This message was deleted.

There's two parts here, one is should your platfrom include security (and cost management) and the answer is yes, mostly. As much as you can offload from your devs into the platform, then better.

Haha. Makes sense. We are looking at it as a transitional move till growth phase. Thank you so much for this!

FWIW I believe engineering should always own compliance execution and compliance should own the roadmap/requirements/stragey. Its similar to a PM <> Eng Relationship. If you try to bolt on compliance later without engineering understanding the plan it becomes significantly harder. It should be possible for you to start to stack compliances with minimal work if engineering does their job correctly and compliance builds a strategy that overlaps controls.

One aspect to consider when answering to that question is … who are your customers? If your goal is that your platform team builds an IDP for your engineering organisation, I would perhaps not mix that with building ( or serving ) for another type of customers, because then you’ll have competing priorities. Should you focus on speeding the build on your pipeline so that your devs get faster feedback, or should you upgrade the firmware on the routers at your premises… I advice towards keeping those domains separated.

Andrew, Victor, copy that and great additional perspectives. Here's what I'm struggling with for IT: it all flows to what is success. For our audience (IDP), DevX satisfaction scores (CSAT across dev, deploy, prod environments ), MTTR, and Pipeline Duration are the MVP KPIs we have identified. Here is my assessment currently after thinking it out with this group. Let me know if you agree/disagree, or general thoughts: • IT doesn't align long term, and its temporary under our ownership: How does IT for non engs audience flow up to tho our KPIs/mandate of success? • Compliance doesn't align strategically (but we need to own operationally), and that hard line is necessary from an audit/competing interest perspective. • Security across product, IDP aligns: we are reducing cognitive load and the ability for threats/non-compliance to shut us down. But @Andrew Fong I see how security conflicts with Platform velocity goals as well, but what would you say to a small scale org looking to justify its alignment until a larger scale? • Cost control aligns but doesn't seem like a strategy or component of Platform/IT at our scale. It's more of a "here is our line item similar to industry standards, we spend it best we can as long as the KPI #s are hitting their goals" vs. % of Cloud Spend/IT spend/SaaS stack spend as a KPI (which seems like a bad idea, at least in the technical suite, maybe operations can worry about that one- agreed?

smaller scale all this comes down to leadership, there’s no easy to build rubric

thanks Andrew!

We approached this by having separate Product Security and Corporate Security teams. Our Product Security team sits in the same division as our Platform team and reports to the CTO with a dotted line to the CISO, Our Corporate Security team is headed by the CISO and reports to the CIO/CFO org. This allows us to have separate teams with clear goals that are still aligned on a leadership level which is working great for us. The following article was the inspiration for this setup: https://www.sans.org/white-papers/34237/