The functioning of modern societies increasingly depends on secure cyberspace. Given states' lacking capacities to protect this novel domain, governments draw on a variety of third parties for support. Yet, they face a challenge. While imposed control may limit third parties' competence, the abandonment of hierarchical control contradicts the widespread notion of national security. How do states navigate between these functional and national security imperatives to design governance arrangements? We develop a typology that combines cybersecurity problems (risks vs. threats) with governance modes (delegation vs. orchestration). This helps us to explore more than 100 cybersecurity policies across 15 different states. We find one predominant pattern. Governments delegate authority but maintain elements of hierarchical control, when they respond to threatening attacks. In contrast, governments orchestrate intermediaries by soft inducements to address risks and diffuse vulnerabilities in cyberspace. This contributes to both indirect governance scholarship and the debate on cybersecurity.