These days, many organisations engage a “Managed Service Provider” (MSP) that promises to undertake various IT support and management tasks, usually billing monthly, in advance.
You, your MSP and any cloud providers involved have key common interests, but also conflicting goals as shown below.
Many organisations assume the MSP will take care of everything IT. Service agreements that are detailed and clearly spell out responsibilities are often lengthy and managing them is rarely at the top of the client’s priority list.
Where the MSP is proactive and attentive to client needs, over time a comfortable equilibrium is often reached. The client is happy, the MSP is happy and systems are working so nobody looks much further.
So, what are the 3 problems with the model?
Problem 1: MSP Management Systems
Firstly, MSP management systems do not belong to the client:
Data, backups or operational systems hosted by the MSP or a cloud provider are often not transferrable to a different provider;
Clients rarely know exactly what the MSPs management software does, where it is hosted, how it is protected or what its possible security issues may be;
It is often not in the MSP’s interest to highlight possible issues with its own systems; and
Client contingency planning does not usually plan for a failure of the MSP’s systems.
Problem 2: MSP Billing
When it comes to billing, MSP’s often fall into two distinct categories:
Those that are focussed on upselling or cross-selling:
How to generate extra project revenue,
How to sell additional products,
How to make more money, with little extra effort; and
EVERYTHING is a project that requires a full project management team at each meeting (for which the client is charged), a Project Director, a Project Manager and a team of implementers.
And those that don’t like to charge extra, that:
Avoid uncomfortable discussions about extra costs,
Leave the decision on whether to spend or not to the client, who may not really understand the implications; and
Utilise cheaper, lower cost solutions that may not fully address the need.
Problem 3: Lack of Governance
Perhaps the most insidious is lack of governance:
MSPs usually use some form of remote management software to provide insight, alerts, and support to the client. This software allows the MSP to deploy scripts or other automated processes or to provide end user support with system administrator privileges. This presents some problems - MSPs can destroy an entire IT environment with just a few mouse clicks; MSP staff can access data, often with no auditing of their actions,
Clients are not generally going to spontaneously develop or review technical policies and procedures,
MSP’s are not necessarily going to know about or understand changes to business priorities that might necessitate changes; and
Required changes can sometimes just be a bit too hard. The MSP can make the technical changes, but training and staff exceptions can make it a waste of time. A simple example is where clients decide on a standard operating environment and then “special” staff are hired that need exceptions – if too many exceptions are implemented, then sometimes it’s not worth having the policy to start with.
Now, am I saying that all Managed Service Providers are bad and the model is irretrievably broken? Certainly not.
However, it may pay to consider the following questions and ensure you are prepared BEFORE they become an issue.
Who is responsible for IT governance?
Responsibility for IT governance should be clearly defined. Generally, this person should be a senior company representative, not a representative of the MSP. It is important to define their titles, duty statement, and determine whether they are solely responsible for IT strategy and policy or are a part of a committee of other senior management representatives. This person should meet regularly with the MSP and key stakeholders to discuss current and future strategy requirements, equipment replacement and general system issues and improvements.
Define risks associated with the MSP
Define the risks to your organisation posed by the MSP. Some risks might include:
Are there any critical systems or data that are hosted or controlled by the MSP and, if so, what is the contingency for a failure of the MSP or their systems?
Does the organisation maintain copies of system documentation and processes such that, should the need arise to change MSPs, the organisation can continue to operate effectively?
Are there systems or software solutions provided by the MSP that would require replacement should a change of MSPs be necessitated, such as:
Business Information Systems that are developed, managed, hosted or otherwise controlled by the MSP - these are especially critical as often they cannot easily be replaced or transferred
Anti-Virus software
Backup and recovery solutions
Managed devices (routers, computers, servers, etc) provided under a lease or other arrangement
Log management systems (eg. SIEM – Security Information and Event Management)
Where such risks do exist, it is imperative that the organisation make an informed decision as to whether to implement solutions offered by the MSP or have a plan in place to replace these solutions, if required.
MSPs love to implement standardised solutions across multiple clients. This makes it easier to implement, easier to manage and requires less training of support personnel. In fact, many MSPs will refuse to implement custom solutions as they may not be financially viable, centrally manageable or scalable.
Perhaps the key differentiator between MSP’s is that some of them are highly cognisant of these issues and others are not.
We have been providing Managed Services for over 12 years, and proactive support and management for 10 years prior to that.
We think we are the good guys. But then our competitors say the same thing too!