5 myths of managed services

Heightened cybersecurity risks and growing complexities in technology have led to increased use of managed services providers (MSPs). Many in-house IT teams are seeing the value of investing in and relying on MSPs that can help them offload certain tasks while cutting costs for their organizations. However, some technology officers are still skittish about handing the keys over to someone else.

Much of that resistance is driven by some myths about MSPs. Let's break down a few of the most common ones to help underscore why an MSP might be one of the best IT investments you can make.

Myth 1: All IT services are the same

Only fix something if it's broken, right? Well, yes, but it's better if it never breaks at all.

There are two types of MSPs: "break/fix" companies, and value-based managed services. The break/fix approach is exactly what it sounds like: You pay for IT support only when something breaks and needs to be fixed. Such providers are entirely reactive, so there's no financial incentive for them to stop a problem before it starts or make the platform as strong as possible for the future.

Value-based managed services are a completely different approach. Instead of reacting to problems after they happen, such providers actively work to prevent them from happening in the first place. The approach combines the expertise of security specialists and ethical hackers to find vulnerabilities so the providers can continuously improve — and keep the servers running.

And in the category of value-based managed services, vendor-managed service combines the best of both worlds. This is when the vendor that built the product also manages it. It's a big advantage because the developers who created the product might only be a short walk down the hall from the team that is managing it for clients — which means that any issues are handled quickly.

Myth 2: The data isn't secure

Yes, it is! And I'll prove it to you with one word: FedRAMP.

The Federal Risk and Authorization Management Program is like the Federal Information Security Management Act on steroids. It's much more rigorous than setting up security measures according to specifications and documenting them.

Let me ask you a question: When is the last time you scanned for vulnerabilities on your server? And when you scanned for those vulnerabilities, how long did it take to fix them? And did you write up a plan of action and milestones (POAM)?

If you're like most agencies, your last scan was probably awhile ago, and your POAM is still only half-finished. Under FedRAMP, any certified service provider is required to run such scans every month and provide a POAM that a third-party authority can audit. That means MSPs can catch and take action on new security threats quickly. And with the hundreds of thousands of malware hacks launched each month -- some of which are sophisticated enough to have their own help desks -- that capability is increasingly important.

Myth 3: You don't save money with MSPs

In reality, you do because MSPs have economies of scale in their favor. That means you get access to a multibillion-dollar infrastructure for a fraction of the cost.

Part of that cost covers:

1. Accreditation. Each government asset requires accreditation. The cost of setting up the software with a data center or cloud and then running through an accreditation process can run over $100,000 and take more than six months to complete. An MSP, however, can be up and running with an interim or full authority to operate within a month.
   Training. Maintaining the cloud and platform layers requires specialized training, which costs substantial time and financial investment. A proper MSP manages those layers, allowing the customer's IT staff to focus on core competencies and the mission.
2. Build time. A non-trivial amount of time is required to design, architect, build, secure and test an enterprise-level solution. An MSP has the infrastructure and the dedicated personnel to help design and continuously improve that solution.
3. Staying current. Technology advances quickly, and most on-premises consumers pay for maintenance and software upgrades but don't install them. That leads to unfixed bugs, mismatched software versions and wasted money. On top of that, as solutions grow, the hardware might also need to be upgraded. MSPs handle all of that.

Myth 4: We can do the same thing in-house

This might be somewhat true, but it's expensive. You need a dedicated staff that can architect, create and maintain the system infrastructure; actively perform load testing, code scanning, vulnerability scanning and penetration testing; and constantly update software. You also need to set aside extra time and money for accreditation, training, software and hardware upgrades, and compliance.

That's a lot of work. And even so, full-time employees might not be skilled in specific IT areas, and/or they might be spread too thin with other duties (e.g., strategy and people management) to keep up with relevant trends.

MSPs stay on top of technology or they fail as a business. They need to provide top-of-the-line 24/7 support because their reputations and livelihoods depend on it.

Myth 5: I don't need an IT team if I have an MSP

Some people think that once they do the hand-off to an MSP, their jobs are done. This couldn't be further from the truth. The teams still need to work together, but the job has just gotten simpler and better defined.

A proper MSP should enhance the customer's IT team, not replace it. It should allow the agency's employees to focus solely on their mission rather than on infrastructure and software platforms. Basically, the MSP handles all the boring stuff so the agency can handle the rest.