You would think we would have matured enough as a security industry that there would be a consensus on this topic. However, we are not even close, mainly due to bureaucracy and politics. So let's survey the land of failed justifications.

"We're so big we have to be decentralized"

Nothing says that centralized security requires everyone to be in one physical location. You can have people local to your sites all over the world and still have them report into a single organization.

"Our business unit is so different we need our own team"

This argument can often be valid for IT services, which require customization and agility. It is rarely the case for security. Just because a particular business may require a different policy or higher standards doesn't mean it should go rogue. The overall marching orders need to be coordinated; otherwise you end up with gaps in visibility, protection, compliance, etc.

"This is the way we have always done it here"

This is by far the weakest ...