CISOs are constantly evaluating their organizations to ensure the competence and structure of the team aligns with business and risk management needs. This report examines key organizational development challenges for security leaders, explains a practical approach for establishing roles and responsibilities, and discusses two common models of security structure to use as a starting point.