Security isn't a single department. A vulnerability in a container image and a regulator's compliance question both demand security attention — but they live in completely different worlds. The X axis arranges security work from narrowly technical on the left to broadly organisational on the right.
Three layers, six departments
Technical Security (left)
Closest to the code and the infrastructure.
- Infrastructure & Cloud Security — networks, identities, cloud configurations.
- AppSec & Product Security — application code, dependencies, secure SDLC.
Process & System Security (middle)
Where signals are turned into decisions and where security engineering lives.
- Security Engineering & Data Security — DLP, data flows, security tooling.
- Security Operations (SOC & IR) — detection, alerting, incident response.
Organisational Security (right)
The human and governance layer of security.
- GRC & TPRM — governance, risk, compliance, vendor risk management.
- Business Resilience & Security Awareness — crisis response, awareness, human risk.
Why this matters: a use case sitting on the right touches more stakeholders and faces more organisational friction than one on the left. The X axis is a rough proxy for change-management effort.