Cyber Security and Governance: to Centralise or not to Centralise?

Cyber security is a fascinating and rapidly evolving problem-space. What possible solutions exist in regards to coordinated governance and oversight? If a centralised software and hardware development methodology is used – compliance with formal standards could be assured, but the (logically and materially inevitable) emergence of vulnerability and exploit would mean that this systemic coherence represented a single point of failure for everyone and everything – a house of cards trembling and waiting to cascade with failure. This is analogous to breeding variation out of genetic stock for (e.g.) fruit plant production – the plants all become vulnerable to the same (literal) bugs. Centralised systems also tend to suffocate innovation.

If a multiplicity of software development methods (i.e. a diverse “genetic” ecosystem) and information security approaches are used (as is the actual case, it seems, and more by accident than anything else) – diversity provides a virtual bastion against single points of failure, but the Wild West of software and device development means that quality and security assurance is a daunting task and far too many shortcuts-to-market are taken.

Notice how it is the vast, centralised data repositories and the most widely-used apps, operating systems and devices that suffer the most (reported) security failures – the centres of gravity in this system. Can security provision “out-breed” security threats? Will we reach a point in time, a “peak vulnerability” threshold, when the entropy, disorder and proliferating systemic turbulence caused by security issues overwhelm efforts to control or govern the complexity?