My Thoughts on the CISA MSP Advisory

CISA published their advisory bulletin addressing risk considerations for organizations thinking about using managed service providers. This is a great advisory, but it has some areas of potential misinterpretation in it, chiefly because CISA has departed from a security group and expanded into territory in which it has little experience.  

Highlights:  

• What if organizations stopped using MSPs?  
• Yes, all customers ought to be responsible and consider risks of outsourcing. But, risks of not managing IT are far greater than the risks of outsourcing 
• Targeting of managed services supply chain vendors is NOT a symptom of poor MSP security, it's a symptom of the unchecked business of cybercrime 

MSP Zone Reading Material: Risk Considerations for MSP Customers | CISA