Information security organizations at large enterprise companies are increasingly debating the merits of running centralized or decentralized information security programs. This is an issue for global companies, healthcare conglomerates, umbrella organizations that manage several brands, and even large university systems that have traditionally given autonomy to departments and schools.
TODAY’S REALITY
Today, most CISOs work in hybrid decentralized organizations where business departments have autonomy over specific solutions that help meet their business goals, but operational functions, such as HR and IT, work within a centralized model.
For example, within a large healthcare system, hospitals and healthcare providers may make their own strategic business decisions, but IT functions, including hardware and platform decisions, are standard across the system. The fact is, information security needs to be involved in all aspects of business and risk management, and therefore IS needs to have a strong presence in every part of the organization, even in highly distributed environments like healthcare systems. Therefore, a completely centralized model that works for the IT organization may not work for information security.
Many CISOs have created centralized information security teams that work well within their decentralized organizations. These CISOs leverage informal partnerships, such as Security Ambassadors, to ensure security is represented all the time. Security Ambassadors are non-technical employees outside of the IS team who are trained and deputized to be the security advocate for their part of the organization. These programs allow centralized information security teams to succeed in decentralized businesses. Corey Scott, the CISO of LinkedIn, created a Security Champions program to foster inclusion and commitment from outside of the security team.
THE TOUGH QUESTION
The real question for CISOs is how decentralized organizations can manage and respond to risks, and if risk can be effectively mitigated with a centralized security approach.
When decisions about risk are made at the organizational level in a centralized model, all risk is more easily understood, defined and measured. Yet, this approach also requires that all parts of the enterprise meet a single set of standards, which can be clunky and cumbersome, and sometimes stifle innovation unnecessarily.
Audry Agle, who was previously CISO at First American Corporation and is now at Black Knight Financial Services, wrote about the benefits of managing risk in a decentralized environment at CSO Online. She wrote that in a decentralized approach each business unit takes responsibility for its own program. “As [each business unit] will develop their own policies and standards, they are far more likely to embrace the program, assign the necessary resources to it, and fully implement. Rather than having a generic set of policies that can apply across the organization, this model has the advantage of producing policies that are aligned with each unit’s specific business model. Further, the business unit can act autonomously, and thus theoretically more efficiently when policy changes or incident investigations are necessary.”
While ownership and understanding are potential benefits of the decentralized model, new risks and challenges also arise as a result of the approach. For example, when risk is managed via a decentralized model, careful communication and planning are needed to ensure risks are not transferred from one organization to another without awareness or consent.
5 Benefits of a Decentralized Security Model
1 - Employees take greater ownership of risk
2 - More awareness of information security company-wide
3 - Can enable faster innovation
4 - Greater autonomy to achieve business goals
5 - Information security is embedded within each department
And 5 Challenges
1 - No consistency across the organization
2 - Requires stronger and more consistent communication
3 - Risk can be overlooked or mischaracterized
4 - Still requires strong central support and guidance
5 - Requires more staff
Defining Decentralized and Centralized Governance
Bob Turner, the CISO at the University of Wisconsin-Madison, shared a presentation on SlideShare that provides a good definition of the difference between centralized and decentralized approaches to organizational structure.
In Turner’s description of a decentralized organization, “authority, responsibility and decision-making are delegated to individual groups and teams.” He writes that teams establish their own standards, policies and guidelines, and they manage their own cybersecurity risk based on their business strategies. Coordination and communication are necessary amongst subordinate groups, especially to manage and transfer cybersecurity risk.
Conversely, according to Turner, centralized governance includes, “single threaded authority, responsibility and decision making power.” Centralized governance involves the entire enterprise in the development and implementation of risk management and cyber security strategies.
K logix leverages our deep network of CISO leaders, and broad experience working with customers in all verticals, to deliver relevant, analysis-backed consulting services to our customers. K logix can help strengthen and mature your security program through strategic business-focused consulting services. Drop us a line for more information on how we can work together to strengthen your program.