2.1.7 Other adaptive security management services

An organization could have geographically dispersed branches with a security management service per branch. An organization-wide security policy is propagated to the local security management services, and the local policies are integrated and enforced at the branch site.

Communication with other security management services allows cooperating organizations to tune their security needs and create a federated security service. To detect and counter attacks on a very large scale -- think of the 1988 Internet worm -- a single adaptive security management system may be inadequate. An attack that is specifically aimed at one organization or large network infrastructure can be detected by integrating several security management services. Combining information from different sources enables a security manager to see the "bigger picture". In [STA96] a rule-based system is described that uses graph theory and coordinated distributed pattern analysis to detect these types of attacks. The distributed graph engines may well be implemented as security management services.
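The following added example (not taken from this text or from [STA96]) is a simplified sketch of why combining reports matters: each local service sees only a small fragment of a spreading activity, while the merged graph crosses the alarm threshold. The service names, host names, time window and host threshold are all assumptions chosen for illustration.

```python
# Added illustration: merging connection reports from several security
# management services into causal activity graphs. All data is constructed.

# service name -> list of (time in seconds, source host, destination host)
REPORTS = {
    "branch-a": [(100, "a1", "a2"), (105, "a2", "b1")],
    "branch-b": [(110, "b1", "b2"), (112, "b1", "c1"), (300, "b7", "b8")],
    "branch-c": [(120, "c1", "c2")],
}


def activity_graphs(events, window=30):
    """Group events into causally linked graphs.

    An event joins a graph when its source host was touched by that graph
    at most `window` seconds earlier; otherwise it starts a new graph.
    """
    graphs = []
    for t, src, dst in sorted(events):
        for g in graphs:
            seen = g["hosts"].get(src)
            if seen is not None and t - seen <= window:
                break
        else:  # no existing graph explains this event
            g = {"hosts": {}, "edges": []}
            graphs.append(g)
        g["hosts"].update({src: t, dst: t})
        g["edges"].append((src, dst))
    return graphs


def alarms(events, min_hosts=5, window=30):
    """Return the host sets of graphs that grew to at least `min_hosts`."""
    return [sorted(g["hosts"]) for g in activity_graphs(events, window)
            if len(g["hosts"]) >= min_hosts]


def local_view(reports):
    """What each service would flag using only its own reports."""
    return {name: alarms(ev) for name, ev in reports.items()}


def federated_view(reports):
    """What is flagged once all services' reports are combined."""
    return alarms([e for ev in reports.values() for e in ev])


if __name__ == "__main__":
    print("local:", local_view(REPORTS))
    print("federated:", federated_view(REPORTS))
```

No single branch raises an alarm here, but the federated view links the three fragments into one six-host graph, while the unrelated `b7` to `b8` connection stays in its own small graph.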

Another reason for enabling communication between security management services is availability. A second local security management service implementation could be used as a cold or hot stand-by backup server in case the main system fails.


(c) 1998, Filip Schepers