
Security & Infra: roles and what it does

Last updated on May 30, 2026

Secrets walled off. PII tracked. Audit packet ready before the auditor asks.

The team (head: Security & Infra Lead)

  • Security & Infra Lead
  • GRC & Compliance
  • AppSec
  • Incident Response
  • Privacy & Data Protection
  • Security Automation & Pentest

What this department actually does

  • Owns the posture and the threat model. Threat model and risk register kept current, security health reported monthly. You learn where you are exposed before an attacker shows you.
  • Keeps secrets and data walled off. Keys inventoried and rotated on a schedule, PII flows mapped, access reviewed. The privacy posture and DPA library kept current as the business changes.
  • Catches risk in the code. Application code and dependencies reviewed for risk, the dependency policy enforced, CVEs affecting production triaged by exploitability and patched before they bite.
  • Runs toward the incident, not away. On-call for security events, with containment, recovery, and a post-mortem for each one. Quarterly adversarial tests and tabletop drills, so the first real incident is not also the first rehearsal.

Example missions in your own words

You do not assign these tasks by hand. You type one sentence and the department scopes the work. A few realistic examples:

  • "Find every secret key we have and lock it down."
    Every key inventoried with its owner and scope, a rotation schedule set, stale and over-scoped keys revoked. The blast radius of a leak shrinks to something you can name.
  • "Map where customer data lives so I can answer a security questionnaire honestly."
    Every place PII lands documented, access reviewed, the data lifecycle written down. The questionnaire becomes a copy job, not a fire drill.
  • "Get us ready for a SOC 2 audit without me chasing evidence."
    Controls mapped to the framework, the evidence trail collected as the org runs, gaps flagged early. The auditor gets a packet, not a scramble.
  • "Review our top vendors for security risk before we sign anything."
    SOC 2 reports collected, DPAs filed, each vendor scored, and the risk register updated. The risky ones get flagged before the contract is signed.

Every artifact this department produces runs through the four-step review (builder, QA, reviewer, security) before it reaches you, and any risky move waits at one of the five approval points.