Erin Geiger, Director of Content at Lumos

Maintaining IT Security While Decentralizing IT Structure

As business units gain more autonomy over their technology choices, we break down how IT can plug into each team to ensure security and compliance remain top of mind.

IT is evolving from a cost center filled with 'order-takers' to being partners and strategic advisers to the entire organization. As employees are enabled to take on actions such as procuring their own software, this eases the pressure and decreases tickets to IT. With this decentralized IT structure comes newfound efficiency, and a set of tradeoffs that require companies to implement precautions around security and compliance.

We’ve come a long way from the first centralized IT departments that were set up at the start of the personal computing age. Servers took up entire rooms, and the technology was considered so complex and expensive that it made sense to centralize operations and create a uniform standard. While that one-size-fits-all approach worked decades ago, it now feels archaic and inefficient. Employees want to solve their IT problems, and the talents of an IT team could be better spent doing something other than working through routine ticketed requests.

Decentralizing IT can help make organizations more agile. Today, nearly three-quarters of IT leaders say their organization has decentralized its IT structure, enabling managers to oversee permissions, manage procurement requests, and more, all while working with the IT team as strategic partners. The answer to who pays is also changing. Nearly 4 in 10 (39%) of leaders say the individual business unit requesting new technology is responsible for paying for it – not the IT department.

While efficiency and cost savings are the clear benefits of a decentralized approach, a majority of IT leaders (56%) say they worry about security more than any other issue. “IT leaders should maintain a holistic approach to security, ensuring that all areas of the organization are protected and that security measures are regularly reviewed and updated,” says Robert Siciliano, CEO of

The best way to do this is by rethinking how IT services are delivered. Instead of a ticketing system and a central IT unit, IT members should be embedded into each line of business. As designated partners, IT leaders can provide guidance to managers about best practices for implementing new business apps, evaluate risks, and foster a culture where security and data compliance are at the forefront. This model enables employees to be self-sufficient, and frees up time for the IT team to focus on new products and services.

Upholding Security

The average data breach in the United States last year cost $9.44 million. That’s more than twice as much as the global average. That’s expensive and annoying, but there are some sure-fire ways to mitigate the risk of it happening at your company.

“Not every company is providing security awareness training. That needs to change,” Siciliano says. “And the ones that do are providing ‘check off the compliance box’ phishing simulation training. While that might be considered good enough, it doesn't always fix the problem, and things seem to be getting worse.”

When it comes to upholding security, every employee is the first line of defense. IT leaders should create a company-wide security education culture that teaches employees good security hygiene and encourages them to ask questions and promptly report any suspicious activity, Siciliano says.

The need for IT to serve as partners, not gatekeepers, couldn’t be clearer. Human error is the top cause of serious security incidents, according to 84% of IT leaders. Nearly three-quarters (74%) of the same group report their organization experienced security breaches due to employees not following security best practices. Almost as many report having to deal with the repercussions of an employee being tricked by an email phishing attack.

While the increased security complexities that come with decentralized IT might sound daunting, the cost savings benefits it can bring are too good to pass up. With proper planning and ongoing education, companies can enjoy the rewards that come with a decentralized approach.

Here are some of our top tips for creating a security game plan:

Plan for the worst

“With a decentralized IT structure, it can be challenging to detect and respond to security incidents quickly. IT leaders should have well-defined incident response plans in place to minimize damage in case of a breach,” Siciliano says.

An estimated 83% of companies will experience a data breach at some point. When dealing with a security incident, your response time is everything. Have a formalized response plan ready to go, so in the event the worst possible scenario strikes, your team will be agile, nimble, and ready to handle any security issues, including mandated GDPR reporting.

Maintain visibility over which apps are used

It’s true that a decentralized approach gives teams more agency to choose the apps they use, but that doesn’t mean IT teams shouldn’t have a say. IT employees should be embedded with teams, and made aware of the apps that are being used and how they are being used. With this approach, IT team members can act as strategic business partners to help employees make the most of their apps, answer questions, and advise on security precautions they should be taking.

Provide clarity around apps and devices

The saying, “It’s better to ask for forgiveness than permission” doesn’t work so well when your security and data are at stake. IT leaders should clearly communicate with employees on a regular basis about which apps and devices are sanctioned, and which are not to be used at work. Employees should also be encouraged to reach out to their IT partner whenever they have a question about an app or device that isn’t on the list.

Educate employees about attack methods

Employees can be the weakest link in your security, but they can also be your first line of defense. It’s important to provide ongoing education about possible attack methods and emerging threats, so employees know how to spot them – and how to report them. Basic security education includes covering social engineering, phishing, and compromised emails. 

“Providing security awareness training that leads to what we term ‘security appreciation’ means the learner elevates from simply being aware of risk to taking it to heart and doing something about it. That requires a different approach that involves affecting employees to not just change their behavior, but to get them to care,” Siciliano says.

Enforce privacy and regulatory compliance requirements

Data privacy laws such as GDPR require organizations to protect the personal data they collect, store, or process. IT leaders must ensure that decentralized systems comply with these regulations, and maintain data integrity. IT leaders should ensure that only authorized personnel can access and modify data, and that any changes are tracked. Data protection measures should also be implemented, including encryption, backups, and other measures to guard against theft, loss, or damage. 

Continuously monitor and evaluate risks

Always assume hackers are looking for an “open door” to infiltrate your company’s network. With a decentralized structure, and the risk of human error, it’s not possible to keep watch on every entry point 24/7. This is where automated tools can help. 

Keep thorough, detailed documentation

Document everything! Administrators should ensure that only authorized personnel can access and modify data, and that any changes are automatically tracked. Any issues should also be immediately documented to ensure the company remains in compliance.

Education around cloud platform procurement

Who pays the bill for new apps? Nearly half (46%) of business leaders say that it depends on the use and the business unit. A decentralized approach empowers groups within an organization to purchase the apps and tools they need using their own budget; however, this autonomy should be dependent on education around cloud platform procurement. Having a certified member of the team can help streamline the buying process, ensure contract compliance, and teach the rest of the team how to configure new services and handle administrative functions.

Furthermore, in a decentralized environment, different vendors may provide various services such as cloud storage or SaaS applications. It is essential to ensure that these vendors are properly vetted for their security practices before partnering with them. 

There are so many benefits to gain from a decentralized IT structure. By empowering each line of business to take charge of its IT needs, IT leaders can serve as business partners – not gatekeepers – helping the company to run more efficiently.