惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

爱范儿
爱范儿
P
Palo Alto Networks Blog
月光博客
月光博客
H
Hackread – Cybersecurity News, Data Breaches, AI and More
I
InfoQ
aimingoo的专栏
aimingoo的专栏
腾讯CDC
T
Threatpost
D
DataBreaches.Net
Vercel News
Vercel News
F
Fortinet All Blogs
Engineering at Meta
Engineering at Meta
C
Cybersecurity and Infrastructure Security Agency CISA
Forbes - Security
Forbes - Security
U
Unit 42
C
Check Point Blog
Blog — PlanetScale
Blog — PlanetScale
O
OpenAI News
量子位
TaoSecurity Blog
TaoSecurity Blog
Microsoft Azure Blog
Microsoft Azure Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
V
Visual Studio Blog
Recorded Future
Recorded Future
云风的 BLOG
云风的 BLOG
Security Archives - TechRepublic
Security Archives - TechRepublic
The Last Watchdog
The Last Watchdog
S
Security Affairs
Attack and Defense Labs
Attack and Defense Labs
罗磊的独立博客
Stack Overflow Blog
Stack Overflow Blog
Microsoft Security Blog
Microsoft Security Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
V2EX
小众软件
小众软件
S
SegmentFault 最新的问题
www.infosecurity-magazine.com
www.infosecurity-magazine.com
W
WeLiveSecurity
AI
AI
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 聂微东
I
Intezer
Know Your Adversary
Know Your Adversary
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Proofpoint News Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The Cloudflare Blog
博客园_首页
NISL@THU
NISL@THU
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Opinion

Op-Ed: Microsoft’s July Patch Tuesday reveals 622 vulnerabilities Op-Ed: The transaction was legitimate; the crime was hidden in the system Op-Ed: Why CISOs are drowning in alerts but missing the real threat Op-Ed: The reality of data-centric security and attribute-based access control Op-Ed: Australia’s cyber law is stuck in the past – the Slay Review is our chance to fix it Australian federal budget 2026: The industry perspective Op-Ed: Redefining performance in the AI-powered SOC Op-Ed: AI won’t patch the holes in your SOC Op-Ed: Australia inspired the EU’s online age restrictions, now it’s time for us to learn from them Op-Ed: Microsoft April Patch Tuesday reveals 167 vulnerabilities The industry speaks: World Identity Management Day 2026 Op-Ed: Why zero trust for OT should start at the boundary, not the boiler room The industry speaks: World Cloud Security Day 2026 The industry speaks: World Backup Day 2026 Op-Ed: Information sharing of cyber threats vital to national security Op-Ed: Building secure foundations for AI in the cloud Op-Ed: AI isn’t the threat, poor design is Op-Ed: Why Australia’s schools are becoming strategic targets for organised crime Op-Ed: Australia’s National AI Plan looks good on paper, but where are the teeth?
Op-Ed: Australian organisations need federated authority to stay secure at scale
2025-12-15 · via Opinion

Centralised security control is no longer fit for purpose – federated security governance is the answer.

Your security team can’t make every security decision for every business unit across your Australian enterprise. AI aims to use data across every part of the business, attack surfaces are expanding faster than budgets can keep up, and security teams must operate more efficiently amid constantly changing software environments. Simply hiring more people or buying more tools cannot address these challenges at scale.

To keep pace, organisations need to rethink how they make security decisions. The most effective shift is to move away from centralised security control and adopt federated security governance. In this operating model, CISOs set enterprise-wide risk strategy and policy, while data owners and technical teams across the organisation implement controls within their respective business units. This gives technical teams the flexibility to apply policy in ways that suit their systems while maintaining clear accountability.

You’re out of free articles for this month

To continue reading the rest of this article, please log in.

This direction aligns with what executives are already signalling. GitLab’s recent C-suite survey shows 90 per cent of leaders in Australia expect agentic AI to become the industry standard for software development within three years, yet their top concern is data privacy and security. The bottlenecks created by centralised authority will only hinder automation and innovation.

Why centralised security holds Australian businesses back

Traditional security models require CISOs to be experts across multiple business units that serve different audiences, each requiring a deep contextual understanding of the environment and its challenges. Data protection requirements, local regulations, and industry-specific compliance all introduce variations between business units.

In a federated model, technology leaders, whether from IT, engineering, or business units, have a deep understanding of the nuances of their assigned units. Their specialised knowledge helps to set a strategy that considers the right goals, technologies, workflows, and risks to deliver three immediate benefits that a centralised security authority can’t match:

Context-aware security oversight minimises friction and churn. Security decisions happen faster because they’re made closer to the action. Service and application owners already have the context and expertise to make optimal decisions within their scope of responsibility. Delegated authority allows companies to seize market opportunities, deploy new tools, manage fewer escalations, and reduce unnecessary friction or delays.

Flexible policies help teams adopt and benefit from emerging technologies. When governance cascades, security teams can evaluate how a new technology’s attack surface affects their business unit’s unique risk profile and set policies that define security boundaries based on data classifications and regulatory constraints. CISOs can establish broad organisational standards for a technology’s adoption, but their technical partners in the business ultimately own their unit’s implementation. The partnership approach ensures policies strike the right balance for productive adoption and avoid overly strict or broad security controls.

Scalable security authority accommodates organisational growth. Acquisitions, new product launches, or geographic expansions necessitate security teams to assume new workloads and specialised expertise. Properly balancing what to centralise and what to federate enables scale. Under careful policy governance, identity and data governance are domains in security that federate well with centralised technology platforms. Business units can realise the velocity benefits by having the autonomy to manage, delegate, and provision access to their services and capabilities.

Making the cultural shift work

For organisations prone to silos, rigidity, and top-down command-and-control cultures, adopting a federated model won’t be easy. The shift requires shared security ownership, with security leaders working as peers to ensure the adoption of new policies and frameworks goes smoothly. CISOs must establish standards and policies that account for the velocity and runtime operational realities of modern technology stacks if they want business units to adopt, not just be forced to comply with, security governance. Implementation partners must ensure their control structures are appropriate for the policy associated with their data classification.

In practice, that might look like a CISO setting data classification standards, while partner teams are responsible for implementing these standards as low-friction security policies and capabilities at the source of record for the data. Netflix’s security team is largely credited with pioneering the “Paved Roads” philosophy, achieving policy adoption success by building secure options that meet policy guidelines and making them the easiest ones for developers to use.

Outside of engineering, organisation-wide standards also need to offer flexibility and avoid becoming overly specific or narrow, so they remain relevant to each business unit. Self-service risk exception processes allow for special circumstances that consider the business context and impact, so security doesn’t unnecessarily hinder business unit functions.

The investment case for federation

As the role of the CISO continues to expand beyond its traditional scope, security investments are being judged not only on how well they reduce risk but also on how effectively they support broader business goals. Every dollar now needs to demonstrate measurable risk mitigation. Federation gives CISOs a more nuanced view of risk across business units, enabling them to drive outcomes that benefit the whole organisation.

As AI systems become more autonomous and deeply embedded in operations, the attack surfaces they create will quickly outpace the capacity of any centralised team to manage. For Australian enterprises, federation is not a future ambition but an operational requirement. It will reshape how organisations structure their teams, allocate budgets, and deliver security at scale.

For large, digitally complex businesses, the real advantage will come from how quickly they adopt federated authority and build a more collaborative security culture to support it. Organisations that embrace this shift early will be best placed to stay resilient, competitive, and trusted as AI-driven systems continue to expand.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.

Tags: