
Get with the times, decentralized security is so 2000 and late

You would think we would have matured enough as a security industry that there would be a consensus on this topic. However, we are not even close, mainly due to bureaucracy and politics. So let's survey the land of failed justifications.

"We're so big we have to be decentralized"

There is nothing that states centralized security means physical separation. You can have people local to your sites all over the world and still report into a single organization.

"Our business unit is so different we need our own team"

This argument can often be valid for IT services which require customization and agility. This is rarely the case for security. Just because a particular business may require a different policy or higher standards doesn't mean it should be rogue. The overall marching orders need to be coordinated, otherwise you end up with gaps in visibility, protection, compliance, etc.

"This is the way we have always done it here"

This is by far the weakest thing I've ever heard. I almost think it's purely a justification to hand out C-level titles. News flash: if your organization has more than one CISO, you're probably not that good at IT or security. You have to ask yourself whether they are even qualified for that position, or whether you have a bunch of climbers looking for a security bullet point on their resume.

Now I'm not completely blind to the fact that the separation is often done for real reasons, unlike the horrible ones given above. Legal restrictions may sometimes prevent data from leaving a particular country or mandate particular requirements. However, I'm not aware of any law anywhere stating that your IT security goals and objectives can't come from a centralized structure. If there is one, please provide me with the source. Another valid reason that often arises is mergers and acquisitions. It's quite common that a newly acquired organization is not fully integrated yet. There is also the case where, strategically, you want to keep it separate so you can divest it much more quickly.

For me though, it's important to understand that your entire organization is fighting the adversary together. You fail and succeed as an entire company, not as a business unit. While an enclave or silo may have world class security practices, they are only as strong as the weakest link. At some point there is a trusted process or network connection to another unit that may not have such good security. This doesn't mean that all security personnel need to be located at the corporate mothership. It simply means you need a common understanding of how to handle security incidents, architect your network and implement better security controls. If you look around and you see a lot of dotted lines and CISOs on your org chart, that's a pretty good sign that your security efforts are disjointed, taking on too much, and doing nothing really well.
