • Champions did execution, CISO provided strategy
  • After 18 months, hired full-time Security Lead

What worked:

  • Low cost while still getting expert guidance
  • Champions grew significantly with mentorship
  • Smooth transition when budget allowed full-time hire

What was hard:

  • Fractional CISO wasn't always available for urgent issues
  • Champions carried heavy load
  • Coordination overhead between part-time and full-time people

Security team budget planning

Typical costs by team size

| Team size | Annual cost (fully loaded) | Notes |
|---|---|---|
| 1 person | $200-300K | Salary + benefits + tools |
| 2 people | $350-500K | + compliance platform |
| 3 people | $500-700K | + specialized tools |
| 5 people | $900K-1.2M | + contractors for projects |
| 10 people | $1.8-2.5M | Full department costs |

Budget breakdown

| Category | % of security budget | Examples |
|---|---|---|
| Personnel | 60-75% | Salaries, benefits |
| Tools/platforms | 15-25% | SIEM, EDR, compliance platform, scanners |
| Contractors/consultants | 5-15% | Pentests, audits, fractional support |
| Training/certs | 2-5% | Certifications, conferences |
| Other | 2-5% | Bug bounty, insurance |

Sample budget: 3-person team

## Annual Security Budget (3-person team)

Personnel: $550,000
  Security Lead                    $200,000
  Security Engineer                $180,000
  GRC Analyst                      $130,000
  Benefits/taxes (25%)             $40,000

Tools & Platforms: $120,000
  Compliance platform (Vanta)      $25,000
  SIEM/Logging                     $30,000
  EDR                              $20,000
  Vulnerability scanner            $15,000
  Security awareness platform      $10,000
  Other tools                      $20,000

Contractors/Consulting: $50,000
  Annual pentest                   $25,000
  SOC 2 audit                      $20,000
  Specialized consulting           $5,000

Training & Development: $15,000
  Certifications                   $8,000
  Conferences                      $5,000
  Training subscriptions           $2,000

Contingency (10%): $73,500

TOTAL: $808,500

Outsourcing vs. insourcing

When to build internally vs. use external resources.

When to outsource

| Function | Outsource when... | Options |
|---|---|---|
| Penetration testing | Almost always (objectivity required) | Boutique firms, bug bounty |
| Compliance audits | Required (independence) | CPA firms |
| Incident response | Major incidents, no internal capacity | IR retainers (Mandiant, CrowdStrike) |
| Fractional CISO | Too early for full-time hire | vCISO services |
| Security monitoring | Can't build 24/7 SOC | Managed detection (Arctic Wolf, Expel) |
| Specialized projects | One-time need | Consultants |

When to insource

| Function | Insource when... | Reason |
|---|---|---|
| Security strategy | Core competency | Needs company context |
| Application security | Deep product integration | Needs codebase knowledge |
| Security engineering | Ongoing need | Daily integration work |
| Compliance management | Continuous operation | Full-time attention |
| Security culture | Core to business | Champions + internal team |

Hybrid model

Most companies use a hybrid:

Internal team:

  • Strategy and leadership
  • Day-to-day operations
  • Application security
  • Compliance management

External support:

  • Penetration testing (quarterly)
  • Audits (annual)
  • Incident response (on retainer)
  • Specialized projects (as needed)
  • 24/7 monitoring (optional)

Hiring guide: job descriptions and interviews

Sample job description: First Security Hire

## Security Lead

About the role:
We're looking for our first dedicated security hire to build and lead
our security program. You'll work closely with engineering, IT, and
leadership to protect our customers and company.

What you'll do:
• Build and own our security program from the ground up
• Lead compliance efforts (SOC 2, potentially ISO 27001)
• Coordinate with Security Champions across engineering teams
• Implement and manage security tools and processes
• Conduct risk assessments and drive remediation
• Develop security policies and training
• Respond to security incidents
• Report on security posture to leadership

What you bring:
• 5+ years in security (mix of technical and program work)
• Experience building security programs at a growth-stage company
• Understanding of cloud security (AWS/GCP)
• Knowledge of compliance frameworks (SOC 2, ISO 27001)
• Strong communication skills (technical and executive audiences)
• Ability to work independently and prioritize
• Bonus: Development background

What we offer:
• Opportunity to build something from scratch
• Direct impact on company security
• Path to leadership as team grows
• [Compensation, benefits, etc.]

Interview questions for security hires

Technical:

  • "Walk me through how you would assess the security of our application."
  • "We have a SOC 2 audit in 6 months. What's your 90-day plan?"
  • "Describe a significant vulnerability you found and how you addressed it."
  • "How do you approach threat modeling for a new feature?"

Program building:

  • "Tell me about a security program you built. What worked? What didn't?"
  • "How do you prioritize security work when everything feels urgent?"
  • "How do you get buy-in from engineering teams who see security as a blocker?"
  • "Describe your approach to working with Security Champions."

Incident response:

  • "Tell me about a security incident you handled. Walk me through from detection to resolution."
  • "How do you balance speed vs. thoroughness during an incident?"
  • "How do you decide when to escalate or involve external resources?"

Culture and communication:

  • "How do you make security accessible to non-security people?"
  • "Describe a time you had to push back on a business decision for security reasons."
  • "How do you measure the success of a security program?"

Red flags in candidates:

  • Can't explain security concepts simply
  • Only talks about tools, not processes or people
  • No experience with business/product trade-offs
  • "Security says no" attitude
  • Can't give concrete examples

Expert insights

On the Security Champion role

"The best security organizations I've seen treat Security Champions as the front line of defense, not as a stepping stone. Champions who stay in their teams for years are incredibly valuable—they know everything about their domain and have earned trust that no external security team can replicate."

On first hires

"I've seen companies hire a CISO when they needed a security engineer. The CISO was frustrated because there was no one to lead, and the technical work wasn't getting done. Match the role to the actual need."

On team structure

"Don't copy Google's security org chart. They have different problems at different scale. Your structure should reflect YOUR risks, YOUR business, and YOUR resources. Start simple. Evolve as needed."

On champions with a security team

"When we hired our first security person, I was worried my Security Champion work would become irrelevant. The opposite happened. I became the security team's most valuable partner because I knew our product deeply. We work together, not in competition."

How to explain this to leadership

If you're advocating for first security hire:

"I've been handling security part-time, but we've reached the point where this isn't sustainable. Security work now consumes 50%+ of my time, and I'm still not covering everything we need. A dedicated security person will:

  • Own compliance efforts (SOC 2, ISO) that I can't fully commit to
  • Reduce risk that's currently unmanaged
  • Free me to return to full-time [primary role]
  • Enable Security Champions like me to focus on our teams

Investment: One senior hire (~$150-180K fully loaded). ROI: Faster compliance, reduced risk, unblocked enterprise deals."

If you're a new security leader explaining champions:

"Security Champions are our force multiplier. I can't be in every team meeting, review every PR, or know every codebase. But with a champion in each team:

  • Security is present everywhere
  • Issues are caught earlier
  • Teams have local experts they trust
  • My team focuses on what only we can do

I want to invest in the champion program, not replace it."

Workshop: security team planning

Part 1: Assess current state (1 hour)

  1. Document all security-related work happening today
  2. Who is doing it? How much time?
  3. What's not getting done?
  4. What are the risks of current gaps?

Deliverable: Security workload assessment

Part 2: Define target state (1 hour)

  1. What does "good" security look like in 12 months?
  2. What roles would support that?
  3. What would champions do vs. security team?
  4. How would they work together?

Deliverable: Target state description

Part 3: Build the roadmap (1 hour)

  1. What's the first hire profile?
  2. When is the right time?
  3. What's the transition plan for current champions?
  4. What's the business case?

Deliverable: Hiring roadmap and business case

Part 4: Champion program design (1 hour)

  1. How do champions work with security team?
  2. What's expected of champions?
  3. What do champions get in return?
  4. How do you measure success?

Deliverable: Champion program design for mature organization


Key takeaways

  1. Security Champions are not a stepping stone—they're a permanent part of the security model. Even with a CISO and full team, champions remain essential.

  2. A champion is like a mini-CISO for their team. Same mindset, smaller scope.

  3. You don't need to know everything. Know security in YOUR domain. That's valuable. That's enough.

  4. The security team enables, champions execute locally. It's a partnership.

  5. First hire should be a generalist. Specialists come later.

  6. Culture matters more than structure. A small team with strong champion partnerships beats a large team that ignores the business.

Conclusion

A security team doesn't replace Security Champions — it enables them. The champions handle security locally; the team sets standards, builds tooling, and handles what individual teams can't. That partnership is how security scales.

The Security Champion role you started with isn't a stepping stone you leave behind. It's the model you replicate across the organization.

What's next

Return to the course overview or explore the OWASP Security Champions Guidebook for community resources.