The common phrase “You get what you pay for” can easily be applied to just about any product or service you purchase. Managed I.T. and cybersecurity services are no exception. When managed service providers (“MSPs”) intentionally provide ambiguous quotes, though, it’s really hard for decision-makers to effectively compare and evaluate their options. Armed with some knowledge of where many service providers cut corners, however, you can ask more probing questions and determine if the lower-cost options are worth the risk.
Labor Time Limits
Service providers that started their business as a traditional break-fix company and later converted to an MSP practice often struggle with the concept of “unlimited” labor hours. As a result, many of them will limit the number of hours that are included in the monthly fee, and then charge extra for hours used above and beyond that. To be clear, this service model is not managed services. Instead, this is referred to as “block time” or a “retainer” model. Any limits to labor hours mean that your relationship with the service provider will be limited to a break-fix approach. In another recent blog post, we explain why this type of service model doesn’t work and how it is ultimately more expensive for the business.
Little or No Proactivity
Business owners are often sold on the concept of an MSP being “proactive.” MSPs of all shapes and sizes make this promise during their sales pitch, but very few deliver on that promise. Why? Because delivering services proactively is more about the culture of the MSP’s business than the tools it uses. The entire company, from sales to support and even to billing, must be focused on proactivity first and foremost. When businesses switch from their current MSP to a mature MSP with a strong culture of proactivity, the business’s leaders always comment on how different (and better) the experience is.
To call out a service provider on their bluff when they claim to be proactive, you can ask some of these questions:
- How often will you be evaluating our technology against industry best practices? Please provide us with your best practices assessment template.
- How far in advance of a hardware or software end-of-life will you be providing us a plan for upgrades?
- How often do you have a human audit our configurations and policies to make sure they are set up correctly?
The MSP should be able to respond quickly and confidently to all these questions. If they stumble or are slow to respond, it likely means the proactive side of their practice is not yet developed or matured.
The days of installing anti-virus and calling it a day are long gone. Adequately protecting businesses from today’s cyber-attacks requires a dozen or more different defenses. Not only that, but the defenses must be customized to protect the business wherever it operates. A business that runs most of its technology systems in the cloud, for example, requires a different defense strategy than a business that maintains everything in-house. Many MSPs simply don’t have the expertise or capacity to run a mature cybersecurity practice. And don’t be fooled by fancy-sounding certifications. If the MSP’s business owner touts their cybersecurity certification, but the people actually delivering the cybersecurity services aren’t certified to an equal or higher level, the certification offers very little value in demonstrating the MSP’s cybersecurity maturity.
To identify MSPs that have weak cybersecurity practices, you can ask some of these questions:
- What cybersecurity framework do you follow in the operations of your cybersecurity practice? (They should respond with something like NIST CSF, NIST 800-171, CMMC, ISO 27000, HITRUST, etc.)
- How many people on your staff comprise your cybersecurity incident response team? Please provide us with your incident response plan that details their names, roles, and responsibilities.
- We need to ensure that all attack vectors are adequately protected, including our endpoints, firewall, internet, email, cloud systems, etc. Is this included in your proposal? (If they say “no, but we can add that in,” this is a clear sign their cybersecurity practices are not mature)
If the MSP gives you that “deer in the headlights” look with any of these questions, it likely means their cybersecurity practice is not yet developed or matured.
Inconsistent Service Experience
Have you ever worked with a service provider, and had a very positive initial experience, but then the experience took a turn for the worse and never got better? This is all too common with MSPs, and it all boils down to change management and process. The world of technology changes at such a rapid pace, and technology service providers must have a well-defined and refined process for managing that change. Once again, this is more of a business culture challenge than it is a specific set of tools to be implemented. The MSP must also have mature operations that focus on standard operating procedures and other efforts that deliver a consistent customer experience.
To anticipate an MSP that might fall short of your expectations for a consistent experience, you can ask some of these questions:
- How many standard operating procedures have you published in-house for use by your team? (Mature MSPs will have several hundred or more)
- How often is your team trained on your standard operating procedures? (Mature MSPs will train monthly at the very least, but typically weekly)
- What is your SLA monitoring and escalation procedure that ensures our requests are addressed in a timely and consistent manner? Please provide us with your documented response strategy.
Once again, the MSP should be able to respond quickly and confidently to all these questions. If they stumble or are slow to respond, it likely means their operational practices are not yet developed or matured.
Another common problem that seems to plague MSPs is the high turnover of their staff. This results in your business always having to work with someone new who seems to be learning the ins and outs of your technology systems from scratch. You may be surprised (or not surprised) to learn that the majority of MSPs are run by technicians and not businesspeople or trained leaders. This means that their focus is often on the technology rather than the employee experience. Of course, some amount of turnover is unavoidable, and preparing for that change is equally important.
Mature MSPs understand that, in the service business, the people who deliver the services are just as important to the customer experience as the services themselves. Therefore, they will invest heavily in the attraction and retention of high-quality employees through various strategies.
To identify an MSP that might struggle with turnover in the future, you can ask some of these questions:
- During the initial onboarding of our business onto your services, how long does it take for you to formally document our business technologies? (Thoroughly documenting a business can take several days to even a couple of weeks)
- How many people are responsible for managing us as a customer? How many other people are cross-trained on our account in the event one of our primary representatives is sick or on vacation?
- How often do you conduct formal employee performance appraisals? How do you track and measure employee performance? How often do you round on employees to measure workplace satisfaction and feedback?
When speaking with a mature MSP, it will be immediately evident how much better prepared they are for managing and retaining their people after you ask these questions. While many decision-makers focus specifically on the services the MSP provides, it is highly beneficial to your long-term experience with the MSP if you also give attention to the MSP’s strategy for its people, as they are ultimately the ones responsible for your service experience.
The age-old adage “You get what you pay for” still rings true today. To effectively evaluate a service provider, you must focus on the operational maturity of the MSP rather than just the total monthly fee. The way in which the MSP conducts its business, from billing to cybersecurity and even to its human resources and management strategy, has a substantial impact on your experience as a customer as well as your total investment over time. Many of these seemingly intangible qualities of a mature MSP result in fewer business interruptions, better planning for change, a stronger cybersecurity posture, and ultimately a lower total cost of I.T.
Don’t assume that two providers that charge similar fees are equivalent either. Many less mature MSPs are beginning to raise their pricing to align with their more mature competitors but fail to deliver the equivalent experience. By asking probing questions, and by giving attention to the non-technical distinguishing factors of an MSP, you will be able to identify and partner with a service provider that will deliver a long-term, mutually beneficial relationship.