"They need to be more aware that they are part of the supply chain of our business," he explained. "They are part of our ecosystem and not a lone player.
"If they fail, then we're at risk of failing also."
For Arronis, a key component for Serco centres around the nature of the business.
As a business support services company, it relies on third parties, meaning multiple providers could be around the table at any given time, working together to solve a pain point.
"They need to be part of that discussion, so it's more about understanding that the context has changed and we do need to work together," he added.
"I do see it as an ecosystem where it's not just our organisation, it's really the footprint which includes our third parties and the customer that I am concerned about because if a third party gets compromised, that's a big issue."
As the leading security executive of a multinational services company with contracts from state and federal governments to operate hospitals, prisons, and detention centres, Arronis said the organisation has "unique concerns" to address and certifications to maintain.
"A key theme around change in this space is more due diligence," Arronis said.
"This means more due diligence across multiple teams. A purchase is now about legal, finance, procurement and IT all being aligned."
With regard to IT, Arronis said Serco had to "step up" to ensure the business was across the details also.
"The context change is more to do with the type of things we are buying," he added. "For example, we may be using Salesforce or an application built on top of Salesforce by a third-party developer.
"What then comes into play are such as data sovereignty, data ownership and data access. It becomes an issue of scrutiny of the cloud service provider."
This raises questions around where they host data, where data centres are and what happens if the provider fails and leaves Serco without a safety net.
"Can I recover my data easily?" he questioned. "Can I port my data from one provider to another?
"Do they have any hidden clauses in their contracts which give them the right to use data through Facebook and Google?"
In the eyes of Arronis and Serco, ownership of risk is key, because no matter who provides a product or service, Serco holds the risk.
"All we are doing is outsourcing a service, so we need to understand the risk profile," he said. "The better we understand the risk profile, the more risk we can take on."