惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
V2EX
大猫的无限游戏
大猫的无限游戏
腾讯CDC
博客园 - Franky
WordPress大学
WordPress大学
Jina AI
Jina AI
GbyAI
GbyAI
云风的 BLOG
云风的 BLOG
B
Blog RSS Feed
Last Week in AI
Last Week in AI
The Cloudflare Blog
V
Visual Studio Blog
P
Proofpoint News Feed
博客园 - 叶小钗
L
LangChain Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Recorded Future
Recorded Future
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
人人都是产品经理
人人都是产品经理
Y
Y Combinator Blog
罗磊的独立博客
雷峰网
雷峰网
博客园 - 【当耐特】
Microsoft Security Blog
Microsoft Security Blog
L
LINUX DO - 热门话题
Cisco Talos Blog
Cisco Talos Blog
L
Lohrmann on Cybersecurity
Martin Fowler
Martin Fowler
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Engineering at Meta
Engineering at Meta
C
Cybersecurity and Infrastructure Security Agency CISA
小众软件
小众软件
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Recent Announcements
Recent Announcements
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
宝玉的分享
宝玉的分享
D
DataBreaches.Net
T
The Exploit Database - CXSecurity.com
Vercel News
Vercel News
IT之家
IT之家
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
aimingoo的专栏
aimingoo的专栏

Opinion

Op-Ed: Microsoft’s July Patch Tuesday reveals 622 vulnerabilities Op-Ed: The transaction was legitimate; the crime was hidden in the system Op-Ed: Why CISOs are drowning in alerts but missing the real threat Op-Ed: The reality of data-centric security and attribute-based access control Op-Ed: Australia’s cyber law is stuck in the past – the Slay Review is our chance to fix it Australian federal budget 2026: The industry perspective Op-Ed: Redefining performance in the AI-powered SOC Op-Ed: AI won’t patch the holes in your SOC Op-Ed: Australia inspired the EU’s online age restrictions, now it’s time for us to learn from them Op-Ed: Microsoft April Patch Tuesday reveals 167 vulnerabilities The industry speaks: World Identity Management Day 2026 Op-Ed: Why zero trust for OT should start at the boundary, not the boiler room The industry speaks: World Cloud Security Day 2026 The industry speaks: World Backup Day 2026 Op-Ed: Information sharing of cyber threats vital to national security Op-Ed: Building secure foundations for AI in the cloud Op-Ed: AI isn’t the threat, poor design is Op-Ed: Why Australia’s schools are becoming strategic targets for organised crime Op-Ed: Australia’s National AI Plan looks good on paper, but where are the teeth? Supply chain risk: Understanding the weakest link in cyber security
Op-Ed: Australian organisations need federated authority to stay secure at scale
2025-12-15 · via Opinion

Centralised security control is no longer fit for purpose – federated security governance is the answer.

Your security team can’t make every security decision for every business unit across your Australian enterprise. AI aims to use data across every part of the business, attack surfaces are expanding faster than budgets can keep up, and security teams must operate more efficiently amid constantly changing software environments. Simply hiring more people or buying more tools cannot address these challenges at scale.

To keep pace, organisations need to rethink how they make security decisions. The most effective shift is to move away from centralised security control and adopt federated security governance. In this operating model, CISOs set enterprise-wide risk strategy and policy, while data owners and technical teams across the organisation implement controls within their respective business units. This gives technical teams the flexibility to apply policy in ways that suit their systems while maintaining clear accountability.

You’re out of free articles for this month

To continue reading the rest of this article, please log in.

This direction aligns with what executives are already signalling. GitLab’s recent C-suite survey shows 90 per cent of leaders in Australia expect agentic AI to become the industry standard for software development within three years, yet their top concern is data privacy and security. The bottlenecks created by centralised authority will only hinder automation and innovation.

Why centralised security holds Australian businesses back

Traditional security models require CISOs to be experts across multiple business units that serve different audiences, each requiring a deep contextual understanding of the environment and its challenges. Data protection requirements, local regulations, and industry-specific compliance all introduce variations between business units.

In a federated model, technology leaders, whether from IT, engineering, or business units, have a deep understanding of the nuances of their assigned units. Their specialised knowledge helps to set a strategy that considers the right goals, technologies, workflows, and risks to deliver three immediate benefits that a centralised security authority can’t match:

Context-aware security oversight minimises friction and churn. Security decisions happen faster because they’re made closer to the action. Service and application owners already have the context and expertise to make optimal decisions within their scope of responsibility. Delegated authority allows companies to seize market opportunities, deploy new tools, manage fewer escalations, and reduce unnecessary friction or delays.

Flexible policies help teams adopt and benefit from emerging technologies. When governance cascades, security teams can evaluate how a new technology’s attack surface affects their business unit’s unique risk profile and set policies that define security boundaries based on data classifications and regulatory constraints. CISOs can establish broad organisational standards for a technology’s adoption, but their technical partners in the business ultimately own their unit’s implementation. The partnership approach ensures policies strike the right balance for productive adoption and avoid overly strict or broad security controls.

Scalable security authority accommodates organisational growth. Acquisitions, new product launches, or geographic expansions necessitate security teams to assume new workloads and specialised expertise. Properly balancing what to centralise and what to federate enables scale. Under careful policy governance, identity and data governance are domains in security that federate well with centralised technology platforms. Business units can realise the velocity benefits by having the autonomy to manage, delegate, and provision access to their services and capabilities.

Making the cultural shift work

For organisations prone to silos, rigidity, and top-down command-and-control cultures, adopting a federated model won’t be easy. The shift requires shared security ownership, with security leaders working as peers to ensure the adoption of new policies and frameworks goes smoothly. CISOs must establish standards and policies that account for the velocity and runtime operational realities of modern technology stacks if they want business units to adopt, not just be forced to comply with, security governance. Implementation partners must ensure their control structures are appropriate for the policy associated with their data classification.

In practice, that might look like a CISO setting data classification standards, while partner teams are responsible for implementing these standards as low-friction security policies and capabilities at the source of record for the data. Netflix’s security team is largely credited with pioneering the “Paved Roads” philosophy, achieving policy adoption success by building secure options that meet policy guidelines and making them the easiest ones for developers to use.

Outside of engineering, organisation-wide standards also need to offer flexibility and avoid becoming overly specific or narrow, so they remain relevant to each business unit. Self-service risk exception processes allow for special circumstances that consider the business context and impact, so security doesn’t unnecessarily hinder business unit functions.

The investment case for federation

As the role of the CISO continues to expand beyond its traditional scope, security investments are being judged not only on how well they reduce risk but also on how effectively they support broader business goals. Every dollar now needs to demonstrate measurable risk mitigation. Federation gives CISOs a more nuanced view of risk across business units, enabling them to drive outcomes that benefit the whole organisation.

As AI systems become more autonomous and deeply embedded in operations, the attack surfaces they create will quickly outpace the capacity of any centralised team to manage. For Australian enterprises, federation is not a future ambition but an operational requirement. It will reshape how organisations structure their teams, allocate budgets, and deliver security at scale.

For large, digitally complex businesses, the real advantage will come from how quickly they adopt federated authority and build a more collaborative security culture to support it. Organisations that embrace this shift early will be best placed to stay resilient, competitive, and trusted as AI-driven systems continue to expand.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.

Tags: