Cybersecurity - What to Outsource? What to Retain?

Posted: 07/20/2018 - 09:13

In daily life as an individual, you rely on others – from neighbors to police to lawyers and judges to armed forces – for protection against threats of all kinds. At the same time, you also bear responsibility: the more careless or inclined toward risk you are, the less secure you become. 

The same applies to enterprises and the cyber-world. An organization needs allies and partners because today’s threats are complex, widespread and extensive. Yet there is a lot that an organization can and should do itself. How do you divide and assign responsibility? What kind of IT security functions can you outsource and what should you retain in-house?

Cloud Computing and Overlapping Roles

Answering those questions can be a challenge. How, for instance, do you define in-house? Businesses now run on wireless networks and mobility. Cloud computing has blurred the line between internal and external IT resources. Departments rely on SaaS tools hosted on public clouds and deploy enterprise apps on private clouds in third-party data centers. The boundaries aren’t always clear.

As the Internet of Things (IoT) accelerates, the IT domain will expand further. Already, the notion of a perimeter defense is being displaced by the Zero Trust network security model, in which threats can arise from anywhere. In that scenario, security becomes everyone’s job.

The idea that “we are all CISOs now” is not entirely new. (See my ComputerWorld article on SaaS security from April.) The democratization of IT has meant that nearly anyone can add a SaaS app or other cloud service to corporate IT estate. Maybe the individual deciding to deploy that technology has reviewed the provider’s certifications, regulatory compliance and network architecture. Or maybe not. In any case, by using these services, an organization, in effect, has outsourced much of the security associated with them.

But the field is dynamic. In the give-and-take over these blurred boundaries, a new category – Cloud Access Security Brokers (CASB) providers – has arisen to provide visibility into application use, identify risk factors and enforce security controls. (NTT Security has announced a strategic partnership with Symantec in this area.) The model is logical: protect outsourced IT with outsourced security.

Governance, Risk Management, Compliance

Businesses can vet the credentials of outside IT providers, but they are unlikely to run the tests or verify the performance of those partners themselves. Such efforts would fall under the rubric of Governance, Risk Management and Compliance (GRC), a collection of related capabilities that companies tend to retain for themselves. 

Executives can always seek advice and counsel, for instance, but as a rule do not outsource how they govern, as governance involves core issues of corporate identity and business ethics. Risk management and compliance are also held closely. Only top executives can set tolerance for risk, and chief compliance officers bear responsibility for the validity of conformance or regulatory outcomes.

Growing complexities and a shortage of talent, however, have made enterprises more likely to look for help with IT-specific risk management and compliance efforts. An ecosystem of rapidly evolving solutions now exists to address the multifaceted segments of IT risk management, from policy to auditing and operations to vendor management. The efforts by Sourcing Industry Group to promote better management of tail spend is a good example of a related initiative with promising implications for risk mitigation.

More comprehensive approaches also exist. From the perspective of a global network services provider with our own unified threat management solutions, we know that even multinational corporations need help. An enterprise must determine its own approach to GRC, but then aligning its security architecture accordingly could entail outsourcing various functions, such as vulnerability assessment, malware detection, endpoint threat detection and log analysis.

Compliance is also a taxing and evolving challenge. The EU’s General Data Protection Regulation (GDPRand the newly finalized Cybersecurity Framework version 1.1 from the U.S. National Institute of Standards and Technology (NIST) are cases in point. But the decision to outsource compliance is a serious one, especially if the party is given access to an entire network and sensitive data. As in finance and accounting, trust and transparency are key ingredients to a successful IT audit.

Independent Yet Allied

Like many business decisions, the question of what security to outsource and what to retain falls on a spectrum. On the one hand, issues overlapping with corporate governance, such as acceptable risk thresholds, should stay in-house. At the other end, companies that have adopted SaaS and other cloud computing tools or platforms have already outsourced both IT resources and much of the related security management, whether they realize it or not.

As noted at the outset, security is not a solo operation. “Over the past 10 years, one observation remains steadfast,” writes the authors of the 2018 Global Threat Intelligence Report (GTIR) from NTT Communications. “Our adversaries operate on a global level, and we must invest in capabilities, people, processes and controls which scale.” 

Enterprises are responsible for building a security-minded culture, where everyone – from C-suite to hourly employees – is empowered with knowledge, tools and awareness. But effective collaboration with trusted external partners is the only way that most organizations will be able to scale up to meet an ever-shifting and expanding set of cyberattacks that threaten them. 



About The Author

Brandon Curry's picture

Brandon Curry has worked as an expert in the information technology industry for more than 25 years. During this time, he has held a variety of roles ranging from sales and post-sales account management to operations and solution architecture, on both the IT and network sides of the information communications technology (ICT) business.

Curry brings a unique, out-of-the-box perspective to problem solving, technology strategies and customer solutions. He joined NTT America in 2015 after working for T-Systems North America in several capacities, including Head of Sales and Service Management. In his current role, Curry is NTT America’s Vice President of Solutions, Product and Service Management, leading the end-to-end pre-sales, product management, post-sales governance and account management functions.

Curry is a strong believer in continuous learning, and is a thought leader on new technologies and market trends. He holds an Associate of Science degree in pre-medicine from the University of Kentucky, an MBA from Northwestern University’s Kellogg School of Management, and an MS in security from Carnegie Mellon University. He has earned many advanced level certifications such as CCIE, CISSP and is a Certified Ethical Hacker. In addition, Mr. Curry is a member of the (ISC)2 national and Chicago chapters, as well as the Global IT Architects Association.
Twitter: @nttcom