Centralized vs. Decentralized Security: My Professional Take
Looking at pros and cons of a centralized vs decentralized approach to cybersecurity teams, and how in the end there is no right answer. This is a cycle and we should focus on relationships rather than hierarchies.
I attended a "lunch and learn" event featuring an established Chief Information Officer (CIO) a few years ago. The discussion centred around information security challenges in large enterprises. One of my friends, a security architect, asked: "What is the best model to manage security teams in your company? Is it better to have a single security team that manages all functions, or multiple small security teams in each department?"
"Well," he said, "these models just come and go. Sometimes a company needs to gather together and have a central pole of expertise; sometimes it's better for a business to have the resources spread around. That's a normal cycle for a business."
And then he moved on to other questions. I didn't. I was livid. I kept telling myself: "How can a distinguished IT executive give us such a cop-out answer? Doesn't he take security seriously?" At the time, I was struggling in a decentralized setting, and I really wished he could give me some solace.
I've grown. Today, I acknowledge that he was 100% right. I couldn't see the forest for the trees. I was only seeing my current pain points: the imaginary boundaries, the lack of cohesion, and the "virtual dollars" that blocked funding from team to team... But, as I keep saying, security is infinite. There is no "winning" security. You can never stop and say: "Here it is, we are secure". There are always new systems, new threats, new misconfigurations...
The same applies to business, by the way, and the CIO understood this. There is no surefire way to manage a security team. A true leader can recognize the forces at play and go with the flow: let's create an organization that fits the needs of the business and of its people for now and the near future... Leaders know the only constant is change.
That said, grasping the cyclical nature of an organization does not exempt us from understanding the benefits and tradeoffs of each management model. This is why, this week, I will look at both sides of the coin, whilst sharing my unique experience and insights. This is not the type of information you can glean in a textbook or ChatGPT, I promise.
Explain the difference between centralized and decentralized security teams (like I'm five)
Security teams in large organizations comprise various domains such as:
- Security engineering builds defence systems such as apps, development tooling, access control frameworks, networks, intrusion detection systems, etc.
- Security operations responds to incidents, investigates threats, fine-tunes security technologies, grants access to people, manages firewall rules, applies patches, etc.
- Offensive security tests the defences of the other teams like attackers would, so they can identify the flaws first.
- Governance, risk and compliance (GRC) writes the standards, ensures the systems comply with laws, and makes sure the other teams get funding.
The reality is more complex and I could spend a whole post explaining the various domains of cybersecurity. What matters here is that cybersecurity requires many complementary skills that need to work together to achieve some level of protection.
A centralized security team will join all of these domains together. They will all report to the same person, typically the Chief Information Security Officer (CISO).
A decentralized security team can be more complex. Decentralization can happen on two axes:
- Each domain reports to a different executive. For example, security engineering will report to the Chief Technology Officer (CTO); security operations, to the CIO; and GRC, to the CISO.
- Multiple departments have a security team that covers all domains.
You can even witness both decentralization models at once! Some lines of business have their own full-fledged security team, while others only have a pentest team, etc.
Now to the fun part: why does this complexity exist?
Why is decentralization today's dominant trend?
A few weeks ago, I attended a webinar for CISSPs. The speaker, VP of something-security, warned us about "Salesforce". "You may not know what Salesforce is, but let me tell you, your business has it!" Now, here's the thing: Salesforce is one of the biggest software companies in the world, a rival to Microsoft in the enterprise. How can a VP of security become so disconnected from the "real world"?
Cloud technologies put business applications in the hands of the users. Now, imagine this centralized security team, working as part of a traditional information technology organization... Becoming relevant is a steep hill to climb for security folks in that context.
The speed of innovation of cloud apps, especially in software-as-a-service, breeds decentralization. Finances, Human Resources, Accounting, Legal... all these departments can use their budget to purchase technologies away from a centralized security team that's stuck in an IT setting.
And here's the thing: all these departments understand that they deal with confidential and personal information. So they hire people for access controls, user accounts management, incident management, and compliance, and...
The core problem with centralization is accessibility. In 2023, everybody is trying to embed generative AI into their IT ecosystem. CISOs will be all over this. They will throw all their resources into nailing this spotlight project. So imagine being a customer service representative that "just" wants a mobile app or a customer data platform: "We are all hands on deck on this GPT chatbot, we can set up a pentest and compliance audit in 4 months." Of course somebody is going to get sick of this!
What about the issues with decentralization?
Why I was yearning for centralization in my story
Decentralization's main issue is inconsistency. Most organizations have silos. Since security is so horizontal, we're often the ones walking across them and noticing these discrepancies.
Absurdities can abound fast. If you get a new job and end up signing two social media policies, this is a good sign of a decentralized setting. If you have two password managers, three MFA applications, and two VPNs... you can see how quickly things can get out of hand.
But it gets worse. Decentralization creates resentment between scattered security teams. To put it bluntly: different directors value security differently. You can get people with the same job title earning different salaries. What about promotions? I have seen my fair share of security analysts competing with developers for scarce opportunities. People can even quit because they feel "painted into a corner".
A central security team can make room for more specializations, which opens up advancement pathways. It's also better at training and knowledge transfers. Camaraderie plays a big part in keeping security professionals sane.
All this to say, yes, the CIO was right. A centralized team becomes a bottleneck over time. It loses its connection to what's happening. Then people get tired of absent services. They build their own security teams. After a while, the inconsistencies create so much chaos and dissatisfaction that senior leadership, or even the CEO, puts a stop to it and merges the teams again to do some cleanup. And the cycle starts over.
What's the lesson? Don't fret over organizational structures. Whatever happens, the relationships you build as an individual will carry over. As I wrote, looking at security as an "influencers' game" transcends the org chart's labyrinths.