My Thoughts on the CISA MSP Advisory

CISA published their advisory bulletin addressing risk considerations for organizations thinking about using managed service providers. This is a great advisory, but it has some areas of potential misinterpretation in it, chiefly because CISA has departed from a security group and expanded into territory in which it has little experience.   Highlights:   What if organizations stopped using MSPs?   Yes, all customers ought to be responsible and consider risks of outsourcing. But, risks of not managing IT are far greater than the risks of outsourcing  Targeting of managed services supply chain vendors is NOT a symptom of poor MSP security, it's a symptom of the unchecked business of cybercrime  MSP Zone Reading Material: Risk Considerations for MSP Customers | CISA