The pure classical approach has a problem: Security and developer do not speak the same language and misunderstand frequently. The results is silos- acting, isolation, finger pointing etc.
- Developer - part of the team that can answer concrete engineering questions on daily bases
- Doted line report to security engineering (20%-40% of yearly goes)
- Organic member – take an existing team member and build him to become security expert - Security Trainings, Certification and Conferences etc.
- The Sec Master must not be: the worst coder that the team gladly will spare for security. He must be highly credible and respected.
- It has to report or escalate if serious security issues are coming in the developing
- Security engineering department for security intensive projects, like Firewalls etc
- Security Archotect
- Security Quality Assurance and IT Risk
- Chef IT Security Officer
- Security Operation
- all other security relevant departments, see ISO 27000 for more info
How the organization is may look like, it is up to company. Here a simplified example showing only some departments.
