Too often third party agreements are spread out across the company with no corporate governance or reporting requirements for risk management. This has potential to subject the company to a form of friendly fire should the third party or one of its vendors become the focus of hackers or government investigation. Using a third party to provide cybersecurity services essentially means that you are not only extending your risk to that company, but taking on the additional burden of managing that company as well. CISOs need to perform in-depth due diligence so they have a comprehensive understanding of the outsourced MSS provider.”]
Source: https://www.csoonline.com/article/3242149/vetting-third-party-it-security-partners.html