Skip to content

Four Strategic Positions

Understanding Where You Are Determines What You Should Do

The two-axis positioning model creates four distinct strategic positions. Each position faces different security challenges and requires different sequencing and pace to scale security capabilities. What it does not change is what the program must ultimately contain.

Critical Insight: Your position changes almost everything about your security program. It does not change what the program is for. Every quadrant owes the same containment: deny-by-default limits on authority. Code review and human comprehension were never able to police that authority at the scale enterprises already run. That containment is the floor. How you enforce it fits your scale: a small shop on a single workload contains it with host isolation and tight access scoping; a large mesh contains it with workload identity. Same floor, mechanism fit to scale. What your position decides is how fast you reach that containment, what you fund first, and what pace the rest of the program can sustain. A Studio organization that funds security like a Lean enterprise creates coordination overhead it does not need; a Mass organization that promises Studio timelines will miss them.


The Four Strategic Positions

Studio: Small reach + Higher Readiness

Who You Are:

  • Narrow granted authority: no automated actor crosses trust boundaries (a small team is the usual correlate rather than the cause)
  • Cloud-native infrastructure from inception
  • Automated CI/CD pipelines and modern DevOps practices
  • API-driven operations and infrastructure-as-code
  • Minimal legacy technical debt

Your Security Approach: Enable security through modern tooling and self-service capabilities. Use your technology advantages rather than building processes that assume operational constraints you don't have.

Strategic Focus: Build security automation from day one. Don't create manual processes you'll need to replace in 18 months. Your higher operational readiness makes automation achievable now, and your small reach means there's little cross-boundary authority to coordinate and govern.

Key Investment Priorities:

  1. Automated Supply Chain Security: Dependency scanning and update automation with minimal manual intervention
  2. Pipeline-Native Security: Security checks integrated directly into CI/CD with immediate developer feedback
  3. Self-Service Security Capabilities: Cloud platform security features that "just work" without security team involvement
  4. Observability-First Runtime Security: Cloud-native monitoring with automated alerting and incident response

Common Pitfalls to Avoid:

Don't Build for Future Complexity

Risk: Implementing enterprise-scale security architecture "because we'll need it eventually"

Symptoms: Multi-week security design reviews, approval workflows for two-person teams, committee decision-making

Solution: Build for your current reality. Add governance weight only when your reach actually widens.

Success Indicators:

  • 6 Months: Automated dependency scanning covers 95%+ of codebases, security checks integrated in all pipelines with <5 minute feedback loops
  • 12 Months: Zero manual security reviews for standard deployments, developers resolve 80%+ security issues without security team involvement
  • 24 Months: Security automation enables 3-5x growth without proportional security team expansion

Movement Path: As you grow, you'll naturally grant more authority and widen your reach. Your challenge is keeping containment ahead of that reach: transition to Lean rather than falling into the Mass trap of widening reach faster than you can contain it.

See Studio Implementation Guide


Lean: Large reach + Higher Readiness

Who You Are:

  • Broad granted authority across the estate, held with the floor built (large scale is the correlate; reach is set by authority rather than headcount)
  • Sophisticated DevOps and platform engineering practices
  • Comprehensive observability and automation across the enterprise
  • Mature change management and incident response processes
  • Strong engineering culture with continuous learning focus

Your Security Approach: Orchestrate enterprise security architecture with integrated learning culture. Enable security at scale through platform engineering and federated champions who configure the boundaries the platform enforces.

Strategic Focus: Optimize security operations at enterprise scale while maintaining innovation velocity. Your advantage is operational sophistication. Use it to embed security into engineering platforms rather than building centralized security bottlenecks.

Key Investment Priorities:

  1. Security Platform Engineering: Self-service security capabilities available across all teams and products
  2. Federated Security Champions: Engineers inside each team who set the team-level boundaries the platform then enforces: capability scopes, deny-by-default grants, the guardrails their team ships inside. The platform team authors the paved road; champions set the boundaries within it and feed the threat models that shape it. The leverage is configuration rather than inspection, so enforcement scales without a human in the path of every change. The boundary-setting is itself threat modeling and risk judgment rather than a config chore: the enforcement is delegated to the platform, the judgment is not.
  3. Enterprise Architecture Integration: Security embedded in platform decisions and organizational standards
  4. Continuous Security Intelligence: Automated threat detection with predictive insights and proactive response
  5. Cultural Scaling Mechanisms: Learning from incidents and scaling security knowledge across the organization

Common Pitfalls to Avoid:

The Coordination Overhead Trap

Risk: Security program becomes a bottleneck due to enterprise coordination requirements

Symptoms: Multi-week security architecture reviews, declining developer satisfaction, increasing workarounds

Solution: Federate security decision-making to engineering teams with clear guardrails. Centralize platform capabilities rather than every security decision.

Success Indicators:

  • 6 Months: Security platform adoption across 70%+ of teams, measurable reduction in security review wait times
  • 12 Months: Security champions program active in all major teams, 60%+ of security issues resolved without central team involvement
  • 24 Months: Security capabilities scale automatically with organizational growth, security becomes competitive advantage

Movement Path: Stay in Lean by continuously evolving security capabilities to match organizational scale. Falling into Mass happens when readiness can't keep pace with widening reach, so maintain platform investment velocity.

See Lean Implementation Guide


Craft: Small reach + Lower Readiness

Who You Are:

  • Narrow granted authority, held by hand rather than by a proven floor
  • Legacy systems or manual deployment processes
  • Limited automation and observability
  • Straightforward product or service offering
  • Often resource-constrained or bootstrapped

Your Security Approach: Focus on operational readiness foundations while maintaining essential security capabilities. Accept manual security processes initially, but invest strategically in readiness improvements that enable future automation.

Strategic Focus: Build operational capabilities systematically while maintaining security coverage. Your small reach means a failure stays contained even when caught by hand, so you can afford some manual processes temporarily. Use this breathing room to invest in readiness infrastructure.

Key Investment Priorities:

  1. Critical Supply Chain Controls: Basic dependency scanning and critical vulnerability management
  2. Foundational Readiness Infrastructure: CI/CD basics, infrastructure documentation, change management fundamentals
  3. Essential Runtime Monitoring: Basic production monitoring and incident response capabilities
  4. Process Documentation: Record what works to enable eventual automation and knowledge transfer

Common Pitfalls to Avoid:

The Permanent Manual Process Trap

Risk: Treating manual processes as acceptable long-term state rather than temporary necessity

Symptoms: "This is how we've always done it," no automation roadmap, resistance to process changes

Solution: Be explicit that manual processes are temporary. Document current state as foundation for future automation. Invest consistently in readiness improvements.

Success Indicators:

  • 6 Months: Critical dependencies monitored, basic CI/CD pipeline operational, documented security processes
  • 12 Months: 30-50% automation of security checks, measurable reduction in manual security work
  • 18-24 Months: Operational readiness sufficient to support automation investments, movement toward Studio position

Movement Path: Move toward Studio by investing in operational readiness. This single-axis movement is achievable. Prioritize cloud migration, DevOps tooling, and automation infrastructure over widening your reach.

See Craft Implementation Guide


Mass: Large reach + Lower Readiness

Who You Are:

  • Broad granted authority accumulated across a legacy estate, with no proven floor under it
  • Significant technical debt and mixed infrastructure (legacy + modern)
  • Manual processes coexist with automated systems
  • Complex compliance and regulatory requirements
  • Multiple organizational changes or acquisitions

Your Security Approach: Pragmatic security within constraints while enabling gradual modernization. Accept that full transformation takes 3-5 years. Don't promise 12-month miracles.

Strategic Focus: Balance current operational demands with strategic modernization investments. The reach you already hold prevents rapid transformation, but your scale justifies investment in foundational improvements.

Key Investment Priorities:

  1. Pragmatic Supply Chain Controls: Risk-based approach given limitations; focus on critical paths and crown jewels
  2. Hybrid Security Architecture: Solutions that work across legacy and modern systems without requiring full modernization
  3. Strategic Technical Debt Reduction: Systematic elimination of highest-risk legacy constraints enabling future automation
  4. Change Management and Communication: Organizational alignment on multi-year transformation reality and sequencing
  5. Quick Wins for Credibility: Visible improvements that build organizational confidence in long-term transformation

Common Pitfalls to Avoid:

The Diagonal Transformation Trap

Risk: Attempting to shrink reach AND build containment at the same time, the highest failure risk

Symptoms: Aggressive transformation timelines, simultaneous re-platforming and process overhauls, widespread disruption

Solution: Sequence changes carefully. Typically, build the containment floor first (the Mass → Lean climb) to enable automation at scale. Accept 36-60 month timeline.

Success Indicators:

  • 12 Months: Hybrid security solutions operational, critical technical debt reduction projects started, transformation roadmap with executive buy-in
  • 24 Months: Measurable automation improvements in high-value areas, improved operational readiness metrics, cultural momentum toward transformation
  • 36-60 Months: Substantial progress toward Lean position, security increasingly enabling business rather than constraining it

Movement Path: Most Mass should move toward Lean by investing in operational readiness while managing existing complexity. This is difficult but achievable with sustained executive support and realistic timelines. Attempting to simplify operations (Mass → Craft) rarely succeeds. It requires major business restructuring.

See Mass Implementation Guide


Confirm Your Position

Confirm which quadrant you are in with the position assessment on the Two-Axis Model page. It walks you through the same reach and readiness questions that define the axes.

Strategic Position and Investment Strategy

Your strategic position determines your optimal approach to the investment portfolio, including how you constrain business-as-usual work and where you invest instead:

Position BAU Approach Constraint Mechanism Scaling Investment Focus Timeline to ROI
Studio Minimal BAU burden initially Avoid creating manual processes to begin with Automation-first from inception 6-12 months
Lean Systematic BAU constraint Self-service platform + clear escalation paths Platform capabilities at scale 12-18 months
Craft Manageable manual BAU Keep manual scope small; document while building readiness Foundational readiness infrastructure 18-24 months
Mass High BAU burden requiring constraint Triage system + strategic automation pilots Strategic debt reduction + readiness 24-48 months

Common Position Misidentification

Startup Founder Self-Assessment: "We're obviously Craft, we're small and scrappy!"

Reality Check: If you're cloud-native with automated deployments, you're Studio. Your reach is small because no automated actor holds broad authority, rather than because the team is small, and your modern stack is high readiness. Don't build manual processes just because you're small.


Established Enterprise Self-Assessment: "We're Lean, we have mature security programs!"

Reality Check: If you're running significant legacy infrastructure with manual deployments, you're Mass regardless of security team size. Your reach is large, but operational readiness is constrained by technical debt.


High-Growth Startup Self-Assessment: "We're Studio scaling successfully!"

Reality Check: If you're widening reach faster than you can contain it, you're moving toward Mass (large reach, lower readiness). Maintain containment investments or you'll face the diagonal transformation trap.


Next Steps

  1. Confirm your quadrant: Use the position assessment on the Two-Axis Model page
  2. Review Movement Paths: Understand how to transition strategically
  3. Read Your Implementation Guide: Apply position-specific guidance from 06-implementation/
  4. Evaluate Contextual Modifiers: Understand how your specific situation affects implementation

Back to Two-Axis Model Continue to Movement Paths

Edit this page