01 · Situation
An R&D Team Operating in the Dark
A small cybersecurity firm — fifteen people at the point this work began, with six in the R&D team — working with regulated and defence-sector clients. The majority of the organisation consisted of experienced cybersecurity consultants, many with military and government backgrounds. Trust, discretion, and operational integrity were not abstract values. They were commercial necessities.
The R&D team sat inside this organisation as a distinct unit: five people building commercial software products while the rest of the firm delivered consultancy work. The R&D team's work — its risks, its security posture, its control environment — was largely invisible to the rest of the organisation, including the CTO and security controller.
⚠️
The visibility gap. Senior leadership had no structured view of what the R&D team was doing, what risks it was carrying, or whether those risks were being actively managed. In an organisation working with defence-sector clients under revenue pressure, that gap was not just a governance problem — it was a reputational and financial one.
There was no CISO, no internal audit function, and no formal security governance structure for the R&D function. As the sole Business Analyst embedded in the R&D team, the visibility to see the gap and the responsibility to close it sat in the same role.
The Security Working Group did not emerge from a brief or a job description. It was the third piece of a connected body of work. The shift-left programme had addressed the control environment. The secure by design work had embedded security into the commercial product. What was missing was the governance layer that made all of it visible, continuous, and accountable to the people who needed to act on it.
Four purposes shaped the decision to build it.
🏛️
External credibility
The CEO and security controller needed to see that the R&D team was taking security seriously, not just shipping features. Given the firm's client base and colleagues, that was not optional.
🤝
Internal confidence
The team needed to know that the controls they had implemented were being monitored and that doing the right thing was visible, not assumed.
🔗
Client trust
Clients onboarding a new vendor do not want to inherit that vendor's risk. A documented, continuously monitored security posture gave the product manager something concrete to put in front of them.
📅
A forward bet on compliance
There was no CE+ or ISO 27001 deadline three months away. But both were coming eventually, and starting the governance work early would compress the preparation time when they did.
That last point matters. This was not a reaction to an existing requirement. It was an anticipation of one that did not yet exist.
02 · Complication
What Was at Stake
The absence of engineering risk visibility created three categories of organisational exposure — none of which were being tracked or reported.
🏛️
Reputational risk. The firm's client base included defence-sector organisations and former military personnel. Any security failure — operational or technical — risked damaging relationships built on trust and discretion. The CTO was answerable to the board and CEO not just on revenue, but on anything that could affect the organisation's reputation.
💰
Financial risk. As a small organisation with less than £5 million in annual turnover, the financial consequences of a client trust failure or contract loss were disproportionately large. Revenue pressure was real — the R&D team existed to generate commercial returns — but without visibility of the risks being carried, leadership could not make informed trade-offs.
⚙️
Operational risk. Following a production incident that triggered the shift-left security programme, it became clear that the R&D team's control environment needed ongoing governance — not a one-off remediation exercise. Controls needed to be tracked for effectiveness, not just implemented and forgotten.
03 · Resolution
The Approach
The Security Working Group was established in parallel to the shift-left controls remediation programme. The logic was straightforward: implementing controls was necessary but not sufficient. Someone needed to track whether those controls were working, whether residual risk was changing, and whether the organisation's leadership understood what was happening inside the R&D function.
Nobody asked for this structure to be created. The need was identified, the format designed, the agenda set, and the first meeting convened. The initiative was self-directed from start to finish.
The R&D team was not just serious about generating revenue by shipping features. We were also serious about maintaining trust with our clients, especially those in regulated sectors, and protecting the organisation internally. The working group was how that was made visible.
1
Gap identified
No governance structure existed for engineering risk
2
Format designed
Monthly cadence, selective attendance, structured agenda
3
Intelligence gathered
Sprint reviews, retrospectives, engineer conversations
4
Risk synthesised
Material risks, control status, ownership, challenges
5
Reported to leadership
CTO, product manager, security controller
04 · Stakeholders
Three Stakeholders, Three Different Needs
The working group brought together three senior stakeholders, each with a distinct relationship to the risk being reported. Understanding what each person needed — and translating the same underlying risk picture into the right language for each — was central to the meeting's effectiveness.
Chief Technology Officer
Board accountability
Answerable to the board and CEO on anything affecting the organisation's reputation and operations. Needed assurance that the R&D team was managing security risk proportionately — not just shipping features — so that technology risk did not become a board-level problem.
Product Manager
Delivery under pressure
Primary focus was shipping features on time. Needed to understand why security investment now was less expensive than retrofitting controls after a scale event — and why remediation work belonged in the sprint backlog alongside feature delivery, not after it.
Security Controller
Compliance visibility
Principal cybersecurity consultant overseeing internal compliance posture. The engineering team had been opaque to the wider organisation. The working group gave the security controller the evidence base needed to drive compliance and procurement activities — without having to build it from scratch.
05 · Meeting Design
How the Working Group Actually Ran
The format was deliberately lean. Meetings ran 15 to 30 minutes depending on the severity of active control implementations. Attendance was selective — the product manager was only included when agenda items were directly relevant to her decisions. Time was treated as a resource to be managed, not consumed.
01
Material risk summary
Overview of active material risks: risk statement, inherent rating, residual rating, any change since last session.
All attendees
02
Control implementation status
Progress against agreed controls: what is implemented, what is in progress, what is blocked, and who owns each item.
All attendees
03
Control effectiveness review
Are the controls that are in place actually working? Any drift in access rights, credential hygiene, or change authorisation since last session.
All attendees
04
Challenges and blockers
Anything impeding remediation progress — resource constraints, competing delivery priorities, or technical dependencies requiring escalation.
CTO + SC only
05
Data architect input (ad hoc)
Invited on an as-needed basis when technical implementation decisions required direct input from the engineering lead.
Ad hoc
06 · Intelligence Sources
How the Risk Picture Was Built
Building the working group report required judgement before it required writing. Every session started with the same question: what was material enough to escalate, what could wait, and what needed to be reframed before it reached a senior audience. The engineers reported on remediation status. The working group reported on risk. Those are not the same thing, and the translation between them was the work.
🔄
Sprint reviews
Engineers provided remediation status updates on Jira tickets during sprint reviews. These were used to track control implementation progress against agreed timelines and flag slippage.
🔍
Retrospectives
Security-relevant observations surfaced during retrospectives — process failures, near-misses, emerging risks — were captured and fed into the working group agenda where material.
💬
Direct engineer conversations
Engineers raised technical concerns directly via Slack — data access issues, GitHub permissions, pipeline anomalies. These conversations provided ground-level intelligence before it became a formal risk.
📋
Confluence risk register
The live risk register in Confluence tracked inherent and residual ratings for all material risks. The working group was the governance layer that kept the register honest and current.
🎫
Jira control tracking
Every control gap had a corresponding Jira ticket with assigned ownership, sprint prioritisation, and validation criteria. Closure was confirmed before tickets were marked done.
🏗️
Access control reviews
Periodic reviews of access rights across both environments — cross-referenced against role requirements — surfaced drift and fed directly into the working group's control effectiveness agenda item.
08 · Reflection
What I Would Do Differently at Scale
This work was self-directed and built proportionately for a small, early-stage organisation without a formal security governance structure. The following is an honest assessment of its limitations and what a more mature organisation would do differently — alongside a distillation of how the work was driven without formal authority.
How this was driven without formal authority
1
Identified the governance gap before being asked to — nobody commissioned this work
2
Designed the format deliberately: lean enough to sustain, structured enough to be credible
3
Managed senior stakeholders' time as a resource — selective attendance, clear agendas, 15 to 30 minutes
4
Synthesised ground-level engineering intelligence into a risk picture leadership could act on
5
Maintained transparency throughout — what was going well, what was not, what needed escalation
Honest limitations and what I would do differently
1
No independent verification — identifying risks, recommending controls, and tracking their effectiveness sat in the same role. At the organisation's stage of maturity this was appropriate, but it would not scale. An internal audit function or independent assurance layer would be needed as the organisation grew.
2
Scope was limited to the R&D function. At scale, a more integrated governance structure would connect engineering risk to enterprise-wide risk management.
3
Control effectiveness measurement was primarily qualitative. At scale, quantitative metrics would be built: access drift rates, change authorisation compliance rates, mean time to remediate by severity.