[alephnerd]

Microsoft is an MSSP as well. And they are one of the multiple vendors the City of Oakland uses. But vendors can only do so much for organizations like Oakland as the final decision and implementation ends up getting stuck in red tape and bureaucratic hell between multiple disjointed teams.

[nradov]

What I'm proposing is that cities should outsource their entire IT infrastructure to a single vendor who runs the whole environment, including security. City employees shouldn't have any authority in these issues beyond vendor selection. I understand that might be politically difficult but what is the alternative? It isn't reasonable to expect city employees to have the skills and resources to defend against advanced persistent threats.

There is still room for city employees and other vendors to exert some control over higher level IT services and applications. But the core infrastructure needs to be under the control of a single competent vendor.