# platform-leadership
b
Question, what are the pros/cons of combining IT/Security org writ large into a Platform team's responsibilities? Compliance would not be baked in, but we are considering things like hardware orchestration/security beyond ENG, as well as SaaS stack/cloud costs, which I'm worried might conflict with our typical mandate of velocity and empowerment above all. However, for tiny startups, this integration of these purposes and subsequent flywheels can also have its advantages. We are about 50 engineers strong, and I'm looking to strengthen our Platform team in a time of market chaos, so adding to our purview is tempting from a leadership perspective.
n
There are two parts here. One is whether your platform should include security (and cost management), and the answer is yes, mostly. As much as you can offload from your devs into the platform, the better.
The second part, whether it makes sense to merge a security org with a platform org, is highly context dependent. Generally, having the platform team work on not-platform stuff tends to be a warning sign that your platform team is just a dumping ground or a fancier name for IT, but for small companies, you also don't always have the money to have multiple people doing the same job for different audiences.
Also, having done similar things in the past, I can assure you no one in a platform org wants to manage laptops 🤣
b
Haha. Makes sense. We are looking at it as a transitional move till growth phase. Thank you so much for this!
a
FWIW I believe engineering should always own compliance execution and compliance should own the roadmap/requirements/strategy. It's similar to a PM <> Eng relationship. If you try to bolt on compliance later without engineering understanding the plan it becomes significantly harder. It should be possible for you to start to stack compliances with minimal work if engineering does their job correctly and compliance builds a strategy that overlaps controls.
Also I really think Security and compliance should be separate functions. It's like combining reliability and velocity historically. Until there's a very senior person they get conflated. Again, security owns a layer of execution and ensuring their plan maps back to the compliance business needs. Compliance should be driven from sales requirements / TAM, not from security requirements.
v
One aspect to consider when answering that question is … who are your customers? If your goal is that your platform team builds an IDP for your engineering organisation, I would perhaps not mix that with building (or serving) for another type of customer, because then you'll have competing priorities. Should you focus on speeding up the build on your pipeline so that your devs get faster feedback, or should you upgrade the firmware on the routers at your premises… I advise keeping those domains separated.
b
Andrew, Victor, copy that and great additional perspectives. Here's what I'm struggling with for IT: it all flows to what is success. For our audience (IDP), DevX satisfaction scores (CSAT across dev, deploy, prod environments), MTTR, and Pipeline Duration are the MVP KPIs we have identified. Here is my assessment currently after thinking it out with this group. Let me know if you agree/disagree, or general thoughts:
• IT doesn't align long term, and it's temporary under our ownership: How does IT for a non-eng audience flow up to our KPIs/mandate of success?
• Compliance doesn't align strategically (but we need to own operationally), and that hard line is necessary from an audit/competing interest perspective.
• Security across product, IDP aligns: we are reducing cognitive load and the ability for threats/non-compliance to shut us down. But @Andrew Fong I see how security conflicts with Platform velocity goals as well, but what would you say to a small scale org looking to justify its alignment until a larger scale?
• Cost control aligns but doesn't seem like a strategy or component of Platform/IT at our scale. It's more of a "here is our line item similar to industry standards, we spend it best we can as long as the KPI #s are hitting their goals" vs. % of Cloud Spend/IT spend/SaaS stack spend as a KPI (which seems like a bad idea, at least in the technical suite; maybe operations can worry about that one). Agreed?
a
At smaller scale all this comes down to leadership; there's no easy-to-build rubric.
I've seen IT fit fine into a platform org, but the IT leader was strong and understood the narrative to carry. It's ok for not all metrics to flow up or for them to be handled out of band.
b
thanks Andrew!
t
We approached this by having separate Product Security and Corporate Security teams. Our Product Security team sits in the same division as our Platform team and reports to the CTO with a dotted line to the CISO. Our Corporate Security team is headed by the CISO and reports to the CIO/CFO org. This allows us to have separate teams with clear goals that are still aligned on a leadership level, which is working great for us. The following article was the inspiration for this setup: https://www.sans.org/white-papers/34237/