@accidentalciso The problem is that when you make the security team responsible for the topics, the other teams will consider everything that has remotely to do with security their job. And how should that work out with 20 development teams and one security team. Sure, you can make the security team responsible for the actual doing of things, but then please scale the team to an appropriate size. I think having dedicated sec people in the dev teams and only a core sec team is way more efficient.