My Thoughts on the CISA MSP Advisory
CISA published its advisory bulletin addressing risk considerations for organizations thinking about using managed service providers. This is a great advisory, but it has some areas open to misinterpretation, chiefly because CISA has moved beyond its role as a security group and expanded into territory in which it has little experience.
- What if organizations stopped using MSPs?
- Yes, all customers ought to be responsible and consider the risks of outsourcing. But the risks of not managing IT are far greater than the risks of outsourcing.
- Targeting of managed services supply chain vendors is NOT a symptom of poor MSP security; it’s a symptom of the unchecked business of cybercrime.
MSP Zone Reading Material: Risk Considerations for MSP Customers | CISA