Security Risk Team

Security Risk Mission

To drive security risk treatment at GitLab by empowering teams to make informed and intelligent decisions through proactive identification, monitoring, prioritization, and reporting of security risks.

Core Competencies

Security Operational Risk Management (StORM) Program

The Security Risk team manages an integrated Operational Risk Management program focused on the identification, assessment, continuous monitoring, and reporting of Security Risks across the organization. Risk Reduction is 1 of 5 of the Security Department’s operating principles (Security Vision and Mission). As such, the Security Risk Team takes a leading role in providing the information required by leadership to establish our Strategic Roadmap and our quarterly Objectives and Key Results (OKRs).

Visit the StORM Program & Procedures handbook page for additional details, including a quick introduction to Risk Management at GitLab as well as information about the purpose, scope, and specific procedures executed as part of the program.

Need to communicate a potential risk to the team?

Please refer to the communication section of the StORM Program & Procedures page for information on the various ways that team members can use to escalate potential risks to the Security Risk Team.

Security Third Party Risk Management (TPRM) Program

GitLab maintains an industry-leading Third Party Risk Management (TPRM) Program through the use of automation, continuous monitoring, and deep integration across business functions to validate the security of GitLab data shared with external parties.

The integration of GitLab’s TPRM program within the vendor Procurement flow enables cross-functional collaboration between Privacy, Legal, IT, and People Operations to facilitate transparent, risk-based decision making, Business and Stakeholder-focused Results, and adherence to GitLab’s Regulatory and Compliance Obligations. The vendor relationships maintained through this program are leveraged to create efficiencies across the organization.

Business Impact Analysis (BIA) and Critical System Tiering (CST)

The Business Impact Analysis (BIA) helps determine the systems critical to serving GitLab’s Customers.

The output of the BIA is the designation of a Critical System Tier (CST) for a new system by the Security Risk Team.

Asset Inventory Maintenance

Establishing a complete and accurate inventory of assets is key to the success of GitLab’s Risk Program. As such, the Security Risk Team collaborates closely with IT and Business Owners to ensure new systems are added to the Tech Stack.

Team Members

Team Member Role
Ty Dilbeck Manager, Security Risk
Eric Geving Senior Security Risk Engineer
Kyle Smith Senior Security Risk Engineer
Ryan Lawson Senior Security Risk Engineer
Nirmal Devarajan Security Assurance Engineer

Functional DRIs

While the DRI is the individual who is ultimately held accountable for the success or failure of any given project, they are not necessarily the individual that does the tactical project work. The DRI should consult and collaborate with all teams and stakeholders involved to ensure they have all relevant context, to gather input/feedback from others, and to divide action items and tasks amongst those involved.

DRIs are responsible for ensuring a handbook-first approach to their project(s) and challenging existing processes for efficiency.

Function DRI
Annual Risk Assessment Kyle Smith
Business Impact Analysis Nirmal Devarajan
New System Additions to Tech Stack and Post-Implementation Checks Nirmal Devarajan
Critical System Tiering Kyle Smith
Ongoing SecRisk-Related Observations Management Nirmal Devarajan
Ongoing Risk Treatment Kyle Smith
Ongoing TPRM Assessments Ryan Lawson
Periodic SOX CUEC Facilitation Eric Geving
Periodic TPRM Assessments Eric Geving
TPRM Data Quality and Emerging Requirements Management Eric Geving
StORM Metrics and Reporting Kyle Smith
TPRM Metrics and Reporting Ryan Lawson
TPRM Application Integrations Ryan Lawson

Contact the Team

Return to the Security Assurance Homepage

Security Operational Risk Management (StORM) Program & Procedures
Not a GitLab team member but want to provide feedback on our StORM program? We receive feedback from GitLab team members regularly and we wanted to provide a mechanism for non-GitLab team members to provide feedback as well to help us iterate and align more closely with our values. If you are not a GitLab team member and would like to provide feedback on our Security Operational Risk Management (StORM) program or methodology, plese use this feedback form to submit anonymous feedback.
Security Third Party Risk Management
GitLab’s Integrated Third-Party Risk Management Program GitLab maintains an industry-leading Third Party Risk Management (TPRM) Program through the use of automation, continuous monitoring, and deep integration across business functions to validate the security of GitLab data shared with external parties. The integration of GitLab’s TPRM program within the vendor Procurement flow enables cross-functional collaboration between Privacy, Legal, IT, and People Operations to facilitate transparent, risk-based decision making, Business and Stakeholder-focused Results, and adherence to GitLab’s Regulatory and Compliance Obligations.
SOX CUEC Mapping Procedure
Purpose In accordance with ITGC SR.1 - SOC Report Review, GitLab executes annual CUEC mappings of our internal controls to each SOC report associated with a SOX in scope application to ensure controls are adequately designed to address the CUEC requirements outlined in the SOC report. This activity is executed in Q1 of each fiscal year in order to gain the greatest coverage for the prior fiscal year. Scope Formal CUEC mappings are limited to SOX in scope third party SaaS applications as defined by management.
Last modified March 27, 2024: Update SR Team HB to reflect functional changes (974b128c)
View page source - Edit this page - please contribute. Creative Commons License