Security Risk Team

Security Risk Team Charter

Mission Statement

To drive security and technology risk treatment at GitLab by empowering teams to make informed and intelligent decisions through proactive identification, monitoring, prioritization, and reporting of security and technology risks.

Value Proposition

We perform thorough, collaborative, and efficient risk assessments as well as drive risk reduction so that GitLab can achieve its goals while maintaining a high level of security.

Core Competencies

Security and Technology Operational Risk Management (STORM) Program

The Security Risk team manages an integrated Operational Risk Management program focused on the identification, assessment, continuous monitoring, and reporting of Security and Technology Risks across the organization. Risk Reduction is one of the five operating principles of the Security Department (Security Vision and Mission). As such, the Security Risk Team takes a leading role in providing the information leadership requires to establish our Strategic Roadmap and to support GitLab's key initiatives (internal only). Visit the STORM Program & Procedures handbook page for additional details, including templates and how we integrate with other risk programs at GitLab.

Need to communicate a potential risk to the team?

Please refer to the communication section of the STORM Program & Procedures page for the various ways team members can escalate potential risks to the Security Risk Team.

Security Third Party Risk Management (TPRM) Program

GitLab maintains an industry-leading Third Party Risk Management (TPRM) Program (/handbook/security/security-assurance/security-risk/third-party-risk-management) that uses AI-powered automation and continuous security monitoring to validate the security of GitLab data shared with external parties. The integration of the TPRM program into the vendor Procurement flow enables cross-functional collaboration between Privacy, Legal, IT, and People Operations, supporting transparent, data-driven decision making, business- and stakeholder-focused results, and adherence to GitLab's regulatory and compliance obligations. Vendor relationships maintained through this program are leveraged to create efficiencies across the organization.

Business Impact Analysis (BIA) and Critical System Tiering (CST)

The Business Impact Analysis (BIA) helps determine the systems critical to serving GitLab’s Customers. The output of the BIA is the designation of a Critical System Tier (CST) for a new system by the Security Risk Team.

Asset Inventory Maintenance

Establishing a complete and accurate inventory of assets is key to the success of GitLab’s Risk Program. The Security Risk Team coordinates with Business Technology to maintain oversight and accuracy of the Tech Stack.

Operating Model

Core Processes

| Function | DRI |
|---|---|
| Annual Risk Assessment | Kyle Smith |
| Business Impact Analysis | Nirmal Devarajan |
| New System Onboarding Checklist | Nirmal Devarajan |
| Critical System Tiering | Kyle Smith |
| Ongoing SecRisk-Related Observations Management | Nirmal Devarajan |
| Ongoing Risk Treatment | Kyle Smith |
| Ongoing TPRM Assessments | Ryan Lawson |
| Periodic SOX CUEC Facilitation | Nirmal Devarajan |
| Periodic TPRM Assessments | Eric Geving |
| Acceptable Use Policy Iteration | Eric Geving |
| TPRM Data Quality and Emerging Requirements Management | Eric Geving |
| STORM Metrics and Reporting | Kyle Smith |
| TPRM Metrics and Reporting | Ryan Lawson |
| TPRM Application Integrations | Ryan Lawson |

Engagement Models

  1. Report a Security or Technology Risk
  2. In GitLab, tag the team using @gitlab-com/gl-security/security-assurance/security-risk-team

Communication Channels

  1. Email: securityrisk@gitlab.com
  2. Slack: #security_help channel - Mention @security-risk
  3. GitLab: Tag the team across GitLab using @gitlab-com/gl-security/security-assurance/security-risk-team

Team Members

| Team Member | Role |
|---|---|
| Ty Dilbeck | Senior Manager, Security Risk |
| Nirmal Devarajan | Senior Security Risk Engineer |
| Eric Geving | Senior Security Risk Engineer |
| Ryan Lawson | Senior Security Risk Engineer |
| Kyle Smith | Staff Security Risk Engineer |

Strategic Initiatives

The Security Risk Team conducts periodic planning and prioritization to ensure that resources are dedicated to driving down risk. This includes facilitating risk treatment and, where applicable, taking ownership of control design and implementation. Please refer to the GitLab Operating Model for updates on cross-functional efforts involving Security Risk.

Review and Updates

This charter will be reviewed and updated quarterly to ensure alignment with:

  1. GitLab Strategy
  2. Security Division Mission and Vision
  3. Security’s Multi-year Strategy (internal only)
  4. Security Assurance Mission and Vision
  5. Security Assurance Multi-year Strategy (internal only)
