SLAs: What your cybersecurity vendor isn't telling you - Help Net Security

SLAs: What your cybersecurity vendor isn't telling you - Help Net Security

Service Level Agreements (SLAs) have been used in the IT world for many years as a contractual mechanism for holding service providers accountable and extracting defined payments and penalties when they mess up. Likewise, vendors have used SLAs to put their “money where their mouth is” in terms of fulfilling value promises and establishing important metrics for their customers. In reality, SLAs have not kept up with either of these purposes.

For most IT pros, once contracts are signed, the SLAs are shelved by both parties and do nothing meaningful to guide the relationship. Most enterprises are sophisticated enough to understand that any monetary compensation for a vendor’s failure to perform is likely to be so insignificant as not to warrant the effort. Similarly, SMBs may lack the technical resources or manpower to properly document vendor failures, and pursuing remedies from vendors is likely #599 on the top-600 list of priorities.

SLAs from security software and services companies tend to be even more meaningless than those from IT. The reason is anchored in the universal truth that no security offering can guarantee 100 percent effectiveness. Also, a service outage from a threat scanning company, for example, might allow a catastrophic incident to occur or it might not.

If nothing happens, the likelihood of a pursuit for damages by the customer are slight. If a breach does occur, there are bigger issues at stake and most likely will turn on legal issues beyond the SLA in the contract.

So, if SLAs are virtually worthless in practice, why do we still use them?

The reality is that they can be useful if we evolve the purpose. While SLAs may have previously served as a “stick” i ..