Manage Your Managed Service Provider

How to make an MSP work for your business.

Michael A. Davis, CTO of CounterTack

November 10, 2011

6 Min Read

InformationWeek SMB - Nov., 2011

InformationWeek SMB - Nov., 2011

InformationWeek Green

InformationWeek Green

Download the entire November issue of InformationWeek SMB, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

Michael A. Davis

Michael A. Davis

Small and midsize businesses looking to grow should focus on their strengths and delegate other tasks to those that can handle them better. IT is no different, which is why managed service providers have grown to be an almost $55 billion business in the last four years, according to research firm Visiongain. Whether you're outsourcing all IT or just the management of a mainframe application, picking the wrong provider can cost more than just money; it can slow growth. Picking the right MSP is critical.

Cost savings is a key reason SMBs outsource IT. Companies spend 80% of their IT budgets keeping the basic infrastructure running; that's dead money that doesn't contribute to growth. Most studies, including those from Dell and Gartner, estimate a 25% to 40% hard savings from outsourcing this work to an MSP, but they don't always take into account additional fees. It may cost $3,000 per month for an MSP to handle your servers and workstations, but if you want to install a new machine, that will be an extra $350. Want to install a wireless access point? That'll cost extra, too.

Most MSPs will audit your environment to learn the network and add you into their platforms. They're also looking for gaps and problems they can offer to fix. In my MSP business, the first year of a managed services agreement often has additional projects that amount to 150% of the agreement value. For some businesses, that amount can exceed the current IT budget!

When you meet with prospective providers, ask them for a breakout of project-based vs. agreement charges, and also ask for a list of additional project costs you can expect. The best MSPs will provide a list of fixed-fee additional services that lets you estimate the costs you'll incur over the next year or two.

MSPs love recurring monthly revenue, and you'll have to sign a one- or two-year contract to get their best pricing. Make sure you understand all the details. Will you need to give 30 or 60 days' notice to get out of it? What if the number of devices in your company goes up or down--how are costs recomputed? Get each clause explained or have an attorney review the contract.

Opt for a short-term contract when working with a new MSP. You can always extend it and get the discount pricing, but until you have vetted its technical team, don't commit.

What Are You Getting?

Just how deep is the technical team's skill set? Many MSPs give you access to low-level and highly skilled engineers as part of the fixed fee. This access may seem like a great resource, but make sure you analyze how deep the team's skills really are. Meet with some of the engineers and ask references how many times senior engineers get involved with problems. Many MSPs use their senior engineers for project work and rarely make them available for emergencies.

Check how the MSP runs its help desk and other 24/7 services. Does it use multiple shifts? Does it have an on-call system? Does it provide an escalation process?

The last point to assess is engineer turnover. Being a junior-level engineer on a help desk isn't glamorous, and many MSPs have a hard time holding on to them. Ask about the tenure of the junior engineers you'll be working with and make sure the MSP doesn't have high turnover.

One benefit of an MSP is the processes it uses to manage your environment. But engineers can cut corners and not follow processes in order to cut the cost of working on your account. To make sure that doesn't happen, find out how the vendor will prove to you that it's meeting performance goals. Will it give you access to the raw ticket data? Provide time sheets and other information on completion times and how long a ticket is open?

Get a monthly report on not just what the vendor did, but also on how well it met the service-level agreement. If the MSP can't easily provide this, walk away as it's most likely an hourly-fee company masquerading as an MSP.

Security is another area to look at carefully. Attackers are going after SMBs more than ever. When looking at MSPs, see if any of their engineers have security certifications. Also check whether they manage security devices such as firewall, content filtering, and spam filtering as part of their service, and whether they offer an outsourced compliance service that includes quarterly vulnerability scans and policy review.

Not all companies need to outsource security to an MSP. It depends on your size and regulatory requirements, but you must keep your data safe and secure if a disaster occurs. If you elect to off-load any data to the MSP as part of a backup and recovery solution, make sure it has the infrastructure to handle a disaster. Smaller MSPs will fudge their capabilities or simply resell another company's services. It's OK if they resell as long as your data is safe.

Bottom Line

Once you think that outsourcing IT to an MSP is going to free you to do more strategic work, ask the final question: Will it?

Some MSPs require that all communication to them go through a single point of contact at your company (which will probably be you), while others will let any employee call the help desk and get service. If you don't want to have to run interference between a secretary with an email issue and the MSP, make sure the outsourcer can work directly with employees.

Some MSPs have the account manager provide planning services as part of the fixed fee. Others have a virtual CIO--a senior engineer with some business sense--for each client. Make sure you meet with that person before you sign the MSP. Clients often assume that person will be a great strategic thinker who knows their business, only to find out the person knows nothing about business or business processes.

SMBs are seeing managed services as a low-risk, economical way to maintain a strong IT position without the expense of building and owning a complete IT infrastructure. But hitching your IT wagon to the wrong MSP can set your company back, and replacing a failed relationship can cost a lot of money and time.

A failed MSP partnership affects IT from the top down. IT managers have lost responsibility and even been fired for hiring the wrong company. Nothing is worse for a business than having employees unable to do their work because the IT company hasn't address their problem yet.

About the Author(s)

Michael A. Davis

CTO of CounterTack

Michael A. Davis has been privileged to help shape and educate the globalcommunity on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25"
list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.

Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.

Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights