Managed service providers, also known as MSPs, offer organizations of all sizes a way to gain fractional expertise and capabilities unrelated to their core activities without the need for a huge upfront investment.
Information technology (IT) MSPs typically provide the easiest path to better cybersecurity because they focus completely on the effective implementation of basic IT infrastructure.
Every organization should understand and consider the flexibility offered by outsourcing to one or more MSPs as part of their IT operations and security strategy. This article will explore what MSPs are through the following topics:
- How Do MSPs Work?
- What Are MSPs Used for in Security?
- What Are the Types of MSPs?
- 7 Key Benefits of Using an MSP
- 7 Challenges When Working with MSPs
- Bottom Line: Use MSPs for Comprehensive IT Security
How Do MSPs Work?
Organizations easily enter into ad hoc relationships with contractors or with a service provider for common services that have established, public pricing. However, long-term, complex, or customized services will require a more disciplined engagement process and a deep understanding of needs and industry options — in fact, we have an entire article on Best Cybersecurity and IT Outsourcing Options.
In short, organizations scope their needs and then research appropriate MSPs for their outsourcing requirements. Various MSPs will offer a menu of options for services and their pricing models, and an organization will need to determine which ones work the best for their needs.
MSPs will provide their services according to the specifics of the contract, so an organization needs to work with the master service agreement (MSA) to ensure all expectations are covered by the contract. Once the MSA is signed, the MSP will generally be able to start work immediately, with the exception of some possible software installations.
To enable remote work, expect IT vendors to install remote monitoring and management (RMM) tools on most devices under the contract. Where required, the MSP will also install software related to the service to be performed (antivirus, network monitoring software, etc.).
What Are MSPs Used for in Security?
Security itself can also be offered as a managed service through managed IT security service providers (MSSPs), managed detection and response (MDR) consultants, or security operations centers (SOCs). However, those businesses tend to be their own categories and beyond the scope of this article.
In the most fundamental way, though, cybersecurity requires a solid foundation of IT to be in place to be effective. For example, the most advanced extended detection and response (XDR) tool could be combined with the most capable secure access service edge (SASE) security tool, but they can do little to protect a network of Windows 98 machines with obsolete VPNs, four-character passwords, and firewalls configured to allow all traffic without any blocking or monitoring.
Organizations use the benefits MSPs offer to maintain a secure and solid foundation of IT infrastructure. This solid foundation enables reliable operations capabilities and supports cybersecurity goals and objectives.
What Are the Types of MSPs?
Corporations, nonprofit organizations, utilities, and all manner of government agencies use managed service providers. The term “managed service” applies to any function that is outsourced to a nonemployee, so MSPs encompass a huge variety of providers that differentiate by:
- Size: Anywhere from an individual consultant to as large as 700,000-employee Accenture
- Regional reach: From the global reach of large international consulting and outsourcing firms to local firms with local specialities
- Specific industries: Healthcare, legal, construction, etc.
While MSPs also provide a wide range of business services, here we’ll focus on managed IT and cybersecurity service providers.
Types of IT MSPs
Of course, even within these categories lie many different specialties. For IT services and infrastructure, some larger MSPs will provide generalist services and attempt to solve all problems. Others will seek to specialize and provide services such as:
- Application monitoring
- Compliance consulting and services (PCI-DSS, HIPAA, etc.)
- Backup and disaster recovery services
- Cloud services
- Data analytics
- Data center hosting
- Email services
- Endpoint and server management
- Hardware repair
- Help desk
- Infrastructure-as-a-Service (IaaS)
- IT architecture design
- IT policy and program development
- IT system auditing and gap assessments
- IT system implementations and integrations
- Managed detection and response (MDR)
- Managed IT security service (MSSP)
- Managed internet of things (IoT)
- Network management
- Network security monitoring
- Operations and network performance monitoring
- Platform-as-a-Service (PaaS)
- Print and printer services
- Project management and development
- Process improvement for operations and IT systems
- Security operations center (SOC)
- Software design and development
- Solution scoping and evaluation
- Software-as-a-Service (SaaS)
- Strategic planning and guidance
- Storage-as-a-Service (STaaS)
- Telecommunications and video conferencing
- Updates and patching management
- Vulnerability Management-as-a-Service (VMaaS)
- Website hosting
Most of these will be familiar or at least intuitive to your company. Some might balk at the inclusion of SaaS, but consider that SaaS tools provide specialty management services that bypass the otherwise typical needs for software installation, updates, software server maintenance, hosting, and other affiliated requirements.
Most MSPs generate their revenue primarily through recurring activities billed on retainer for services delivered on a regular basis. This recurring revenue is supplemented by additional consulting fees, special project income, or margin from hardware, software, or third-party services sales to the customer.
Some MSPs are transparent regarding earned commissions or margins, but others may not be as transparent. Lack of transparency can lead to conflicts of interest when it comes to recommendations for tools and solutions. Organizations need to proactively ask and investigate their options to understand the level of transparency within their MSP vendors.
For the rest of this article, we will focus on general IT MSPs at a high level. Specific subcategories of MSPs will be discussed only if a specific concept applies to certain types of MSPs.
Who Uses MSPs
The large variety of MSPs reflects the equally varied needs of the organizations that use them. Organizations typically pursue either full outsourcing or focused outsourcing, yet even within these categories, motivations vary.
- Full outsourcing of all IT services to one or more MSPs can be helpful because:
  - Small (SMB) organizations do not have enough resources or IT requirements to hire full-time employees
  - Lean and focused organizations do not feel that IT plays a role in delivering their core mission and will outsource all IT services to maintain focus on core competencies
  - Sibling relationships exist within large corporations or government agencies where the parent organization may maintain an entire subsidiary dedicated to IT services; the related companies or agencies have an obligation to contract with the related MSP
- Focused outsourcing maintains at least some IT resources within the organization except for:
  - Specific projects that require additional MSP capabilities beyond either everyday capabilities or everyday resources (or both)
  - Specific needs that may merit engaging specialized MSPs (networking, email, cloud management, incident response, etc.)
Many organizations will use more than one MSP, and some compliance regulations even require multiple vendors. For example, the credit card industry’s PCI DSS requirements force organizations to use vendors unaffiliated with implementing IT infrastructure to conduct penetration testing.
We’ll go into further detail on the benefits and challenges of using MSPs next.
7 Key Benefits of Using an MSP
When any organization decides to use a managed service provider, they do so because they seek one or more key benefits. Even if only a few of these advantages lead to the decision to outsource, an organization will often enjoy nearly all of the following benefits over the lifetime of the IT outsourcing agreement.
1. Accounting and Cost Advantages
First and foremost, organizations often seek financial savings from working with MSPs. MSPs can eliminate slack time by deploying workers on a fractional basis to multiple clients. This efficiency typically enables MSPs to offer services for less than it would cost a typical organization to deploy in-house capabilities.
Additionally, by working with a service provider, an organization can eliminate the upfront costs associated with hiring IT staff and the purchase of some IT software or hardware. Financial officers enjoy expense recognition and cash flow advantages by switching from fixed capital costs to ongoing expenses.
Larger MSPs can further reduce costs through the deployment of IT workers in lower cost regions to provide remote services such as help desk support or remote maintenance. Lastly, tool vendors often provide MSPs with bulk or partner discounts, which those MSPs can sometimes pass along to their customers.
2. Time Advantage
Time provides the next advantage typically desired by MSP customers. A signed contract with an MSP bypasses the time required for hiring and training staff, as well as any sales or evaluation time normally required for the IT and cybersecurity tools the MSP can deliver.
In addition to time savings, the MSP delivers time consistency. Many MSPs can offer 24/7/365 monitoring or help desk support beyond the capabilities of their customers. MSPs can leverage international talent to take advantage of lower costs and friendly time-zone differences. Additionally, the MSP's workforce costs can be spread across multiple clients because most IT issues occur sporadically.
3. Hiring Advantage
Part of the cost and time advantages also relate to an organization’s requirement to invest money and time to hire staff. However, human resource troubles go even deeper and include issues with recruitment, retention, and scale.
IT labor shortages continue to drive up the costs and difficulties of staffing IT teams in general, with many companies finding it increasingly difficult to find the talent needed for their basic IT needs. Continuing heavy talent demands also make it harder to retain staff, especially talented staff that seeks continuous challenges not always found in a typical corporate IT environment.
Additionally, IT labor needs tend to be irregular with unpredictable surges in talent requirements caused by IT equipment failure, cyberattacks, sudden surges in customer demand, or even a widespread attack of the flu. Quality MSPs easily deliver the additional IT capability for surges and, more importantly, can easily accommodate decreases in demand without the risk of layoffs or losing experienced employees.
4. Instant Expertise
As noted above, most organizations struggle to find talent, let alone expertise. Yet, the moment a service contract is signed, the organization can immediately deploy the expertise of the MSP.
MSPs focus on their specialties and hire IT experts with deep experience and knowledge beyond the reach of most organizations. Even if an organization could find the budget and deploy the expertise necessary to evaluate prospective employees, the most experienced applicants typically prefer the constant challenges only available by working for an IT outsourcing vendor with many different customers.
Expertise also helps to deliver on the cost and time savings. When an internal team installs a new tool, it often leads to learn-by-error adventures in installation and configuration. Internal IT team members typically only perform an installation once and cannot benefit from any learned experience. Meanwhile, MSPs often install the same tool in dozens or even hundreds of customer locations, which provides them with a huge advantage for speed, reduced labor costs, and fewer mistakes for installation, configuration, and operations.
MSPs also provide the perspective of many different types of deployments that can help a customer to learn from the mistakes and successes of others. An MSP can suggest IT changes to improve productivity, resilience, or even security. MSP experience also helps to troubleshoot issues quickly and anticipate maintenance, capacity, and other IT problems before they arise.
5. Organizational Focus
Most organizations are not in the IT business. Instead, many IT initiatives merely support the most basic needs of the organization. Therefore, deep investments in IT capabilities don’t make strategic sense.
Meanwhile, even the smallest MSP spends all day, every day focused on the business of solving IT problems. Outsourcing day-to-day IT management and operations to an MSP allows a customer organization to focus on improving their own objectives while handing off IT needs of secondary importance to IT experts.
6. Competitive Competence
Internal IT teams are shielded from competitors because they only have to satisfy internal needs. Sadly, many internal IT teams often become complacent and lose their ability to keep up with ever-changing technologies.
MSPs must remain competitive to stay in business. While MSPs often deploy more expertise at a lower cost than equivalent internal teams, they also must compete against other MSPs and keep up with the changing needs of their entire talent base.
7. Legal Advantages
Although extremely rare, if an IT incident occurs, especially one involving incompetence, a company will have limited recourse to pursue damages against employees. Often the company may suffer legal liability and only be able to fire the staff responsible. MSPs provide an organization with a sizable target for frustrations and financial restitution either through lawsuits, cash settlements, refunds, or future discounts.
7 Challenges When Working with MSPs
Organizations often hesitate to outsource their IT needs because of their concerns. Before executing a contract, an organization needs to at least internally address the following seven concerns. For even more assurance, an organization can address these concerns explicitly in the contract with the MSP.
Uncertainty constantly gnaws at confidence levels and will lead to many other problems. Will the MSP deliver on its promises? How can nontechnical buyers determine the skill of technical vendors? Will the technical expert be the person assigned to the organization’s problems, or will a junior technician do the work?
Any known issues must be addressed during the contract negotiations phases and, where possible, written into the contract itself. Minimum service-level agreements (SLAs) can help to enforce a level of service that ensures an MSP will deliver on their contracts and use the appropriate experts. Although the nontechnical buyers will be unable to truly judge the technical capabilities of an MSP, referrals should be checked for due diligence and competence clauses can be included in the MSP contract.
2. Communication Issues
Communication is always difficult, and problems are usually rooted in assumptions that arise from vague written or spoken instructions. An organization must work with the MSP to clearly outline business needs and confirm the meaning of any potentially vague clauses in the contract.
For particularly critical needs, an organization cannot be afraid of appearances. It must take the time and risk the embarrassment of asking potentially obvious questions to make sure that each part of what the MSP is offering truly meets the organization’s needs.
3. Decreased Control
The very nature of outsourcing turns over control of critical IT resources to an outside party. Although many can make the case that few executives understand what is happening within the IT department anyway, executives begin to worry once they can’t just walk down the hall and ask someone for an explanation.
Even when an organization retains some IT functions, MSPs will not share all of the information available regarding the organization’s IT performance and security by default. This will be especially true if the MSP is using proprietary tools without sharing functions or if their tools cannot adequately segregate the information of different customers.
However, many IT tools produce information overload that few companies can use. Companies can overcome this by requesting specific reporting on their desired data in the contract. When the organization isn’t sure about the available data, the company can request a trial reporting period and then select the key reports needed for long-term monitoring.
Organizations also worry about increased response times and a lack of onsite presence when outsourcing. These concerns must be brought up during the contract negotiations so that the MSP can include options for highly responsive SLAs and on-site resolution.
However, improved response time and on-site work will come with higher price tags, and many organizations cannot afford the most responsive service. As an alternative way to address this issue, many organizations will retain a few expert IT staff members to provide expedited internal service.
As an unrelated organization, the MSP vendor’s business model and profit margins will be fully opaque to the customer. Organizations often worry whether the MSP will attempt to exploit their customer’s ignorance to upsell unnecessary technology or services. Similarly, will the MSP hide commissions, increase margins on third-party tools, or inflate the time and difficulty needed to resolve issues to bill more hours?
Organizations can try to address these issues during contract negotiations and perform due diligence in investigating tool pricing. Unfortunately, transparency will rarely be granted and the organization will simply need to decide if they can trust the vendor. An MSP knows that if they betray their customer’s trust, they risk having their reputation actively attacked by the burned customer.
5. Security Concerns
Security should be one of the top concerns, but it’s an afterthought for many organizations. The sad reality is that many organizations struggle to understand IT in general and assume that any professional MSP will automatically be secure.
Organizations should always outline and require minimum security standards in their contracts and perform due diligence through vendor security audits. Audits should include:
- Detailed summaries of how the customer’s data is protected and segregated from other customers
- How access to the customer’s systems is protected
- MSP penetration test results that show the date and count of discovered vulnerabilities (if any)
- MSP summary patching and vulnerability reports that show the date, the days between patch receipt and application, and the number of unpatched systems or exceptions
- MSP policies for password sophistication and two-factor authentication, which should at least match but preferably exceed the customer’s standards
- MSP network and system security monitoring policies and summary event reports
Will all MSPs provide this information? Certainly not.
However, these requests provide an opening position for negotiation, and the way the MSP responds to the request can be informative. An MSP that refuses to provide even an “eyes-only” inspection to a customer’s representative bound by a nondisclosure agreement might be hiding significant problems. Just keep in mind that reports can also be faked, so consider a clause in the contract to punish vendors for fraudulent assurances.
An organization that outsources all IT functions to a single MSP vendor risks becoming overdependent upon that vendor and risks vendor complacency. Additionally, without in-house talent, the organization may fail to recognize opportunities to use IT to improve operations or develop unique capabilities that might provide a competitive advantage.
This challenge can be offset through strategic consulting or discussions with MSPs, but organizations must proactively pursue such investments in time or money. Organizations can also avoid vendor complacency by requiring strict adherence to the SLA and opening up MSP services for bidding periodically (for example, every 3–5 years).
7. Increased Expenses
By choosing to outsource to an MSP, an organization gains the benefit of reduced upfront costs and gains the challenge of ongoing expenses. Whether or not these ongoing expenses seem high will often depend upon the perspective of the executives and their understanding of how much it would cost the organization to adopt the same capabilities in-house.
One method organizations use to check if costs are reasonable is to open MSP outsourcing to bidding every few years. Another is to hire an IT consultant capable of reviewing the IT pricing and determining if the MSP's offerings fit the current needs of the organization. In both cases, the process can provide valuable perspective into the going rate for outsourcing and keep the incumbent vendor price competitive.
Bottom Line: Use MSPs for Comprehensive IT Security
Just as most organizations cannot design a better operating system than Microsoft, most organizations cannot exceed the IT capabilities of MSP vendors. Outsourcing non-core IT functions to an MSP will typically enable better operations performance, resilience, and security.
MSPs can often deliver these improved capabilities faster and at a lower cost than an in-house team can. Almost all organizations should pursue the benefits of outsourcing IT functions to an MSP.