When I work with a client for the first time, I frequently encounter a fractious relationship between the client and their IT MSP (managed service provider).

There are numerous symptoms of the issue. But, at its core, it usually comes down to a lack of trust between the client and the IT MSP.

In many cases, the loss of trust has arisen because the IT provider has consistently failed to deliver a sufficient level of basic service, for example:

  • Not resolving issues in a timely manner
  • Not addressing the root cause of recurring problems
  • Not returning phone calls
  • Not answering simple questions in plain English

Their promises of being a ‘true business partner’ ring hollow.

But in other cases, the loss of trust has arisen because of a disconnect between what the client assumes the IT provider is doing, and what the IT provider is actually doing.

Relationship counselling

When I ask a client about their relationship with their IT provider, they usually talk about the relationship being quite healthy and the service being quite good for the first year or so.

But then there’s a turning point.

This turning point usually arises when either

  • The client has a significant incident (for example, a loss of data; a lost laptop; a ransomware attack) or
  • The client is asked by an important customer to show evidence that they are taking appropriate steps to reduce the risk of such incidents.

The client has assumed that the IT provider has this all covered. But when they ask the provider, it quickly becomes obvious that the provider is, in fact, doing very little, if anything, to protect the client from such incidents.

It’s not me. It’s you.


That’s the moment trust is damaged and the relationship really starts to head towards the rocks.

To the client, it feels like the IT provider has been scamming them, by only providing a subset of the services that they need. After all, the IT provider is the expert, so clearly they should have known from the start what the client would need, even if the client didn’t know it themselves.

Clearly, the fault lies with the IT provider.

And that might well be the truth.

But the only way to know for sure is to look at the details of the IT service that the client is paying for. If it’s not written in a contract or service schedule, then all assumptions are null and void.

The contract doesn’t matter. Until the contract is the only thing that matters.

It’s not you. It’s me.

To understand how this happens so frequently, we need to consider the pricing model of many IT MSPs. A pricing model that has emerged because of the way most organisations select an IT MSP.

Most ‘real world’ businesses do not know enough about IT to know the difference between a good IT MSP and a bad one. So, most select their IT provider on the basis of price.

Therefore, a common way for an IT MSP to win business is to be one of the cheapest options.

And the only way to be cheap is:

  1. To focus on the smallest set of services necessary to keep the IT ‘lights on’, and
  2. To operate on a reactive, break-fix basis.

In layman’s terms, this means if it ain’t obviously broken, there’s no budget available to fix it.

And there’s certainly no budget available to proactively address cybersecurity risks before they become real problems.

A disconnect between an organisation and its IT MSP is inevitable from the moment an organisation selects an IT MSP on the basis of price.

It’s time for a change

We need to recognise that a low-cost, break-fix pricing model is no longer appropriate for the IT needs of most organisations.

Organisations without IT or cyber expertise in-house (i.e. the majority of organisations) need a true IT partner (or partners) who can take the lead, show them what appropriate service and security look like, and commit to performing a consistent set of activities to deliver and maintain that service and security.

This is not just hollow statements about being a partner, but:

  • Contractual commitments, backed up with
  • Specific metrics that will demonstrate on a frequent basis the effectiveness of their activities, and
  • Financial consequences if these metrics demonstrate persistently poor levels of service or security.

In return for these specific commitments, organisations must be prepared to pay an IT MSP so they are incentivised to do a good job rather than a quick job.

You should get what you pay for.

But you should expect to pay for it.

But clients don’t listen

When I speak to IT MSPs about this, they are not convinced it will be a way for them to win business from prospects.

I can understand their fears. After all, they will still be competing against generic, low-cost, low-quality competitors who may win the business because of hollow commitments backed up by razor-thin margins.

But if an IT MSP does not try, they will never know.

At a minimum, the IT MSP should present options or service tiers to a prospect, so the prospect can get a better understanding of what each tier does and does not include.

This ensures the MSP can still present a low-price offering. And should they win the business because of the low-cost offering, if (or when) this client turns around in a year’s time asking about security services that they now accept they need, the IT MSP can point them at the more expensive service tiers that the client chose not to pay for.

Detailed service descriptions will remove any assumptions about what the IT MSP is responsible for, and it makes for a far more productive, and trust-based, conversation in the future.


If you want to discuss any of these issues and ways to avoid them, or if you have a different view on this, get in touch.