Even a robust IT or security department will find certain tasks or projects beyond their capabilities and will need to engage outsourced IT services to fill the gap. In smaller companies, the issues become even more profound. But ignoring issues that you lack the time or expertise for can risk operational failure or security incidents.
Most organizations seek to eliminate these risks by outsourcing specific projects or even their full IT and cybersecurity needs to a service provider. However, buyers in most organizations don’t have the expertise to find and evaluate potential vendors.
Fortunately, an organization can find potential vendors and evaluate them through a handful of simple steps:
- What IT Services Can Be Outsourced
- IT Outsource Pricing
- 4 Ways to Find a Cybersecurity or IT Vendor
- 6 Ways to Evaluate and Choose a Security or IT Vendor
- Bottom Line: Careful Contracting Ensures Outsourcing Success
What IT Services Can Be Outsourced
The short answer is IT outsourcing can be as expansive as all IT, telecommunications, and cybersecurity needs and as little as a single project. Organizations can select from a full range of potential managed IT services, but if an organization is not outsourcing their full IT needs, the most commonly outsourced specialties include patch management, backup and disaster recovery, network management, and cybersecurity.
There is no universal “best option” to outsource because every company, non-profit, school district, hospital, and government agency has different needs. Yet for most organizations, IT and cybersecurity do not provide any distinct business advantage.
As with a fire suppression system, most CEOs simply want IT and security to work when needed and otherwise be unnoticeable. Most organizations will proceed through a rather predictable cycle of outsourcing as their needs and objectives change over time.
IT Outsource Pricing
Prices for IT outsourcing depend completely on the type of services needed and the scale of the company. For a broad article such as this, it can be nearly impossible to reasonably discuss options that range from a few hundred dollars a month to a few million.
However, some mile-markers illustrate possible pricing, as long as buyers read between the lines and understand that published prices often represent rather narrow conditions. While pricing will always be a consideration when choosing between competing bids, published pricing will tend to be less useful in evaluating capabilities or finding potential vendors.
Narrow Case Published Prices
Ntiva provides an excellent example because it publicly publishes two standardized pricing packages estimated to be $95 per month or $110 per month. While very useful for their prospective customers to estimate some costs, these prices do not apply to companies of all sizes and needs.
These estimates first assume an organization of roughly 100 employees and then only for full outsourcing of basic and specific IT and cybersecurity needs. These services are naturally constrained so that the MSP can ensure that their example pricing fits into their business model with potential exceptions covered under sweeping “optional” IT and cybersecurity services.
How to Use Published Benchmarks
Published benchmarks only apply directly to those organizations that only need the specifically defined services and are near the assumed employee size. Yet, they also provide a possible benchmark from which relevant pricing might be extrapolated.
For example, the logical assumption is that smaller organizations will be charged more per user because they will not split fixed costs over a larger employee base. Yet they can also expect to find less expensive solutions if they only opt for a simplified break-fix contract or a reduced set of services.
Similarly, larger organizations might be charged less on a per employee basis because of bulk discounts, although they also might need to locate more advanced services that match their more complicated needs such as application security, security for remote users, and network access control (NAC). Of course, to investigate the validity of such estimates, a buyer must obtain bids from the vendor.
Outsourced Pricing Variance
Each managed IT service provider (MSP), managed IT security service provider (MSSP), value added reseller (VAR), managed detection and response (MDR) vendor, and security operations center (SOC) will offer specific prices for specific services related to their specialties. Commonly offered services, such as patch management, will be inexpensive and specialty services, such as incident response, will be more expensive due to the requirement for advanced expertise.
Buyers should expect prices to vary somewhat based on geography since costs in Iowa or Bangalore are much lower than costs in Los Angeles or Tokyo. Remote services should also be expected to be offered at a discount compared to onsite services.
Outsourced Pricing Value
The best way to determine the value of an IT outsourcing bid will be to compare bids against known or estimated IT costs for performing the same services in-house.
If the bid is dramatically lower, the bid might be too good to be true and a buyer must check for huge differences between contracted prices and prices for non-contracted services or additional services. Big discrepancies can suggest a business strategy for the service provider to create off-contract needs as often as possible to charge higher prices. If the bid is dramatically higher than anticipated, the variance suggests either unnecessary services or a bad internal estimate.
4 Ways to Find a Cybersecurity or IT Vendor
Understanding the type of IT vendor and possible price range helps to define the scope of an outsourcing need, but does not help to locate suitable vendors. Buyers need to perform a variety of searches such as web searches, obtaining referrals, pursuing opportunities through partners, or attending conventions.
- Web searches: Most convenient option
- Referrals: Most in-depth option
- Partners of partners: Best for product-focused vendors
- Conventions: Best for casual evaluation
Web Searches: Most Convenient Option
Today, the most common and convenient method to find anything will be to start with a web-based search. However, a search for IT outsourcing, MSP, VAR, or a similar sub-category will produce many more results about the topic than potential candidates.
Even among the search results that reflect potential IT outsourcing vendor candidates, the most prominent results will be for the largest, most established vendors. This will work fine for the largest companies and government agencies, but smaller companies, non-profits, and government agencies may have difficulty finding appropriate vendors.
Smaller organizations tend to prefer to work with smaller vendors so that more attention can be given to their needs. Search engine results can produce these options by adding “near me” to the search phrase or adding local cities and regions for filtering.
Organizations can also consider using freelance sites such as Upwork or Fiverr to locate potential outsourcing partners. Most options on these sites will be individual consultants, but some will also be larger companies.
Referrals: Most In-Depth Option
Of course, obtaining a list of potential candidates provides no information about the quality of the vendor. Vendors can provide references, but those references will likely only come from their most satisfied customers. When interviewing provided references, be sure to ask about times when the vendor made a mistake and how the vendor went about fixing the problem.
Many organizations will also tap their network of local businesses and even competitors to compare notes and obtain references. These unfiltered recommendations (good or bad) can be very valuable.
Partners of Partners: Best for Product-focused Vendors
A buyer can also reach out through established vendor relationships for IT tools or check IT tool websites to obtain information on potential outsourcing partners. As with search engine results, these referrals will skew towards the largest partners, but these lists will be smaller and a buyer will be able to investigate the options efficiently.
For example, an SMB can reach out to the distribution partner that sold them their Cisco networking equipment or check the Cisco website for a referral to a VAR or an MSP that might manage the integration and setup of a NAC device purchased from the distributor.
Conventions: Best for Casual Evaluation
Trade shows and IT conventions can be another place to locate potential candidates for IT outsourcing, either through speakers, exhibit halls, or in-person networking. Speakers may not have time to discuss specific opportunities, but a buyer can glean something of the competence and nature of the speaker through their presentation and interaction with other attendees.
The vendors that rent space in exhibit halls tend to be larger organizations with more resources — or at least the biggest vendors tend to get the biggest, most prominent booths. Buyers can certainly explore their options in more detail with the sales reps at these booths, but may need to follow up with technical experts later to fully understand the vendors’ competencies.
The advantage of industry-focused trade shows (legal, construction, etc.) will be that a buyer will be able to find outsource vendors with industry-specific knowledge and experience. IT technology (Cisco Live, Palo Alto Ignite, etc.) or cybersecurity-focused trade shows (RSA Conference, Black Hat, etc.) will provide opportunities to talk with the largest IT vendors. Also look for local IT trade shows that will often provide opportunities to network with smaller IT service providers.
At any size event, a buyer may run into a representative of a potential IT outsourcing vendor in the hall, in the audience, or at a networking event such as lunch or a reception. These networking opportunities provide a buyer with a feel for a specific contact, but additional meetings will be needed to evaluate the vendor.
6 Ways to Evaluate and Choose a Security or IT Outsourcing Partner
After finding potential candidates, the buyer must then evaluate their capabilities to determine if the vendor will be a suitable match. While the price in the bid will carry weight, it cannot be the only factor in an evaluation. A better evaluation will require checking for a good fit against the needs of the organization by assessing:
- Communication and Contract Specifics
- Compliance Certificates and Capabilities
- Employee Background Checks
- Internal Security
A vendor will not necessarily be able to, or even need to, check all boxes. As long as the outsource partner can satisfy all critical requirements for an organization as well as satisfy more needs than other competitors, it will be a reasonable option.
Ultimately, the value of any vendor will be their capabilities in the context of the prices that the vendor will charge. The prices are known and will be explicitly detailed in the potential contract. It is the credibility of the capabilities that will need to be explored first and foremost.
One straightforward method will be to follow up with references regarding the reliability and capabilities of the vendor. Similarly, the vendor could be engaged piecemeal to perform various one-off tasks, such as an asset discovery scan, a vulnerability scan, or a penetration test.
An indirect method uses sample reports that the vendor provides to clients such as monthly patching and updating reports, incident reports, or network traffic reports. Are these reports clear and useful? If not, it will be difficult for the organization to tell if the vendor is doing their job. If the vendor is not willing to improve upon confusing reports, it may be time to drop them from consideration.
It may be okay for the vendor to lack the identical experience and capabilities that match the organization’s needs. In many cases technology expertise and a willingness to perform the work will be sufficient to deliver a good outcome. When in doubt, the organization can obtain a short-term contract with escape clauses to minimize commitments to poor choices.
Communication and Contract Specifics
The success of any working relationship relies heavily on effective communication. However, it can be difficult to tell how successfully an organization will be able to communicate with their vendor prior to signing the contract.
Yet IT and security vendors will provide their services according to the specifics of the contract. An organization needs to work with the vendor to ensure all expectations are covered by the contract, and the first sign of communication capabilities will be in how successfully the vendor captures requests in the contract proposals. A vendor that either willfully ignores or is incapable of understanding requests prior to winning business will have even less incentive to improve after winning the business.
Compliance Certificates and Capabilities
Organizations bound by compliance regulations will need vendors capable of understanding and complying with the requirements. In some cases, the vendors will offer certificates, such as System and Organization Controls Type 2 (SOC 2), that can be used to satisfy some compliance criteria.
More often, the compliance requirements may not apply to the vendor. For example, the Health Insurance Portability and Accountability Act (HIPAA) only applies to organizations that transmit, store, or receive health data. A managed IT services provider (MSP) that helps manage a hospital’s IT infrastructure will not touch the data and will not be subject to HIPAA.
Still, a vendor with compliance experience will be able to provide the client with documentation that supports compliance requests. The vendor should also be able to explain what reports they can generate for the organization’s own compliance efforts.
Employee Background Checks
Many compliance and maturity models require background checks for an organization’s employees. These requirements also extend to vendors and their employees. An organization can request that their vendor perform background checks for criminal convictions and provide assurance that all vendor employees who could potentially perform services for the organization have passed them.
Internal Security
Organizations depend upon their cybersecurity and IT vendors for competency in execution within the organization’s infrastructure. However, when the IT vendor performs remote management, the vendor’s own security plays a key role in protecting the organization’s security as well.
Buyers must ask the vendor to attest to strong security and then also provide reports to back up those claims. Where those reports might expose the vendor unnecessarily (such as vulnerability scans that display server and router IP addresses), the buyer can be content with viewing but not retaining the reports. Just keep in mind that reports can also be faked, so consider a clause in the contract to punish vendors for fraudulent assurances.
In addition to services, IT and security outsourcing providers can also sell tools and software to the organization. Often the outsourcing vendor will receive margin or a commission from such sales, but are they transparent about the extent of their compensation?
Many service providers avoid disclosing margin because their customers will squeeze them for additional discounts. However, at the very least, a provider should be transparent and acknowledge compensation.
Lack of transparency can lead to conflicts of interest when it comes to recommendations for tools and solutions. Organizations need to proactively ask and investigate their options to understand the level of transparency or potential conflicts within their vendors.
Bottom Line: Careful Contracting Ensures Outsourcing Success
For any specific IT outsourcing need, there will be dozens, if not thousands, of potential solutions and vendors ready and willing to implement them. Every search should begin with a careful analysis of the needs of the organization, followed by a search for potential vendors that match those criteria. A careful search and evaluation can lead to a successful relationship with an IT outsourcing partner that will enable both parties to thrive and grow.