The US Cybersecurity and Infrastructure Security Agency (CISA) released a document called Risk Considerations for Managed Service Provider Customers. CISA acknowledges the role of network administrators, among others, in selecting an MSP. While the document includes good overall guidance for small- to medium-sized businesses (SMBs) that use consultants, I find some of the recommendations to be inconsistent with what I know in the SMB space.
In particular, CISA recommends that “SMBs should catalog which assets are the most critical to operations and characterize the risk to those assets. This allows organizations to prioritize which assets should be included in or excluded from vendor agreements and to develop specific contingency plans for incidents affecting those assets.” Many small businesses aren’t always aware of the risk that technology assets present. The business need often drives the purchase of the technology asset; as long as that need is met, the risk of the asset is not analyzed. It’s often the consultant who comes in and recommends changes to the technology assets.