You would think we would have matured enough as a security industry that there would be a consensus on this topic. However we are not even close, mainly due to bureaucracy and politics. So lets survey the land of failed justifications.
"Were so big we have to be decentralized"
There is nothing that states centralized security means physical separation. You can have people local to your sites all over the world and still report into a single organization.
"Our business unit is so different we need our own team"
This argument often can be valid for IT services which require customization and agility. This is rarely the case for security. Just because a particular business may require a different policy or higher standards doesn't mean they should be rogue. The overall marching orders need to be coordinated otherwise you end up having gaps in visibility, protection, compliance, etc.
"This is the way we have always done it here"
This is by far the weakest thing I've ever heard. I almost think its purely a justification to hand out C-level titles. News flash, if your organization has more then 1 CISO your probably not that good at IT or Security. You have to ask yourself are they even qualified for that position or do you have a bunch of climbers looking for a security bullet point in their resume.
Now I'm not completely blind to the fact the separation is often done for real reasons, unlike the horrible ones given above. Legal restrictions sometimes may prevent data from leaving a particular country or mandating particular requirements. However I'm not aware of any law anywhere stating that your IT security goals and objectives can't come from a centralized structure. If there is one, please provide me with the source. Another valid reason that often arises is due to mergers and acquisitions. Its quite common due to being a new acquisition, that an organization may not be fully integrated yet. Or even the case that strategically you want to keep it separate so you can divest it much quicker.
For me though, its important to understand that your entire organization is fighting the adversary together. You fail and succeed as an entire company, not as a business unit. While an enclave or silo may have world class security practices, they are only as strong as the weakest link. At some point there is a trusted process or network connection for another unit that may not have such good security. This doesn't mean that all security personnel need to be located at the corporate mothership. It simply means you need a common understanding of how to handle security incidents, architect your network and implement better security controls. If you look around and you see a lot of dotted lines and CISOs on your org chart, that's a pretty good sign that your security efforts are disjointed, taking on too much, and doing nothing really well.
"Were so big we have to be decentralized"
There is nothing that states centralized security means physical separation. You can have people local to your sites all over the world and still report into a single organization.
"Our business unit is so different we need our own team"
This argument often can be valid for IT services which require customization and agility. This is rarely the case for security. Just because a particular business may require a different policy or higher standards doesn't mean they should be rogue. The overall marching orders need to be coordinated otherwise you end up having gaps in visibility, protection, compliance, etc.
"This is the way we have always done it here"
This is by far the weakest thing I've ever heard. I almost think its purely a justification to hand out C-level titles. News flash, if your organization has more then 1 CISO your probably not that good at IT or Security. You have to ask yourself are they even qualified for that position or do you have a bunch of climbers looking for a security bullet point in their resume.
Now I'm not completely blind to the fact the separation is often done for real reasons, unlike the horrible ones given above. Legal restrictions sometimes may prevent data from leaving a particular country or mandating particular requirements. However I'm not aware of any law anywhere stating that your IT security goals and objectives can't come from a centralized structure. If there is one, please provide me with the source. Another valid reason that often arises is due to mergers and acquisitions. Its quite common due to being a new acquisition, that an organization may not be fully integrated yet. Or even the case that strategically you want to keep it separate so you can divest it much quicker.
For me though, its important to understand that your entire organization is fighting the adversary together. You fail and succeed as an entire company, not as a business unit. While an enclave or silo may have world class security practices, they are only as strong as the weakest link. At some point there is a trusted process or network connection for another unit that may not have such good security. This doesn't mean that all security personnel need to be located at the corporate mothership. It simply means you need a common understanding of how to handle security incidents, architect your network and implement better security controls. If you look around and you see a lot of dotted lines and CISOs on your org chart, that's a pretty good sign that your security efforts are disjointed, taking on too much, and doing nothing really well.
Comments
Post a Comment