Completely agreed. I also see it as a side effect of leadership that's not IT savvy. The person setting policy, if they don't understand the problem and risks, often picks solutions that make it 'somebody else's problem'.
'I don't know Security, so I'm going to pay an MSSP to do it for me.'
This is not a bad thing, per se, it just means that their controls are ceded to a company who has marketing, shareholders, management layers, and _they_ want to optimize _their_ costs....so the protection of your organization will be 1/N of the response team's attention...where N is the number of other companies they're responsible for monitoring.
It's POSSIBLE that you'll get better support by letting an expert multiply their skills across a larger population of targets...it's just not LIKELY.