To centralize or decentralize? That’s the Shakespearean question many security leaders are asking themselves as they look to implement the best security operations model for their organization. While there’s no right answer, I’ve come across certain trends in my work with hundreds of companies—trends that will help point security leaders in the direction of the right security model.
Security operations do tend to centralize as organizations put more resources and capital into risk management, but most businesses have not invested in a centralized model simply because nothing has forced them to. In other words, the organization has yet to deal with a risk incident severe enough to justify a significant centralized security operations investment.
Now, with ransomware attacks up 93% in the first half of 2021 compared with the same period in 2020, even organizations that have treated security casually are beginning to weigh the risks and benefits of a centralized versus a decentralized security operations model.
In this blog, I’m going to explore each model and how it is being used in different companies and industries. Before I do, I want to be clear that neither model is inherently better than the other. What matters is that organizations, and security leaders in particular, understand what each model entails and which one best meets their needs, so that they get the strongest protection their resources can realistically support.
Decentralized security operations
As the name suggests, organizations that adopt a decentralized model have dispersed security teams that manage risks often at the local and/or regional levels. Their security operations are more self-contained and the decision-making process is kept within particular business units, often based on geographic locations. This model is often initially adopted by smaller organizations with a narrow physical footprint and less sophisticated risk operations.
A decentralized security operation consists of a distributed workforce, which includes security managers, asset protection managers, loss prevention managers and more—most of whom are focused on the regional level. While they do report critical information to senior leadership (e.g., when a risk incident occurs), there is no central function at a company’s headquarters solely responsible for security decision making. For example, should they shut down a store or office in an affected area? Most often, the response is decided and executed at the operational, local or regional level.
One advantage of a decentralized security operation is that, most of the time, policies and decisions are aligned with each business location’s specific model and needs. This means security leaders and managers in each geographical area can act independently of one another and make quick decisions in times of crisis. The trade-off is that no single team holds a view of the whole organization, so threats that cross locations can be seen late or not at all.
Take a retail clothing store for example. Its on-the-ground security team is typically responsible for what’s happening inside the building, not outside: Is anyone shoplifting? How are employees behaving? Is a customer acting violently? Because most of that team’s time is spent looking after the store’s operations, it might not be paying enough attention to threats outside of the store, including those occurring within the immediate vicinity of the building.
Security leaders and managers within a decentralized operating environment are already tasked with a myriad of duties. This is when a real-time alerting system can prove crucial. By receiving relevant, real-time alerts on what’s happening around their specific locations, security teams can more effectively gain situational awareness and communicate the risk and response plans to senior management. As a result, organizations can mitigate and respond to threats more quickly to ensure the safety of their people and assets.
Centralized security operations
The centralized approach to security operations is most often used by large enterprises and organizations with multiple locations in one country and/or worldwide. These organizations often have a dedicated, centralized team that constantly monitors all of their business locations, traveling employees and other assets.
When a threat emerges, the centralized security team receives intelligence, sometimes from the managers of the affected location, reports the threat to senior leadership and provides recommendations on which actions to take. The team then communicates the recommendations back to the regional managers so they can make the final decision. In short, the centralized security team is responsible for staying on top of every potential risk across all of its company’s locations, communicating action plans and following through until the situation is resolved.
As businesses grow, silos form, which can create a greater need for the centralization of a security operation. Centralized operations can help reduce stress levels and improve coordination among all security analysts, who see hundreds or even thousands of incident alerts every day across multiple operating markets. By adopting a centralized system, security leaders can design a more streamlined and effective workflow and communicate strategies swiftly to regional and local responders.
But a central team is also an inherent single point of failure. If the central command center is compromised, or simply taken offline, the entire business may lose its security coverage at once. This is why some organizations run more than one centralized risk function.
For example, several multinational enterprises have a centralized security operations center, or SOC—a more sophisticated operating model that allows for a stronger security posture and better visibility of potential risks—in each continent or region in which they operate. With a SOC in each region, every center can give its own region full attention while the organization as a whole retains oversight of its global operations, and the loss of any one center does not leave the company blind.
Many retailers have an expansive footprint, especially large retailers with domestic and international locations. As such, they tend to have more sophisticated risk functions and usually opt for the centralized model. The same often applies to financial services organizations, especially those with multiple bank branches and thousands of locations worldwide. The challenge is even more acute when their footprint includes areas where the risk landscape is more complex, whether due to geopolitical, social or economic factors.
How to decide: centralized or decentralized?
What are your business needs? The answer to that question should determine which model you choose.
Aside from the size and physical footprint of an organization, this decision depends heavily on the organization’s risk profile and on how much potential financial impact it is willing to tolerate. All organizations have different risk tolerances. Are you willing to invest in five to 20 full-time employees assigned to one central command center, with the responsibility of overseeing all business locations? Or are you thinking about a different way to centralize your security operations without creating a SOC? There is more than one way to cook an egg.
As I mentioned earlier, neither approach is inherently more secure than the other. Businesses in some industries are geographically concentrated while others are highly dispersed, and their security operations will differ accordingly. The biggest determining factor for whether your organization should be centralized or decentralized is the level of sophistication of your security and risk operations. The more mature and advanced they are, the more likely they are to end up centralized.
Learn more about Dataminr Pulse and how it helps enterprises like yours detect the earliest indications of high-impact events, threats and other business critical information so they can respond with speed and confidence.