Finding the right way to approach cybersecurity in a decentralized organization with several business units requires both optimizing the business model (i.e., reducing repetitive roles and tasks) and enabling independent business lines to innovate and stay
nimble. This piece explains how a service-oriented architecture can let a security operation straddle the line between centralization and decentralization effectively, while retaining visibility and control over the essential
elements of the program.
Decentralized Security Issues
As organizations experiment with decentralization in an effort to drive more independent and agile business units, security remains a challenge. When security is segregated across business lines, it may sharpen each security team's focus on the
business it supports. However, it can also lead to inconsistency across businesses and weaken governance from a higher-level perspective. Additionally, it can cause inefficiencies because the same tasks and issues are duplicated, and institutional
On the other hand, a centralized security organization may face "political" distance from the business units, which may perceive it as overbearing, lacking context for the specific line of business's needs, or slow to respond.
Centralized Security Service-Oriented Model
To deploy security effectively in a decentralized organization, a combination of decentralization concepts and centralized oversight is required. The central security organization should operate on a service-oriented model, effectively offering
its services as if it were an MSSP. To do this:
- Clearly identify and document the main security functions the business lines require, including the expected results from each one. Whether technical (such as deploying and managing security software), governance (such as compliance and
audit) or operational (such as delivering monitoring and response services), all functions must be included.
- Provide each function with a dedicated team to support it: This should include all aspects of the service, as if it were being offered to an external customer. Notably, you will need functions that go beyond the engineering/technical portions of
the service to include service-oriented roles such as project management, people management and, at times, even customer service. This helps ensure the businesses consuming such functions are treated individually, rather than bundled under a singular
deployment approach, which tends to lose the granularity needed to address each business’ specific needs.
- Organize by service function: Typically, centralized service-oriented security organizations have three or four departments:
  - Engineering, which provides functions such as application security, penetration testing, product deployment and management.
  - Operations, which includes SOC, incident response and threat hunting.
  - GRC, which provides oversight functions for audit, compliance, policy and regulations.
  - Program management, which delivers project management across all other departments, as well as customer service.
The leadership of each of those functions operates closely with one another and with the CISO, so all service offerings are constantly tuned and measured through delivery to the businesses and coordination with the technical functions in the businesses.
Centralized Security Challenges
Bearing in mind the central security function provides the “tone” for how security should be deployed and practiced across all business lines, security leadership should continuously evaluate whether a localized security function in some businesses
For larger or more complex businesses, having local security team representation (whether it is just a security leader, e.g., a BISO, or a team under them covering security engineering, operations
or a combination of those) provides an effective means of scaling the service-oriented approach to such business lines.
Larger or more complex businesses will also tend to consume more attention and bandwidth from the centralized team, which can reduce efficiency across the board. It is the centralized security leader's job to identify the tipping point at which a
localized security team makes sense, and then to identify potential leaders in advance so they can be promoted into that function.
Another caveat to watch for is inefficiency across similar functions within the centralized security organization. The delineation of services such as EDR, network security and incident response will be unique to each organization, and it must
be defined clearly.
In some cases, these services are best offered under the same organizational unit; in others they should be separated. It depends on the specific organizational culture, the hierarchy and structure of other technical teams, and sometimes
even internal politics.
Tips for Centralized Service-Oriented Security
Centralizing security within a distributed organization can work well and promote efficiencies across the organization. To improve your chances of success:
- Define your services carefully: Defining the specific services offered through the central security team is a crucial first step for an effective transition from segregated teams.
- Communicate clearly: Constant and clear communications around what the offerings are, what to expect from them, what the requirements from the business lines are, and how the interactions are going to occur are key to ensuring the success of a
centralized organizational structure for security.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.