In daily life as an individual, you rely on others – from neighbors to police to lawyers and judges to armed forces – for protection against threats of all kinds. At the same time, you also bear responsibility: the more careless or inclined toward risk you are, the less secure you become.
The same applies to enterprises and the cyber-world. An organization needs allies and partners because today’s threats are complex, widespread and extensive. Yet there is a lot that an organization can and should do itself. How do you divide and assign responsibility? What kind of IT security functions can you outsource and what should you retain in-house?
Cloud Computing and Overlapping Roles
Answering those questions can be a challenge. How, for instance, do you define in-house? Businesses now run on wireless networks and mobility. Cloud computing has blurred the line between internal and external IT resources. Departments rely on SaaS tools hosted on public clouds and deploy enterprise apps on private clouds in third-party data centers. The boundaries aren’t always clear.
As the Internet of Things (IoT) accelerates, the IT domain will expand further. Already, the notion of a perimeter defense is being displaced by the Zero Trust network security model, in which threats can arise from anywhere. In that scenario, security becomes everyone’s job.
The idea that “we are all CISOs now” is not entirely new. (See my ComputerWorld article on SaaS security from April.) The democratization of IT has meant that nearly anyone can add a SaaS app or other cloud service to a corporate IT estate. Maybe the individual deciding to deploy that technology has reviewed the provider’s certifications, regulatory compliance and network architecture. Or maybe not. In any case, by using these services, an organization, in effect, has outsourced much of the security associated with them.
But the field is dynamic. In the give-and-take over these blurred boundaries, a new category – Cloud Access Security Broker (CASB) providers – has arisen to provide visibility into application use, identify risk factors and enforce security controls. (NTT Security has announced a strategic partnership with Symantec in this area.) The model is logical: protect outsourced IT with outsourced security.
Governance, Risk Management, Compliance
Businesses can vet the credentials of outside IT providers, but they are unlikely to run the tests or verify the performance of those partners themselves. Such efforts would fall under the rubric of Governance, Risk Management and Compliance (GRC), a collection of related capabilities that companies tend to retain for themselves.
Executives can always seek advice and counsel, for instance, but as a rule do not outsource how they govern, as governance involves core issues of corporate identity and business ethics. Risk management and compliance are also held closely. Only top executives can set tolerance for risk, and chief compliance officers bear responsibility for the validity of conformance or regulatory outcomes.
Growing complexities and a shortage of talent, however, have made enterprises more likely to look for help with IT-specific risk management and compliance efforts. An ecosystem of rapidly evolving solutions now exists to address the multifaceted segments of IT risk management, from policy to auditing and operations to vendor management. The efforts by Sourcing Industry Group to promote better management of tail spend are a good example of a related initiative with promising implications for risk mitigation.
More comprehensive approaches also exist. From the perspective of a global network services provider with our own unified threat management solutions, we know that even multinational corporations need help. An enterprise must determine its own approach to GRC, but then aligning its security architecture accordingly could entail outsourcing various functions, such as vulnerability assessment, malware detection, endpoint threat detection and log analysis.
Compliance is also a taxing and evolving challenge. The EU’s General Data Protection Regulation (GDPR) and the newly finalized Cybersecurity Framework version 1.1 from the U.S. National Institute of Standards and Technology (NIST) are cases in point. But the decision to outsource compliance is a serious one, especially if that party is given access to an entire network and sensitive data. As in finance and accounting, trust and transparency are key ingredients of a successful IT audit.
Independent Yet Allied
Like many business decisions, the question of what security to outsource and what to retain falls on a spectrum. On the one hand, issues overlapping with corporate governance, such as acceptable risk thresholds, should stay in-house. At the other end, companies that have adopted SaaS and other cloud computing tools or platforms have already outsourced both IT resources and much of the related security management, whether they realize it or not.
As noted at the outset, security is not a solo operation. “Over the past 10 years, one observation remains steadfast,” write the authors of the 2018 Global Threat Intelligence Report (GTIR) from NTT Communications. “Our adversaries operate on a global level, and we must invest in capabilities, people, processes and controls which scale.”
Enterprises are responsible for building a security-minded culture, where everyone – from C-suite to hourly employees – is empowered with knowledge, tools and awareness. But effective collaboration with trusted external partners is the only way that most organizations will be able to scale up to meet an ever-shifting and expanding set of cyberattacks that threaten them.