A robust IT Managed Service Provider (MSP) is more than a luxury—it’s a necessity. Especially for software-led companies that are laser-focused on product development, the peripheral IT demands can often be a blind spot, exposing them to potential security risks. Not good news for potential investors and an easy ‘red flag’ for us to raise during Technology Due Diligence.
Back Office IT is a common area of concern that’s reasonably easy to address post-investment/deal. Yet I meet numerous investors whose portfolio company has been attacked/hacked post-deal; whilst no one can guarantee 100% protection for these growing firms, its essential to address the known gaps.
To be clear; this post is about assessing a potential IT MSP to provide services to a firm, not assessing an IT MSP for potential investment or buyout.
The usual suspects
I assume the ‘standard’ checkpoints are often the first ports of call: scope, timing, pricing, customer references, technical certifications, vendor partnerships, SLAs, insurance details, system uptime, and response times.
While these are undeniably essential, the IT realm demands an even deeper scrutiny, especially for software-led companies susceptible to multi-layered security risks.
You may also want to refer to Scott & Scott LLP’s ‘Legal Guide to Managed Services’ which was written for Managed Service Providers but provides some insight on the legal requirements and the behaviours of these firms (e.g. the report states that 50% of IT MSP present Master Service Agreements, MSAs, that were not written by lawyers due to cost. This cost-cutting may be elsewhere in the business, so it’s interesting to learn who their legal representatives are).
IT MSP Due Diligence Checklist
As you move forward with the process of either outsourcing your IT requirements to an MSP or transitioning to a new one, here are the definitive steps for due diligence:
1. Certification and Compliance:
- ISO 27001 Certification: This internationally recognised standard for information security management systems is pivotal. Especially if your firm works with larger businesses.
- Cyber Essentials Plus: A rigorous check against varied types of cyber attacks, ensuring the MSP’s protective measures are comprehensive. We like it, because it’s practical and hands-on proof that cyber is a high priority,
2. Competency in Cybersecurity:
- Advanced Skillset: Whilst many MSPs will be able to deal with generic migrations, setup and support, not many have future thinking knowledge, Ensure they know GDPR, and can implement Data Loss Prevention, Cloud Access Security Brokers and ways and measures to secure your precious IP – the code.
- Gap Analysis and Proactive Support: The MSP’s prowess should shine in identifying potential security pitfalls and proactively erecting countermeasures.
3. Expertise with Key Tools:
- Office 365 Mastery: Given its ubiquitous use in businesses, proficiency with Office 365 is paramount.
- Cloud Platforms Proficiency: Mastery in Microsoft Azure, Google Cloud, and AWS is crucial. Beyond just familiarity, they should have proven experience in migrations between these platforms.
- Cost Optimisation: If your firm is to scale rapidly, you must ensure the IT MSP has the skills to select the correct licensing and configure cost-optimal cloud solutions.
4. Service Level and Response:
- Defined Support Strategy: The MSP’s roadmap for support should be crystal clear, leaving no room for ambiguities.
- Prompt Response Times: In IT, delays can be lethal. An assurance of swift support response is non-negotiable. Ask for evidence.
5. Independence and Corporate Structure:
- Ensure Independence: An independent MSP is ideal. If PE-backed, aligning closely with the HQ is critical to circumvent service delivery hiccups.
- Peek into Employee Satisfaction: Platforms like Glassdoor are invaluable in gauging the internal health and morale of the MSP.
6. Relationships:
- Vendor Accreditations: A thorough vetting of the MSP’s Vendor accreditations will affirm their capability to address beyond basic IT needs.
- Vendor Management: Enquire which vendors currently provide a dedicated Manager, which indicates a higher profile and growth.
7. Consistency and Expertise:
- Engineer Consistency: A continuous association with a single engineer can be a boon for understanding and fine-tuning your IT landscape.
- vCIO Services: An MSP offering vCIO services is a reassuring hint of the strategic acumen nestled within their team.
- Engineer reference: Engaging with an MSP engineer can offer direct insights into their operations and ethos.
- Technology Compatibility: Ensure there’s no mismatch in technological familiarity, especially concerning your firm’s proprietary tools.
8. Case Study and Onboarding:
- Similar Customer Profile: Request the MSP to delineate a client comparable in size and technology, offering a clearer lens into their expertise and approach.
- Onboarding and Relationship Dynamics: Gain clarity on their onboarding process and the evolution of client relationships thereafter.
The Bottom Line: Why IT MSP Due Diligence Is Worth the Time and Effort.
IT MSP due diligence is more than just a technical exercise—it’s a mission-critical strategic alignment. If done well your firm/portfolio firm will be ‘wedded’ to the supplier for years. Investors, take heed: sidestepping this robust evaluation could result in unforeseen pitfalls.
By taking the time to align with an MSP that meets the stringent criteria above, you’re not merely fortifying your business; you’re building a flexible and secure foundation for your business’s future.