SLAs are Dead.... Dead Last
Obviously Service Level Agreements are still very important tools. If you haven't spent much time with them, let me first point to a couple of strong resources. Brian Heller gives some great advice on them, and one of my favorite papers on the subject is by Steve Hodson and Mark Norris.
Steve and Mark start with this very important message: "It is a common misconception that an SLA sets expectations about the service level that should be delivered." So then, how do we define the service level we want from our providers? Do we just let them write a Statement of Work and call it a day, or do we make sure the SLA is the "safety net," as Steve and Mark once again describe it?
SLAs should be dead last in our consideration of what we expect from our providers. They should be a minimum: when a provider approaches those limits, we start a conversation about what is causing the issues. I prefer to work through issues so that both my company and the service provider can grow and improve. I am never rash in deciding to replace a service provider, particularly if we have built a relationship over years.
I am consulting with some talented leaders at Inspira Enterprise who have been leading global MSSPs for decades. I look forward to helping push contract capabilities to define SLAs and Operating Level Agreements for US-based customers that meet the operating and cultural expectations of customers here. But even with Brian, Steve, and Mark's help and 30 years of experience myself, I might miss a few things.
I am interested in how my peer cyber leaders drive outcomes from their service providers. I hope your expectations are even higher than my own and that you can help me make a difference for our customers, and perhaps shape others' mindsets as well.
Director, Global Information Security and Governance at Argon Medical Devices, Inc.
(2 years) Yep, SLAs are a tool by which to work through issues. I look at SLAs to help me determine how much risk my company will have to accept with a particular vendor. That is not a bad thing per se, but a good relationship, good understanding of risk, and an SLA can be a powerful thing. Maybe the way to think about it is "leverage the SLA," not try to change it.
Tech Deal Lawyer (SaaS / Cloud, AI, Advertising, Licensing, etc.) | 20+ yrs experience: BigLaw, In-House, BizDev, CorpDev, etc. | JD/MBA (JD cum laude from BU; MBA from Michigan)
(2 years) Thanks for the shoutout. I agree the SLAs in the contract should be the bare minimum, but it's my job to negotiate them just in case the vendor does only the bare minimum. I advise my clients to find vendors who try to do more than that. ;)
Global CISO | Enterprise Security Advisor
(2 years) First off, Michael Schindler, great article! Far too often, we rely on contractual terms to serve as an excuse to management for why our tools or service provider did not prevent incident XYZ. While it serves as a safety net, it should not be heavily relied on. But on the flip side, has anyone seen SLAs enforced and fines levied?
Bridging Behavioral Science & Cybersecurity | Enhancing Security Leaders’ Decision-Making | Cyber Risk Strategist | Keynote Speaker | Author
(2 years) My first thought when I hear about SLAs is that they can be artificially manipulated based on what you choose as the target. On the other end of the spectrum, sometimes SLAs are overly aggressive. I think of SLAs as similar to goals. In his book "Atomic Habits," James Clear points out that goals are about achieving some target. Let's assume we hit our SLAs; THEN what? He then describes "systems," which are the methods and processes we follow to achieve our goals. Applied to the current discussion, if we are focused on SLAs, that isn't a measure of how effective we are at addressing the underlying issues. It is simply a measure of whether we completed a task in a specific timeframe.