This week, we have a guest post from Brandon Curry, Senior Vice President, Solutions and Service Management, at NTT Communications’ Global Enterprise Services in the US.

In the cyber world, organizations need allies and partners – working alone is no longer an option. Why? Because today’s threats are complex, widespread and extensive. The question is: what kind of IT security functions can enterprises outsource, and what should they retain in-house?

Answering those questions can be a challenge. What, for instance, do we mean by in-house? Businesses now run on wireless networks and mobility. Cloud computing has blurred the line between internal and external IT resources. Departments rely on SaaS tools hosted on public clouds and deploy enterprise apps on private clouds in third-party data centers. The boundaries aren’t always clear.

As the Internet of Things (IoT) accelerates, the IT domain will expand further. Already, the notion of a perimeter defense is being displaced by the Zero Trust network security model, in which threats can arise from anywhere. In that scenario, security becomes everyone’s job.

The idea that “we are all CISOs now” is not new. The democratization of IT has meant that nearly anyone can add a SaaS app or other cloud service to a corporate IT estate. Maybe the individual deciding to deploy that technology has reviewed the provider’s certifications, regulatory compliance and network architecture. Or maybe not. In any case, by using these services, an organization, in effect, has outsourced much of the security associated with them.

But the field is dynamic. In the give-and-take over these blurred boundaries, a new category – Cloud Access Security Brokers (CASB) providers – has arisen to provide visibility into application use, identify risk factors and enforce security controls. NTT Security has announced a strategic partnership with Symantec in this area. The model is logical: protect outsourced IT with outsourced security.

On the other hand, companies tend to retain control in Governance, Risk Management and Compliance (GRC), a collection of related capabilities. Executives can always seek advice and counsel, for instance, but as a rule do not outsource how they govern, as governance involves core issues of corporate identity and business ethics. 

Risk management and compliance are also held closely. Only top executives can set tolerance for risk, and chief compliance officers bear responsibility for the validity of conformance or regulatory outcomes.

Growing complexities and a shortage of talent, however, have made enterprises more likely to look for help with IT-specific risk management and compliance efforts. An ecosystem of rapidly evolving solutions now exists to address the multi-faceted segments of IT risk management, from policy to auditing and operations to vendor management. The efforts by the Sourcing Industry Group (SIG) to promote better management of tail spend is a good example of a related initiative with promising implications for risk mitigation.

More comprehensive approaches also exist. An enterprise must determine its own approach to GRC, but then aligning its security architecture accordingly could entail outsourcing specific functions, such as vulnerability assessment, malware detection, endpoint threat detection and log analysis.

So what will you do?

Like many business decisions, the question of what security to outsource and what to retain falls on a spectrum. On the one hand, issues overlapping with corporate governance, such as acceptable risk thresholds, should stay in-house. At the other end, companies that have adopted SaaS and other cloud computing tools or platforms have, whether they realize it or not, already outsourced both IT resources and much of the related security management.

Ultimately, security is not a solo operation. Over the past ten years, one observation remains steadfast. As noted in the 2018 Global Threat Intelligence Report (GTIR), our adversaries operate on a global level, and we must invest in capabilities, people, processes and controls which scale.

Enterprises are responsible for building a security-minded culture, where everyone is empowered with knowledge, tools and awareness. But effective collaboration with trusted external partners is the only way that most organizations will be able to scale up to meet ever-shifting and expanding set of cyber attacks that threaten them. 

A version of this article was originally published on Future of Sourcing.