NCC Group this week revealed it has allied with Qualys to expand the scope of its managed attack surface management (ASM) services to address instances of shadow IT.

Amber Mitchell, lead product manager for ASM at NCC Group, said the managed security service provider (MSSP) already provides a managed attack surface service, but aligning with Qualys makes it simpler to surface IT assets that internal cybersecurity teams are not aware of in their IT environments.

At the core of that capability is a set of real-time asset discovery tools from Qualys that now enable NCC Group to continuously monitor those IT environments, said Mitchell.

Shadow IT has, of course, been a long-standing issue for cybersecurity teams. Many devices, for example, that are connected to corporate networks without approval lack the controls needed to protect the rest of the organization from malware that an end user may have inadvertently downloaded.

That issue is becoming even more problematic in the age of artificial intelligence. End users are now routinely sharing sensitive data with external large language models (LLMs) without fully appreciating how that data might also be used to train the next iteration of that model. Cybersecurity teams will need to move beyond detecting assets to also discovering how data is being shared with external services.

It’s not clear to what degree organizations are now relying on MSSPs to help secure IT environments but there has definitely been an increase largely because most organizations have found it difficult to hire and retain cybersecurity professionals on their own. In theory, AI tools should help close that skills gap but as the tactics and techniques employed by cybercriminals continue to evolve there will still be a need for a human to orchestrate cybersecurity defenses. The upside is there should be less toil for cybersecurity professionals as more tedious tasks are handled by AI agents.

Ultimately, each cybersecurity team will need to determine which tasks to assign to themselves or to an AI versus outsourcing to an MSSP. In fact, according to the research firm MarketsandMarkets, the global managed security services (MSS) market is projected to grow from $39.5 billion in 2025 to $66.8 billion by 2030, representing an 11% compound annual growth rate (CAGR).

The truth is there are very few organizations that have the resources required, even with the help of AI, to fully secure an IT environment on their own. More challenging still, with the addition of AI agents, the overall size of that attack surface that needs to be defended is only going to continue to increase.

Cybersecurity teams heading into the New Year would be if they have not already to rethink their overall strategy. There is never going to be such a thing as perfect security so the focus needs to be on minimizing risks to the organizations as much as reasonably possible. Invariably, achieving that goal is always going to start with understanding the full scope of the IT environment that needs to be defended.