Three IT MSP Weaknesses Impacting Infosec Program Success


Three IT MSP weaknesses are impacting the success of your infosec (information security) program.

We frequently see evergreen problems arise when in-house IT departments partner with outsourced IT providers.

The fixes are easy. However, politics, human resources, and compliance liabilities are a different story. Why?

It’s Complicated

When the IT MSP and a middle market IT department try to co-manage infrastructure and cybersecurity, two separate but interdependent categories, there’s usually:

  • Service overlap of labor and expensive management software
  • Higher administrative overhead
  • Turf battles between subject matter experts
  • Critical oversights

This hypothetical quote from a system engineer is practically universal: “I didn’t patch the NSFW server last night because Brandon at MegaDyn IT sent me a text at 10 PM saying he was on it.”

Do any of the following weaknesses strike a chord with you?


#1 – IT MSP Weakness – Reactive Account Management

Limited, piecemeal, or inconsistent account management creates delays, information gaps, and a loss of trust. The most advanced MSPs have structured offerings with a dedicated Account Manager who coordinates all service details with a dedicated vCIO, project managers, and a service team of engineers who staff the help desk.

This masterful multitasker is a highly responsive quarterback who takes the lead in setting up meetings, generating reports, providing contract/billing details, and keeping projects on track.

Juggling Multiple Roles Creates Infosec Risk

The least advanced MSPs have salespeople or owners serving dual roles as new business generators and account managers. Juggling multiple roles is challenging and risky for the client.

When an account manager is chasing a few big deals and trying to convince you to purchase a new MDR solution, and you don’t respond, the following outcomes are likely:

  • They get distracted because they’re anxious to close new business.
  • They get discouraged and self-conscious about nagging you.
  • They stop nudging you to make an important decision, leaving your network open to zero-day threats and vulnerabilities.



#2 – IT MSP Weakness – Spotty Technical Support Coverage

When businesses suffer from the repercussions of spotty technical support coverage, it’s not always the fault of the MSP.

To save money, IT Directors and other technology decision-makers may choose a basic service plan with support available Monday to Friday, 9 AM to 5 PM.

Most MSPs offer 24/7/365 support, but this extra coverage requires a larger budgetary outlay.

Geography also presents infosec problems. If a business on the East Coast is working with an MSP on the West Coast, the three-hour time difference is disastrous if they’re ever in the eye of a ransomware attack on Tuesday at 7:45 AM.

IT Management Tool Chaos

Spotty technical coverage happens by default when an in-house IT department and its MSP use different Professional Services Automation (PSA) and Remote Monitoring and Management (RMM) tools.

The MSP may be covering 20% of the client’s devices using IT management tools that don’t “talk” to the client’s IT management tools.

This situation makes it difficult to quickly identify and rectify issues through a single pane of glass, especially when the client IT department is responsible for the other 80%. With disjointed system visibility, it’s hard to tell who’s in charge of the IT environment.

The Impossible Learning Curve

Even worse, most IT departments are infamous for buying expensive PSA and RMM tools that no one ever learns to master at peak efficiency.

Professional PSA and RMM administration expertise is a dynamic journey, requiring ongoing (and costly) certifications, complex API integrations, custom development, consulting engagements, and software maintenance agreements.


#3 – IT MSP Weakness – Limited Strategic Guidance

Limited strategic guidance is the root cause of countless infosec fails. When you work with an MSP who doesn’t lead with strategy, the stage is set for discord, waste, and regret.

In all fairness, over the last 25 years, we’ve consulted with several hundred IT departments that didn’t want strategic advisory services from an MSP. Many had CIOs and CTOs and felt this skill was adequately covered.

Instead, they wanted break-fix, reactive assistance from vendors that were comfortable taking orders and managing automated system maintenance responsibilities.

Since strategy is our forte, 95% of these companies never became clients.

The Status Quo Must Go

Organizations that don’t change face numerous consequences:

  • Their IT systems don’t evolve to facilitate growth.
  • It’s impossible to accurately forecast staffing needs.
  • The line between infrastructure and cybersecurity is blurred, leaving them unprepared for audits that are certain to uncover security deficits and create PR nightmares, especially if they’re a public company.
  • They fail to create realistic budgets for infrastructure and cybersecurity – two related but unique line items.
  • Since their PSAs are frequently only partially installed, they can’t maintain tight inventory controls and likely have unknown endpoints, device sprawl, and risk.

A Virtual Chief Information Security Officer, or vCISO, will help to clean up this mess and deliver dynamic security at scale.


Taking the Next Step to Stronger Infosec

We love it when IT department prospects have the candor to say, “We don’t know what we don’t know.”

This state of mind signals a willingness to investigate a different approach.

Every MSP offers commodity utility services like RMM, backup and disaster recovery, system maintenance, and patching. These infrastructure offerings are basic table stakes.

However, the strategy piece is a game-changer. I mention “IT MSP weakness” in the title of this article for specific reasons. An operationally mature MSP will not agree to support a client with distressed IT systems unless the client commits to a course correction, including the implementation of Responsible IT Architecture.

If the client declines to pivot, upgrade, and innovate, and the MSP proceeds, their weakness in judgment presents three problems:

  • The client will never be happy
  • Their cybersecurity resilience will suffer, leading to lost revenue, bad publicity, fines, and cyber insurance policy renewal rejections
  • The MSP will lose money trying to support an IT department in disarray

Please schedule a discovery session to learn more about strengthening your infosec with vCISO and more.


Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
