Industry View

Centralizing Enterprise Security Operations and Management

Jeff Ahlerich of Looking Glass Systems looks at transcending the politics

By Jeff Ahlerich, Looking Glass Systems

October 09, 2008 — CSO — Fulfilling the risk management and regulatory compliance obligations with consistency in today's vastly disparate and complex IT enterprise environments has challenged CIO's to rethink the approach to operating their security posture. Internally consolidating and centralizing Information Security management functions has become a popular model for better combating what has become a relentless onslaught of vulnerabilities, and those who seek to exploit them for profit. Whether it's an "Army of One" position in a two hundred seat company, or a team of a dozen Security Analysts staffing a 24x7x365 SOC facility protecting a 200,000 seat, globally networked organization; The constant barrage of cyber threats today demands a well orchestrated, diligently maintained, and extremely nimble posture. It is no longer sensible to simply farm out security responsibilities to distributed system administrators and "hope for the best". Disparately applied processes, unilateral prioritizations, and daunting system administrator workloads, lead to an uneven (and oftentimes negligent) execution of security measures across the enterprise.

For example, you may have a Systems Administrator (Paul) in the Seattle Sales and Marketing branch office. Paul allocates ample time to monitor for and address security issues that develop within his environment; he is diligent in his approach and is not too overwhelmed with his regular duties to dedicate time to security related matters. Then you have the more typical Systems Administrator (David) in Denver's Operation Center. David, by no fault of his own is understaffed, overwhelmed, and simply doesn't dedicate much time to maintaining his network segments security posture. In each case, neither Paul nor David is specialized in the field of Information Security. This is a major problem in and of itself of course (like a general practice physician treating a broken leg; he can maybe get the job done but it's not what he's been trained to do). The bigger trouble with approaching Enterprise Security Management in this fashion is the inevitable neglect and inconsistencies that are bound to occur as a result.

This issue is among the principal reasons why consolidating security operations within the enterprise makes a great deal of sense. However, while on paper the ROI, TCO, and operational efficiency gains calculus make centralization a fairly simple and straightforward justification process, in practice many organizations that have adopted and implemented the model fail to realize the grand vision or yield the improvements that the IT security centralization models promised to deliver in the first place.

Diverse Stakeholders and Predictable Opposition
There is obviously no single reason for a centralized security initiative to fail on its promises. We can point to the multitude of usual suspects as potential culprits; poor integration of disparate security systems, overly complex or poorly designed and implemented infrastructure, deficiently trained or outright unqualified Analysts, or simply too much poorly correlated event data with not enough automation and/or manpower to sort through it. All of these issues are valid and absolutely do contribute to failed or ineffectual implementations of the model. However, let's turn the spotlight onto a root cause that is oftentimes overlooked and under analyzed — Enterprise IT politics and concept opposition.