Risk Management
Security Culture Matters when IT is Decentralized
Decentralization can make enterprises more agile but it also makes IT and network security more complex. Creating a strong security culture, deploying the right tools, and defining an incident response plan are key to keeping the business protected.
Decentralized structures can give organizations powerful agility and speed up the deployment of new technologies. But the cost of decentralization is that it’s hard to ensure decisions are made consistently and with all the right considerations in mind—which is a very real problem when it comes to security. Fifty-six percent of CISOs in EY’s 2021 Global Information Security Survey said their teams are consulted late or not at all when company leaders make time-sensitive strategic decisions. More than a quarter (27%) said that, at least to some extent, the speed of technology rollouts prevents suitable cybersecurity involvement.
This puts CISOs and their security teams in a tough spot. On the one hand, they’re accountable to protect the organization against cyber harms, and the attack surface keeps growing. On the other, if they become an impediment to flexibility and responsiveness, they risk creating internal rifts between security and the business.
Fortunately, there are three steps enterprise IT security teams can take to protect the enterprise in a decentralized IT context: 1) create a security culture and proactively seek visibility into solutions being procured; 2) build in detection and response technologies wherever possible; and 3) have a formalized incident response plan for dealing with threats when they occur.
1. Create a security culture—and seek visibility
Decentralized IT combined with a “we need it yesterday” mindset can result in technology procurements that overlook security. There’s also the risk of shadow IT, which can’t be addressed just by banning unauthorized apps and devices: when people are sufficiently motivated, they find a way to work around prohibitions.
The key is for IT security teams to cultivate an enterprise security culture so that all players at every level consider security and understand their specific role in assuring it. This requires widespread education: training for Board members, executives, and senior management in data protection, regulatory compliance, risk management, and more; and for staff about threats they may not be aware of, such as the perils of public WiFi. It also requires some degree of ‘translation’—converting technical IT security concepts into plain-language explanations that help non-technical audiences understand the potential impacts for the business.
When thinking about security becomes a company-wide reflex, people are more likely to seek IT input as they make decisions about apps, devices, and other solutions. Even so, IT teams need to reach out proactively and continuously across the organization to gain visibility as early as possible into procurement processes so they can have a say.
2. Build in sensors and blocking technologies
Many organizations with decentralized structures are also distributed geographically. That means their networks and data are distributed as well, usually involving cloud solutions and software-as-a-service (SaaS) applications.
These kinds of environments need a holistic, risk-based security approach such as Secure Access Service Edge (SASE), which combines security capabilities from Zero Trust Network Access (ZTNA) controls, secure web gateway (SWG) devices, and cloud access security brokers (CASBs) that provide advanced, agentless data-loss prevention.
Sensors deployed throughout the network help generate user profiles and determine different points and levels of organizational risk. Tuned to those risks, ZTNA can be used to control access to enterprise-owned resources, with SWGs blocking inbound and outbound web traffic and CASBs enforcing limits on the actions individual users can perform inside specific applications.
Since not all threats originate at network endpoints – web apps and email are the top two breached vectors according to Verizon – it’s important for sensors and mitigation tools to reach beyond endpoints as well. Extended detection and response (XDR) technologies fill gaps left open by endpoint detection and response (EDR). XDR collects and correlates deep threat from network, cloud, servers, email, and users to determine how a threat communicates and travels through the network and what’s been accessed, by whom and when to surface fewer but higher-fidelity alerts.
Coupled with a strong security culture, having the right automated tools in place to detect, respond, and remediate threats provide comprehensive protection for decentralized and distributed organizations. The last piece of the puzzle is having a clear, shared plan for how to respond when breaches do occur.
3. Establish a formalized response plan
Experiencing a cyberattack is no longer an if, but when due to the fast-evolving sophistication of threats and ever-expanding attack surface. A July 2022 SecureLink/Ponemon Institute report found that more than 50% of organizations said they had experienced a cyberattack within the past 12 months. Yet 63% of C-level executives in the U.S. responding to a different survey said their organization didn’t have an incident response plan.
An incident response plan is a defined set of policies and procedures that get put into action when cyberattacks occur. Its goal should be to constrain the impact of an attack as much as possible, spell out the recovery steps involved, and identify how to analyze what caused the breach so that security systems can be fine-tuned to resist similar attacks in future.
In decentralized organizations, having incident response plans captured in a playbook that IT security teams anywhere can refer to helps bring consistency to how incidents are addressed and provides a feedback loop that benefits the organization as a whole. The process of creating a playbook can help expose security gaps—especially in decentralized and distributed organizations—to strengthen the security posture overall.
Download Trend Micro’s Incident Response Services & Playbooks Guide
Technology and process reinforce the security culture
The appeal of decentralization seems to ebb and flow over time. As long as 15 years ago, a post in the Pratum blog noted: “It happens every 3-5 years, especially at larger organizations... the switch from a centralized approach to IT and information security to a de-centralized approach.”
For enterprises on the decentralization swing of the pendulum, the good news is there are practical steps that can be taken to mitigate the risks in today’s highly complex and pressured cybersecurity environment. The fundamental principle is “communicate more”. If IT teams can’t expect to be the gatekeepers of technology procurement processes, they can still inform them effectively by raising overall awareness of the importance of security and maintaining active ties with groups across the business to understand emerging needs and contribute to how they get met.
With a solid security culture at the foundation, even enterprises that have decentralized IT structures can take full advantage of the holistic security technologies available today—like SASE and XDR—to defend against threats, backed up by well-defined and continuously improved incident response plans for the whole organization to follow.
Next steps
Learn more about IT security in decentralized environments by checking out these Trend Micro resources:
- Incident Response Services & Playbooks Guide
- Guide to Better Threat Detection and Response
- What’s the Best Way to “Get the Word Out” on Cyber Risk? Video hosted by Trend Micro VP of Cybersecurity, Greg Young