Shared Service Centres vs. Dedicated Teams in the Context of Cyber Resilience for Global Firms | Modular Services
Executive Summary
Phishing remains the most common entry point into an organisation. More than 90 percent of breaches begin with an email, and attackers use this foothold to launch ransomware, exfiltrate data, or disrupt operations. Phishing is not going away. It is increasing in scale and sophistication, fuelled by automation, artificial intelligence, and polymorphic campaigns that constantly change form to bypass filters.
Polymorphic phishing is an advanced technique where phishing emails are constantly changed by attackers to evade signature-based and keyword-based detection by email filters. By using automation and even artificial intelligence (AI) to randomize elements like content, subject lines, and sender names, a single polymorphic attack can create thousands of variations, making it difficult for security systems and even human users to spot the malicious intent and increasing the chance of a successful compromise.
The impact is visible. In early 2025, government institutions across 18 countries reported a 42 percent increase in phishing attacks targeting critical infrastructure. The FBI consistently ranks phishing as the top cause of reported cybercrime. Google blocks around 100 million phishing emails every single day.
For global organisations, the challenge is not only the threat itself, but the ability to coordinate a defence. Some firms operate with centralised, globally capable shared service centres. They detect once, act once, and protect everywhere. Others are more dispersed, with different IT setups across offices and multiple local vendors managing security. These firms struggle to coordinate, and attackers exploit the gaps.
This paper explores two support models existing in global firms: locally independent teams vs shared centralised service centres. It examines how siloed, localised approaches to cyber defense may hinder the security posture of the global firm and why a shared services centre provides scalability, rapid response and alignment. The paper looks at phishing and zero-day vulnerabilities as practical examples to show how resilience in a global firm depends on centralised coordination.
The Risk Landscape
Phishing is not only common, it is the most common way of penetrating cyber defenses and gaining access to sensitive data. More than 90 percent of breaches begin with a phishing attempt. Google alone blocks over 100 million phishing emails daily. According to the UK Government among businesses that experienced at least one cyber crime in the last 12 months, 90% identified phishing as the type of cyber crime. The statistics are consistent across regions and sectors. – image and source.
Phishing also scales with ease. Attackers send billions of emails daily. Even if only a small percentage succeed, the volume is enough to compromise millions of accounts each year. The method is cheap, fast, and human-focused. Filters and firewalls are not enough when deception is targeted at people rather than machines.
The problem is amplified by organisational design. Many global firms maintain different infrastructure choices in different geographies. Some outsource IT to local providers. Others use bespoke setups in certain offices. While this independence gives local flexibility, it comes at a cost: fragmented response. When multiple offices are attacked at the same time, responses are inconsistent. One region patches quickly, another waits for a local vendor, another may not even know it has been targeted.
Zero-day vulnerabilities present the same problem. When a zero-day vulnerability is released some larger offices may have the internal resources to quickly patch the systems whilst others may take days and weeks to mitigate. The global organisation then becomes vulnerable as some offices accumulate security technical debt and in that window of time attackers find opportunities for lateral movement, taking advantage of inconsistency and delay.
For law firms, financial institutions and professional services organisations, this is more than an IT concern. It is about trust. Clients expect that their data and matters are safe wherever they are handled. Insurers expect proof of resilience before underwriting. Regulators expect organisations to demonstrate that they can withstand and recover from major incidents. Continuity plans on paper are not enough. What matters is the ability to act quickly, consistently, and at scale.
Dedicated Teams vs Shared Service Centres
Dedicated or ringfenced teams
Some organisations prefer to keep dedicated teams tied to a single office or region. The immediate benefits are clear. These teams know the local systems well, they are accountable to local leadership, and they provide predictable support and project delivery at a stable cost.
But this model comes with limitations. Local IT managers remain focused on their own infrastructure design choices and day-to-day operations. They are rarely incentivised to look beyond their own office and take on firmwide projects. Their contributions, while valuable locally, are not always visible at the wider organisational level. Global coordination in this context is seen less as a driver of value and more as a compliance requirement, something that must be done rather than something that benefits the global organisation. Where offices maintain financial independence, the incentives to align on global projects are even weaker. In practice, this means local teams have little reason to invest time and energy in global initiatives, even when those initiatives are critical to resilience of the global group.
Capacity is capped and coordination is weak. A local team cannot suddenly scale to meet the demands of a major crisis that affects multiple offices at once. Where specialist skills are missing, the dependence on local vendors becomes a risk in itself. Their availability is uncertain, their priorities are divided, and in a large-scale incident they may not be able to deliver the speed and focus the organisation needs.
Shared service centres
A shared service centre operate at a global level, pooling resources and expertise and catering services to all offices. The advantages are clear.
Scale: a larger pool of analysts can be reallocated to individual offices quickly during critical incidents.
Coordination: playbooks, fixes and mitigations are distributed instantly across all offices.
Resilience: Knowledge is shared, access to senior resources is arbitrated, so no individual office is left to solve problems alone.
Efficiency: Specialised expertise is available to all firms and senior-level resources can be sourced easier through cost sharing.
Use Case: Phishing Campaign
A polymorphic phishing campaign hits three offices in three different countries.
In a fragmented organisation, each office responds independently. Local vendors act at different speeds. One blocks the campaign within hours. Another is slower. The third delays even longer. The attacker needs only one office to fail. That is enough to gain access to critical data and expose the entire global organisation to reputational risks.
In a shared service centre model, detection in one location triggers a global response. The campaign is analysed once. Controls are updated once. The protection is distributed across all offices at the same time. The attacker loses the advantage.
Use Case: Zero-day Vulnerability
A zero-day exploit is discovered in a widely used system across multiple offices.
In a fragmented model, one office identifies suspicious behaviour. It begins mitigation locally. Other offices may remediate at different speeds, until their suppliers or teams act. The exploit spreads as the global security posture of the firm is as strong as its weakest link.
In a shared service centre model, the discovery in one office activates a coordinated systems patching exercise. Mitigation steps and monitoring are rolled out everywhere at once. The organisation benefits from a global coordinated effort to resolve the zero-day vulnerabilities.
Why Shared Service Centres Deliver More Resilience
The shared model provides four clear advantages.
Scale: a larger resource pool able to surge during major incidents.
Coordination: faster distribution of intelligence, playbooks, and mitigations.
Resilience: no office is left to handle incidents in isolation.
Service assurance: central accountability ensures standards are consistently applied across the whole organisation.
This is not only more effective in practice, it is also easier to evidence to clients, regulators, and insurers. It shows that resilience is not just claimed but demonstrated.
Conclusion
Global organisations face an environment where cyberattacks are constant, adaptive, and increasingly sophisticated. Phishing and zero-day vulnerabilities remain the two most common entry points, and both expose the weakness of fragmented security operations.
Firms that rely on scattered local suppliers and independent IT setups move slowly. They duplicate effort, they miss opportunities to share intelligence, and they leave gaps that attackers exploit.
A shared service centre changes the equation through scale, coordination, and assurance. It allows global firms to respond at the speed and scale required. Most importantly, it delivers the one thing clients, regulators, and insurers now demand: cyber resilience.
And yet, the model is not universal. Some firms still view shared centres as inadequate for highly specialised, client-critical, or tightly regulated work. The most common concern is priority.
In a shared model, priority is not left to chance. It is governed by clear service assurance agreements. It is predefined, transparent, and based on business impact to the organisation as a whole. While this approach is not for everyone, many leading firms have already embraced it. Deloitte, Grant Thornton, Mazars, DLA Piper, Freshfields, and Clifford Chance all rely on shared service centres. They are now using them not only for cyber resilience and as cost-effective support centres but also as centres of excellence, driving innovation, with AI and automation at the core of service delivery.
