While most businesses understand the importance of IT, many lack the full in-house capacity needed to properly manage all their systems — particularly the complex ones. This is making more sense today when cybersecurity should be a priority for every business. MSPs are playing a vital role here, helping organizations to effectively manage their IT infrastructure and end-user systems.
If you are a small and medium-sized business (SMB), nonprofit or even government agency, then you'll always find a compelling need to hire MSPs to perform a defined set of day-to-day management services. These services may include network and infrastructure management, cloud management, security and monitoring among others. It's impossible these days not to see the value that MSPs can bring in the modern business landscape, and that's why the MSP market is growing fast as demand rises.
But not every MSP you come across is going to be able to fulfill your specific needs with the quality and precision that you desire. This can only happen if you take the time to carefully select the right MSP.
Is the provider you are about to hire a real MSP or an ordinary IT company working as an MSP?
To ascertain this, there are key questions you ought to ask or take into account as you engage with the shortlisted MSPs.
Benefits of asking questions before hiring an MSP?
Of course every MSP will present their capabilities, portfolio and services. You can always find these details on their websites. This kind of publicly available information does actually help you to make a short list of the MSPs you would like to work with — first impressions matter. But while valuable, all those inviting and professional presentations are not enough to reveal all the items you need to take into account before choosing one from your shortlist. Here are the benefits you stand to gain by asking critical questions:
- Deeper understanding of the MSP's capabilities: Asking questions allows you to better understand the MSP's capabilities at a deeper level. This knowledge is important in order to make sure that they are indeed able to provide the best possible service.
- Gauging communication quality: Asking questions gives you a good chance to gauge how well the MSP communicates. This is important because you need to be able to rely on your MSP for clear and concise communication in order to avoid any potential misunderstandings.
- Needs assessment: Oftentimes, you may not be entirely sure what you need from an MSP until you start talking to them and asking the right questions.
- Spotting red flags: Questions can help to uncover any potential red flags early on. If an MSP seems evasive or unwilling to answer certain questions, it may be an indication that they are not as reputable as they claim to be. On the other hand, if an MSP is happy to answer all of your questions in detail and quickly enough, it shows that they are confident in their abilities and have nothing to hide.
- Culture alignment: Questions enable you to get a feel of whether there are areas of mutual alignment. You'll want to get a sense of their culture and whether it's fairly compatible with your organization's culture. It's important to work with an MSP that you get along well with. Else, it'll be very difficult to maintain a productive partnership. Of course there may never be 100% compatibility, but there should be elements that give you that comfortable feel of alignment.
- You get to understand your position: This might probably sound strange but it's the reality. You see, the MSP has many other customers of different ticket sizes. It's highly likely that the MSP attaches different value levels to each of these customers depending on the worth of business they carry out with them. And by the time the MSP is engaging you, they'll have already assessed the value you'll bring to them in the long term. So the questions give you an opportunity to start getting a feel of how exactly they view you, and where they place you in the hierarchy of the customer value. You want to go with an MSP that values your business from early on.
The most important questions to ask the potential MSP partner
Let's start off by pointing out that you can ask any and as many questions that you feel are important for your needs. Just ensure you're respectful, polite and professional throughout the engagement. Be receptive to the MSP's questions as well, if they would also want to find out a couple of things about your organization and plans.
Having said that, here are the most pertinent questions you need to ask any MSP before you make that final decision to hire them:
1. Do you have a contract?
This is the most critical of all questions. It is essential to sign a contract with a Managed Service Provider. If the MSP tells you they don't have a contract, then that is a red flag right there. You don't want to get into business based on handshake or oral agreements. The days of ‘gentleman' agreements are long gone, because IT is no longer a luxury — it's now a key driver of businesses. Any small mistake can take you out no matter how big your organization is. An MSP contract protects your organization and the MSP plus any other parties involved in the agreement and ensures that each party knows what is expected of them. It simply takes guesswork out of the window and puts down everything in perspective. Without a contract, there would be no legal recourse if one party failed to uphold their end of the agreement.
2. What are my responsibilities?
Though it may seem like MSPs have all the responsibility in the world when it comes to managing the agreed services, the fact of the matter is that you as the customer have responsibilities of your own. For example, you'll be responsible for the human errors resulting from your employee. So it's upon you to always carry out regular training to ensure that all employees understand the risks of their actions as they use the tools in their disposal.
3. Where do you store your data?
Don't forget that once you start to work together, the MSP will be handling some of your data including sensitive customer information. If they outsource the storage, dig in to establish the strength of the provider they are using. Is the vendor certified, is there any documentation you can have a look at. Also depending on the industry, there may be regulations in place related to data storage. For example, healthcare companies are subject to HIPAA compliance, which includes requirements for how data must be stored and protected. MSPs should have processes and infrastructure in place to meet such regulations. Additionally, it's important to consider where services will be performed. If an MSP is located in a different country, there could be issues with data sovereignty.
4. What will be the impact on my organization if you are attacked?
No business is 100% safe, and MSPs are no exception. They too can be hit by criminals. So this question is not meant to find out if their security posture is foolproof, but rather whether they have a clear plan around it. In the unfortunate event that your MSP is attacked, it could have a serious impact on your business. Your data could be compromised, and you could be left without vital services. Find out what steps they take to protect their systems and what their plan entails in case of an attack.
5. What recognized certifications do you hold?
MSP certifications demonstrate a high level of mastery in addition to the usual academic qualifications. You want to know how deep the MSP team's competencies run. This is directly proportional to the value they will bring to your organization. There are certifications for the MSP as an organization as well as for the individual staff who actually perform the routine service tasks.
6. What do you outsource and what do you do in-house?
Let's be honest. No MSP can possibly do everything by themselves. There are many moving parts and they might be outsourcing some items. They need to partner with other companies to provide some services and this is perfectly in order. But you need to know what they outsource and what they don't, in relation to the services they'll be providing to your organization.
Zero in on these items:
- What do they share with the third parties?
- What happens to classified data?
- Are you comfortable with their outsourcing arrangement?
Classified data is sensitive information that could harm your business if it gets into the wrong hands. If your data is too sensitive, you might need to discuss the restrictions with the MSP or even disallow its sharing altogether.
7. Will you be able to scale as my organization's needs grow?
If your plans for growth exceed the capabilities of the MSP, you'll just end up having to switch providers down the line anyway. It's better to choose an MSP that is scale-conscious and can automatically scale with your needs without getting overwhelmed.
8. What are your onboarding and offboarding processes?
You need to understand the MSP's on-boarding process inside out. Any upfront financial commitments involved? What do they need from you and how long is the process?
Offboarding is also important though many people rarely think about it. A business is dynamic. What's important today may become less important tomorrow and vice versa. When the needs change and the current MSP is not able to cope ,you'll need to be able to exit smoothly. Ask if there are any lock-ins you need to be aware of.
9. What is your support response time?
You want to be sure that the MSP will respond promptly whenever your staff need routine support. After all, every minute that a key service is not optimally functional is a minute of lost productivity. Find out how quickly they normally get someone on the phone, and how soon they can be on-site if you need them.
10. What is your disaster response time?
Speed is everything in the event of a system crash or other catastrophe. This is not just a normal support request. A disaster is a matter of life and death for your business — that's why we call it a disaster. You need to know that help will be on the way urgently. Many experts agree that the average response time for a swift MSP should be a few hours. However, there is a wide range of acceptable response times, from as little as 15 minutes to about 24 hours. While it's not possible to define how long disaster recovery should take, you should be able to agree on the response time. The faster the response time, the faster the MSP will be able to restore services.
By this time you should be clear about your recovery requirements and use this to get a feel of whether the MSP will be able to meet those requirements. While it's not possible to guarantee certain recovery expectations, especially timelines or even give any guarantees, the MSP should be crystal clear on how they will go about recovery in case of a disaster affecting the services they manage. For example, what are their guidelines on RTO and RPO? The point is not to work with a vague outlook such as «we'll do our best».
Related: Disaster Recovery Plan and DRaaS
11. Do you have active professional liability insurance?
The financial burden of outages as a result of attacks or other causes should never fall on the shoulders of the customer if it's the MSP's fault. Unfortunately, this is often the case when organizations choose to work with an MSP that doesn't have professional liability insurance. In the event of a data breach or other incident caused by the MSP's negligence, your organization will most likely be left to foot the bill for damages, legal fees, and other expenses. But with proper insurance in place, the MSP can help to cover these costs and protect you from financial ruin.
Further reading: Should IT service providers be liable for attacks?
More questions to ask MSPs
The questions above are not the only ones you can ask. Here is a list of some more:
- What are your pricing options?
- How will your services improve our competitive advantage?
- What approaches do you take to prevent cyber attacks?
- Do you conduct remote monitoring and management?
- Which procedures do you use for troubleshooting and reporting?
- How is our data handed back to us when upon contract termination?
- Do you use a standard service level agreement for all customers?
- How often do you revise your prices for existing clients?
- Is there any additional infrastructure we need to buy when we start working with you?
- Who is ultimately responsible for my organization's data that you'll be handling: You (the MSP), a third party or my organization?
- How many years have you been providing MSP services?
- Is it possible to talk to a couple of your current and past customers?
As we said at the start, these questions are just but a guide to help you get the overall feel of each of the MSPs you've shortlisted. You are more or less taking the MSPs through a rigorous interview, the same way you would when hiring a top level manager in your organization. They'll be providing a very useful service and so it's important that you get everything right from the word go to avoid costly disappointments down the line. Essentially, you want to establish whether the MSP is truly grounded in their service provision. Do they understand their role? Are they good people to work with? Can you trust them?
As you get close to the contracting stage, please don't forget to do the crucial stuff such as defining the data access levels for the MSP and buying cybersecurity insurance for your organization — if you don't have one already.