Security Culture Matters when IT is Decentralized

Decentralized structures can give organizations powerful agility and speed up the deployment of new technologies. But the cost of decentralization is that it’s hard to ensure decisions are made consistently and with all the right considerations in mind—which is a very real problem when it comes to security. Fifty-six percent of CISOs in EY’s 2021 Global Information Security Survey said their teams are consulted late or not at all when company leaders make time-sensitive strategic decisions. More than a quarter (27%) said that, at least to some extent, the speed of technology rollouts prevents suitable cybersecurity involvement.

This puts CISOs and their security teams in a tough spot. On the one hand, they’re accountable to protect the organization against cyber harms, and the attack surface keeps growing. On the other, if they become an impediment to flexibility and responsiveness, they risk creating internal rifts between security and the business.

Fortunately, there are three steps enterprise IT security teams can take to protect the enterprise in a decentralized IT context: 1) create a security culture and proactively seek visibility into solutions being procured; 2) build in detection and response technologies wherever possible; and 3) have a formalized incident response plan for dealing with threats when they occur.

1. Create a security culture—and seek visibility

Decentralized IT combined with a “we need it yesterday” mindset can result in technology procurements that overlook security. There’s also the risk of shadow IT, which can’t be addressed just by banning unauthorized apps and devices: when people are sufficiently motivated, they find a way to work around prohibitions.

The key is for IT security teams to cultivate an enterprise security culture so that all players at every level consider security and understand their specific role in assuring it. This requires widespread education: training for Board members, executives, and senior management in data protection, regulatory compliance, risk management, and more; and for staff about threats they may not be aware of, such as the perils of public WiFi. It also requires some degree of ‘translation’—converting technical IT security concepts into plain-language explanations that help non-technical audiences understand the potential impacts for the business.

When thinking about security becomes a company-wide reflex, people are more likely to seek IT input as they make decisions about apps, devices, and other solutions. Even so, IT teams need to reach out proactively and continuously across the organization to gain visibility as early as possible into procurement processes so they can have a say.

2. Build in sensors and blocking technologies

Many organizations with decentralized structures are also distributed geographically. That means their networks and data are distributed as well, usually involving cloud solutions and software-as-a-service (SaaS) applications.

These kinds of environments need a holistic, risk-based security approach such as Secure Access Service Edge (SASE), which combines security capabilities from Zero Trust Network Access (ZTNA) controls, secure web gateway (SWG) devices, and cloud access security brokers (CASBs) that provide advanced, agentless data-loss prevention.

Sensors deployed throughout the network help generate user profiles and determine different points and levels of organizational risk. Tuned to those risks, ZTNA can be used to control access to enterprise-owned resources, with SWGs blocking inbound and outbound web traffic and CASBs enforcing limits on the actions individual users can perform inside specific applications.



Source link