Information Security leadership has been, and will likely continue to be, part politicking, part sales, part marketing, and part security. As anyone who has been a security leader or CISO in their job history can attest, issuing edicts to the business is as easy as it is fruitless; getting positive results in all but the most strictly regulated environments is nearly impossible. In highly centralized organizations, at least, the CISO stands a chance, since the organization likely has common goals, processes, and capital spending models. When you get to an organization that operates in a highly distributed and decentralized manner, the task of keeping pace on security grows to epic proportions.
As I was performing a recent ISO 27002 controls audit against one of these highly decentralized organizations, the magnitude of their challenge really hit me. While the specific industry is relevant to this example, I can simply say that they are in the business of making, testing and selling stuff. Parts of their business make things. Parts of their business test things. And parts of their business sell both the things the other parts make and the testing they do, for various use-cases. Some of the business is heavily regulated. Some of the business isn't regulated at all. All of the enterprise is connected via a single network, with centralized IT services, applications and management. I could stop right here and you'd understand why making security universally applicable here is nearly impossible.
What makes this even more difficult for the security organization is that their core team is exactly .04% of the overall company staff. Their full staff complement, including recently hired new members, is less than 5% of the total IT staff count. The security device-to-staffer ratio is horrible, their budget is insignificant, and for all intents and purposes the security function is relatively new when compared against the rest of the enterprise. I'm not a statistician, or particularly good at math, but even I know those numbers don't work out well.
Security in the enterprise is largely about building and operationalizing repeatable patterns of process and methodology to achieve scale. This works well even in very large, but very centralized and uniform, enterprises. The problem is that in enterprises that are extremely diverse in business practices, technologies, goals, and compliance initiatives, repeatable patterns fail to scale well, since you end up building a new, unique set for every different piece of the organization.
In this situation the only chance enterprise security has is local representation from inside the business. Generally, though, in my experience you're not going to find many security experts within these businesses that have "an IT guy/gal" or three. The situation just keeps getting worse.
Think about this: from an operating platforms perspective you may have some OS/2, lots of UNIX variants, Mac OS, Windows from WinNT 4.0 through Windows 8.1, and then some device-specific platforms like VxWorks. If you're lucky all you have is Ethernet (Category 5/6) cabling and nothing else... Now add specialized programs, PLCs, Industrial Control Systems (ICS), and it gets messy fast.
At this point it almost doesn't matter how many security resources you have; the only way you'll scale is automation.
Sometimes things become a chicken-and-egg problem. In order to scale better with fewer resources, your security organization clearly needs more automation. The problem with more automation is that it tends to create the need for more security resources to manage it (you don't actually believe the marketing or sales hype that these things manage themselves, do you?) before you get effective scale. Either way, you don't have the people to do this.
Bad, Meet Worse
Where things go from bad to untenable is when business alignment and cooperation aren't ideal. As in real life, not all business units will be friendly or even want to deal with "corporate". In that case you're not only facing the impossible challenge of addressing the business's security issues, but now you're fighting against politics as well. Sometimes you just cannot win.
If you factor in that security generally isn't the most loved part of the IT organization, because of its history of being "the no people", you quickly realize that the deck is heavily stacked against you. There are certainly ample opportunities to trip on your own untied shoelaces and fall flat on your face. The key to not doing this lies in a multi-step process which includes assessment, prioritization, buy-in, and effective operationalization.
Steering the Titanic by Committee
As the CISO or security leader of a highly decentralized enterprise, you're not going to get many wins that come easily. You're probably not going to do a very good job at preventing and preempting that next breach. Heck, you may not even be able to detect or respond in a timely fashion. But the key to not failing as hard is to not go at it alone. Even if you have a centralized security team of 100+, you're still going to fall prey to these same challenges. You need support from the various edge-cases in your enterprise structure. You need help from your corporate counterparts, and from your outliers.
Cooperatively working towards better security is hard. It may be an order of magnitude harder than anything else you can do from a central control model - but if that's the only operating model available to you, then it's time to make lemonade. In the next few posts I'll try to apply some of the lessons learned and recommendations from a series of these types of engagements. Maybe some of them will help you make better lemonade. Or figure out when it's time to move to a new lemonade stand.