Cybersecurity organizations at large enterprises are increasingly debating the risks and benefits of running a centralized versus a decentralized information security program. Regardless of your organization's size, industry, or age, this is a question every security program has to answer.
With the rise of technologies like cloud services and blockchain, decentralized models have become a growing trend in today's business environments. These models differ markedly from the centralized models that were the norm in the early 2000s, and this article explains the key advantages and disadvantages of each.
Today's Reality
Today, most CISOs work in hybrid organizations: business departments have autonomy over the programs and solutions that help them meet their goals, while operational functions such as IT and HR operate within a centralized model. Take a large healthcare system as an example. Within that system, individual hospitals and healthcare providers make their own strategic business decisions, but IT choices such as hardware and platform standards are set system-wide. As CISOs place increasing importance on shifting left, information security needs to be involved in every aspect of business and risk management, ideally from the beginning. It therefore needs a strong presence in every part of the organization, even in highly distributed environments like healthcare systems. A completely centralized model that works for the IT organization, however, may not work for information security as a whole.
Many CISOs have created centralized information security teams that operate within their decentralized organizations. In the past, CISOs leveraged informal partnerships such as Security Ambassadors to ensure security is represented at all times. Security Ambassadors are non-technical employees outside the information security team who act as security champions for their part of the organization.
Recently, we're seeing security leaders look to their executives and board to help weave security into the fabric of the organization's culture. Lance Spitzner, Director of the SANS Institute, stated on page 8 of our March 2019 issue of Feats that his executives understand "that security is not just an IT problem, it’s also about business issues, soft skills issues, and human issues. We’re starting to see the CISO not as an IT person managing an IT problem, but the whole business. It’s less about technology and more about managing risk, and you can see it as more CISOs are reporting to the top."
How can decentralized organizations manage and respond to risks?
While ownership and understanding are potential benefits of the decentralized model, the approach also creates new risks and challenges. For example, when risk is managed in a decentralized model, careful communication and planning are needed to ensure that risks are not transferred from one business unit to another without that unit's awareness or consent.
5 Benefits of a Decentralized Security Model
1. Employees take greater ownership of risk
2. More awareness of information security company-wide
3. Can enable faster innovation
4. Greater autonomy to achieve business goals
5. Information security is embedded within each department
5 Challenges of a Decentralized Security Model
1. No consistency across the organization
2. Requires stronger and more consistent communication
3. Risk can be overlooked or mischaracterized
4. Still requires strong central support and guidance
5. Requires more staff
Centralized vs. Decentralized: Which one do you need?
As with many architecture questions, business needs should be the primary consideration when choosing between the two models. If an organization needs an easy-to-manage program that gives it greater control over workloads and user access, a centralized model is the more practical choice. A decentralized model may be harder to implement and maintain, but it offers benefits in redundancy and, as the list above shows, in security ownership and awareness across the business.
If you want more information on security program architecture and how to design a program that fits your unique business needs, contact one of our industry experts for a consultation.
K logix leverages its deep network of CISO leaders and broad experience with customers across all verticals to deliver relevant, analysis-backed consulting services. K logix can help strengthen and mature your security program through strategic, business-focused consulting. Drop us a line for more information on how we can work together to strengthen your program.