# Product Security Team Staffing, Capacity, and RASI Workbook
Why this page exists: Product Security directors eventually need a simple workbook that supports headcount planning, role coverage, and who-does-what mapping across AppSec, DevSecOps, architecture, platform, QA, and leadership.
## What is inside
| Sheet | Use it for |
|---|---|
| Role Catalog | Explain what each role exists to do and how it maps to domains. |
| Staffing Model | Compare current FTE, target FTE, gaps, and hiring priority. |
| Coverage Planner | Make domain ownership and backup ownership explicit. |
| RASI Matrix | Map recurring Product Security activities to responsible, approving, supporting, and informed roles. |
| Hiring Roadmap | Turn the FTE gap into a staged hiring plan. |
| References | Keep source URLs and design assumptions in one place. |
## How to use it
- Replace placeholder staffing numbers with your real current-state and target-state data.
- Rename or split roles to match your operating model.
- Decide whether RASI or RACI is the official responsibility language and keep it consistent.
- Review the workbook alongside the policy templates for roles, SoD, metrics, and champions governance.
## Good practice
Do not use a staffing workbook only as an HR list. It becomes useful when it answers three leadership questions:
- who owns each Product Security domain;
- where coverage is thin or single-threaded; and
- which activities still depend on heroic individuals rather than a stable operating model.