I have a practical question regarding organizational design:
what is the recommended ratio between a threat modelling team’s head count (assume full time employees) and the developer organization’s head count (possibly including plattform teams or other roles involved in DevOps practices)
similar ratios between AppSec team head count (doing also threat modelling) and dev org (again broadly speaking) would also be appriciated.
Even though I approciate opinions and personal accounts also, this time I am primarily looking for studies, case studies, recommendations from think-thanks, etc. I need this for decision support materials, so it needs to be a referencable source (not “hearsay”).
great question! Sounds as if you are at the start of a great C-level backed campaign.
As a primary thought point, I would recommend you to first evaluate which concept you would want to choose for your organization - centralized or decentralized setup. This alongside with regulatory aspects (e.g. number of assessments required per year) has quite an impact on the statistic.
From my own experience in setting this up in two organization with thousands of developers, I would highly recommend the decentralized approach. In this approach the central team is rather small (depends on org size but 3-6 should be a good number). It is responsible to initiate the methodology, conduct research, provide the tooling and process foundation, as well as training of colleagues. This setup is tightly bound with a security champion program approach and equates with 1 security champion being trained for every 10-30 developers.
The central approach has tight constraints on the number of applications, cadence of assessments and the development culture. The reason I do not recommend it, is that it often times leads to ineffeciency and wrong expectations in the responsibility not only for conducting but also resolution of security findings. It also comes as a challenge for you as the accountable manager of the service to rationalize additional headcount over the period of time.
I do not have concise research papers at hand. Though, I would recommend you to check into the direction of security champions/experts research.
