Successfully co-sourcing security infrastructure involves overcoming key barriers to establish a strong relationship based on shared responsibility, writes Tris Morgan, director of global advisory at BT.
Following the disruption of 2020, it’s important that security isn’t forgotten as new boardroom priorities and business objectives emerge. And as businesses realign their security strategy to fit with future plans, risk appetites and budgets, it makes sense to simultaneously reassess how to deliver on security requirements.
An important part of planning an organisation’s future security is considering what role, if any, external suppliers will play. It’s a useful exercise to identify areas where external partners can add value, such as introducing new technologies or complementary skillsets – as well as areas the organisation wants to keep under direct control.
Organisations that have a successful co-sourcing arrangement find that the concept of ‘shared responsibility’ fosters a much more holistic approach to cybersecurity that improves their security posture.
But how does an organisation get to that point?
Here we address head-on the three key concerns that businesses often raise when it comes to working with external security partners:
#1 Trust in the sharing of responsibilities
There’s a split in approaches to security provision at the moment: some organisations have established co-sourcing relationships in place, but others are confident they can handle security in-house. However, we’re finding that, increasingly, these self-delivering organisations are running into difficulties sourcing the skills they need and are finding the scope of the work to be done is greater than they initially thought. This brings them to the point where they have to assess their skill gaps and bring in a partner to fill them.
What both parties need to recognise is that, for any co-sourcing arrangement to work, they must establish a relationship based on trust, where the partner is committed to growing and evolving with the organisation.
But security suppliers understand the ideal relationship doesn’t pop up overnight. They know that organisations are tempted to hold on more tightly when they feel they’re under threat, making the urge to take full ownership of security provision stronger.
Some organisations feel that outsourcing can result in the loss of ownership over their estate, and they worry in particular about automation when it comes to control and decision making.
Our research showed that almost 60% of respondents wouldn’t want changes made automatically to their security policies. This wariness emphasises how building confidence is key for a successful hybrid co-management model, and the importance of clear decisions made together on how responsibility is shared. A supportive partner will allay fears with a crystal-clear delineation of responsibilities and consistent, open communication to demonstrate effectiveness and build trust.
#2 How to make the most of existing security investment
I often come across a concern that the organisation just can’t cover its security responsibilities with the staff it has available. Many security teams are facing skills and resource shortages. According to a recent PwC survey, 56% of respondents said their organisation is at risk due to a lack of cybersecurity staff. They lack the expertise, insights and technology needed to fully protect themselves from today’s new breed of attackers in a post-pandemic digitally transformed world.
Co-sourcing is an ideal opportunity to augment existing investments and then find areas to boost or develop through partnership to make the most of in-house provision. For example, those who’ve invested in security operations centres may want to carry on using this resource but consider outsourcing the volume activities which don’t need business context and insight, to reduce the load on their analysts. Effective co-sourcing isn’t about duplication; it’s about supplementing and expanding the security offering with new technologies and complementary skillsets to make the most of the investment the business has already made.
#3 Remain agile with a flexible approach
Flexibility is the ultimate goal of a co-sourcing partnership, but organisations sometimes worry that instead they’ll get a rigid, uncompromising arrangement. Organisations are clear that, to protect themselves in an uncertain and evolving world, it’s essential to stay proactive with an agile infrastructure to enable new work styles.
They want adaptable systems that will allow them to respond to the morphing threat climate and the unpredictability of the future of work in real time. An effective co-sourcing partnership will write in flexibility and clear governance to identify areas of responsibility and when they need to be reviewed, building in the ability to adapt. Having the option of different service levels also helps an organisation flex the support it gets from its partner.
Finding the right partner
Rather than a traditional outsourcing approach, the ideal security operations model works best as a collaborative ecosystem. This is where a hybrid sourcing model comes in. Rather than a binary all-in or all-out decision, these models offer a sliding scale from DIY to full co-management, which caters for the subtle differences between organisations’ perceptions of risk, trust and cyber maturity. It’s not about insourcing versus outsourcing. It’s about carefully choosing which elements are co-managed and used as a consumption-based service.
Choices must be guided by an organisation’s priorities, and the chosen model of co-management must fit where the organisation is on its journey towards digital transformation. Organisations should challenge security partners to grow and adapt with the organisation over time, offering flexibility and agility, while sharing the responsibility of maintaining security.