Security Resources: Don’t Put All Your Eggs in One Basket

Why Centralizing Enterprise Security Resources is Not a Great Idea

One of my favorite proverbs advises: Don’t put all your eggs in one basket. The spirit of this proverb is that one should not risk everything on the success of one particular venture. This is a life lesson that some people learn better than others. Even more interesting to me than who learns this lesson is to which domains people are most apt to apply this lesson. What do I mean by that? Allow me to explain.

In matters of finance, for one, people are quite accustomed to applying the advice of this proverb. For example, a strategy based upon investing all of our available savings into one particular stock would seem silly, foolish, or even downright naive. Unfortunately, when we look around the security domain, it does not appear that many people have internalized this lesson. Furthermore, we as a community are a long way from applying this advice.

There are many examples from our field where it is common practice to put all of our eggs in one basket. In this piece, I’d like to focus on one particular area I see organizations struggling with continually. What area is that you ask? The physical location of the team.

As I’ve discussed in this piece, this piece, and elsewhere, the analyst is the scarcest resource in the overall security challenge for a number of reasons. The scarcity is more general than just the analyst, though. All human resources, including the right leadership, are incredibly scarce in our field today. Finding the right people is extremely critical to the success of a program, and yet, it is one of the biggest challenges organizations face. Worse yet, it does not look like relief to ease the pressure in finding personnel is anywhere in sight.

Given this, you’ll understand why one particular obsession and focus that many organizations have puzzles me: their own corporate headquarters. It’s amazing to me how many organizations consider their headquarters to be a magical place at the center of the universe. This may be true for certain core business functions, of course. But, if security is not one of an organization’s core business functions, then the corporate headquarters logic would seem to break down.

There is nothing magical about the corporate headquarters location per se. A security program could blossom just as well outside of the core of the organization. I would even go a bit further and say that, in certain situations, the security organization *should* not be tied solely or anchored to the corporate headquarters. How can I possibly make such a radical statement that goes against the prevailing conventional wisdom of the day?

Let’s take look at some reasons why centralizing security resources is not a great idea:

● Business is global: It should come as a surprise to no one that business is global nowadays. The chance of having a serious security incident 12 time zones away while you’re barbecuing on the weekend is quite real. If you’ve centralized all of your security resources, you will have a far more difficult time handling the incident than if you’ve strategically placed security resources around the globe.

● Recruiting is hard: It’s no secret that recruiting qualified, talented security professionals is extremely difficult. It could be that your corporate headquarters is located in an area that is extremely competitive for talent. For example, in the San Francisco Bay Area of California, it is estimated that there are two positions open for every qualified professional. Or, perhaps your corporate headquarters is located in an area where it is difficult to find or attract the necessary security talent. In either case, it may make sense to think about distributing your security team in a few different places where it both suits the business strategically and talent is available. For example, there are a small number of information security “centers of gravity” that are emerging around the world. These places provide both highly qualified, highly analytical professionals and the peer-group those professionals need to thrive.

● Natural disasters: We are technologically advanced as a society, but we still cannot control nature. Centralizing all of the organization’s security resources in one area makes the entire security posture of the organization vulnerable to natural disasters.

● Technical issues: They don’t happen very often, but power outages, network failures, and other sorts of technical issues still occur. Having to tell the board that the team is stalled on the investigation of the high priority incident du jour because of a network outage is not a fun conversation.

● The earth rotates continuously: Like it or not, the earth’s rotation means it will always be night somewhere. Think finding good security people is hard? Try finding them and then telling them you want them to work odd hours, including nights and weekends. That is not likely to be a successful conversation.

● Groupthink: Worried about groupthink? Try building a global security organization that brings in education, knowledge, and perspectives from around the world. This is very helpful in combating groupthink in my experience.

● Diversity: Everyone talks about diversity being important. Often we think about diversity in times of race, religion, gender, or otherwise. I would argue that diversity in location and national origin is also important.

● Relationships are important: It is true that relationships are important, and of course, there is value in the relationships at corporate headquarters as well. But I would remind the reader that business is global and people are increasingly virtual and/or continually on the go. Those relationships are also important, and quite often critical to the success of the security organization. It makes sense not to ignore them.

Perhaps I see the world a bit differently than some, but I have a hard time understanding conventional wisdom. I don’t see the value of centralizing a security organization at corporate headquarters for all organizations. Attackers can attack us across our global enterprises from anywhere in the world. So why should we focus solely on defending the global enterprise from one corner of the world? As security professionals, we often advise people not to put all their eggs in one basket. Shouldn’t we follow our own advice?