Listen to Podcast
12 Questions Nonprofits Should Ask to Evaluate a Managed Service Provider (MSP)
“Managed services” can mean different things to different people, especially when you are just embarking on a quest to find a provider. To understand what you need, what a provider is offering – and whether they’ll be able to deliver – Community IT Innovators developed a list of basic questions to ask.
Download the white paper here: 12 Questions Nonprofits Should Ask to Evaluate a Managed Service Provider (MSP)
In our 25 years in serving the nonprofit IT community, we’ve heard lots of stories of IT support that didn’t work out. We used our experience to develop this list of 12 questions you can use to vet any managed service provider as you evaluate your needs and their services.
Join Steve Longenecker, our Director of IT, and Johan Hammerstrom, our President and CEO, for an in depth discussion on avoiding common pitfalls and getting the right level of service for your nonprofit.
Don’t miss this chance to learn how your organization can vet and compare IT providers, whether you have 5 employees or 500.
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
As Director of IT Consulting, Steve Longenecker divides his time at Community IT between project managing client projects and consulting with clients on IT planning. Steve’s appreciation for working at Community IT Innovators is rooted in respect for the company’s dream and vision, and for the excellent colleagues that the dream and vision attract. Steve is MCSE certified. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts.
Steve loves helping nonprofits avoid mistakes and draws on a long career in nonprofit IT consulting for this webinar.
President and CEO Johan Hammerstrom has always been interested in using technology as a force for good that can improve our world. In college, he pursued this interest through science, first studying Chemistry, Physics and Biology at Stanford University, graduating with Honors with a BS in Chemistry. He then studied Biophysics at Johns Hopkins University and received a Masters Degree.
The time spent in Baltimore convinced Johan that there were more pressing and immediate problems that technology could and should be used to address. He pursued a career in Information Technology, with the express goal of improving our communities and our world. He started at Community IT in 1999 as a Network Administrator. Since that time, Johan has been a Network Engineer, a Team Lead, the Director of Services, Vice President of Services, Chief Operating Officer, and beginning July 2015 President and CEO. Working directly with over 200 nonprofit organizations, to help them plan around and use technology to accomplish their missions, has been one of the most positive and rewarding experiences of his life.
Johan has a long experience of fielding questions on how to evaluate a managed service provider, and is looking forward to sharing the most common questions in this webinar.
12 Questions Nonprofit Should Ask When Evaluating an MSP
Johan Hammerstrom: Good afternoon, and welcome to today’s Community IT Innovators Webinar. Today we’re going to be talking about 12 questions that nonprofits should ask when evaluating a managed service provider or MSP. We’re grateful that you could join us this afternoon. I want to start by introducing today’s presenters. So welcome, Steve, do you want to introduce yourself?
Steve Longenecker: Sure. I’m Steve Longenecker. It’s good to be with you all today. I’m the director of IT consulting at Community IT. I’ve been in Community IT for 15 years and glad to be here.
Johan: Great. My name is Johan Hammerstrom. I’m the President and CEO of Community IT and also the moderator for the Webinar Series and Steve and I are going to be co-presenting this Webinar today. I want to tell you a little bit about Community IT if you’re not familiar with us. Community IT is a 100% employee owned company. We are dedicated to advancing nonprofit missions through the effective use of technology. We work solely with nonprofit organizations and have done so for almost 25 years. So we’re also a winner of the MSP 501, which is put on every year by Channel Futures and it means we’re one of the top 501 MSPs in the world.
Before we begin, I do want to mention that Steve and I talked a little bit about whether or not we should proceed with this webinar, it felt a little bit out of place, given what’s happening in the world right now in March 2020. We decided that we wanted to go forward with it. We’re not going to be referring to the pandemic at all in today’s webinar. There’s plenty of resources out there to help your organization respond and shift to remote working, we actually sent an email out on our newsletter earlier today linking to some excellent resources that TechSoup has published, including a 90-minute webinar that they ran last week, all about nonprofit preparedness in response to the pandemic. We understand that that’s on everyone’s mind. It’s something that we’ve been very focused on this week. We would direct you to those resources to help you and learn more about it. We’re going to make the next hour pandemic-free so maybe it gives us all a nice break from thinking about the crisis, we can talk a little bit more about evaluating managed service providers.
(2:52) So at the outset, I really want to emphasize that the goal is not to sell ourselves first and foremost, nor is it to say that there is a one size fits all managed services provider. We firmly believe that we’re a strong business; we provide great services to the nonprofit’s that we work for. We’re a good fit for a lot of organizations. We also firmly believe that we’re maybe not the best fit for every organization. There are a variety of different managed services providers out there, many of whom are excellent. We really feel that these questions are going to help you identify the MSP, that’s really the best fit for you as an organization.
The questions are really intended to accomplish two things.
- One, they’ll help you evaluate the quality and capacity, help you to vet whether or not the MSPs that you’re looking at, are able to do the work.
- Secondly, they’ll help you to really identify an MSP, that’s going to be a good fit for your organization. So that’s really the goal in the presentation today.
(4:11) There’s 12 questions, as I mentioned, and we actually have a white paper on our website, which also goes through these 12 questions. You can go to our website and download the white paper if you’re interested.
The questions that we’re going to run through today, and we’re going to talk in a little bit of detail about each one are:
- Number one getting references;
- Number two, finding out who answers the phone when you call to get support;
- Number three, finding out who’s going to visit the location when you need onsite support,
- finding out a little bit more about staff tenure at an organization and what that means.
- Questions you can ask to get to the bottom of pricing. Go into some more detail about that.
- Talking a little bit about onboarding and how the MSP on boards new clients.
- Find out a little bit more about how in detail some questions you can ask and some ways of asking this question, to just get a better sense of how the managed services provider is going to work with you.
- How they’re going to report on their work. That’s a very important part of working with a nonprofit organization,
- the vendors and technologies that they support and use their cybersecurity capacity and
- how they implement cybersecurity,
- their overall capacity for strategic planning and finally, this is kind of a key question and all the other ones sort of lead up to this,
- how do they see themselves delivering value?
We’ll go through each one of these one at a time. Hopefully, at the end of this, you’ll have a better sense of how to evaluate managed services providers.
Start with references and it’s pretty straightforward if you’re hiring somebody, if you’re hiring a contractor to work on something for you, or if you’re looking for a vendor like a managed services provider, you’re going to want to get good references from them. Specifically, you want to make sure that they’re providing you with references to other nonprofit organizations. We work exclusively with nonprofits, but there are a lot of MSPs that work with a lot of nonprofits in addition to other types of organizations. We feel in our experience that nonprofits are pretty unique. It’s important to find an MSP that has that nonprofit experience. You can get a lot of information by talking with someone who has worked with the MSP, who understands sort of the nonprofit context.
Obviously, when you ask for references, you’re going to get good references, chances are, you’re not going to get organizations that are unhappy with the service that they’re receiving. If you have an honest conversation with the reference that you’re talking to, you can ask them, what are they good at? What are their strengths? What are some areas where maybe they could improve where they’re not as strong? Most MSPs make trade offs and how they run their business. There’s certain areas that they’ve chosen to focus on, that they’re strong in. There may be other areas where they’re not as strong in. That’s not necessarily a knock against any MSP is just sort of the reality of running a business. That sort of gets back to this question of finding out who’s going to be a good fit for your organization. If you can find out: What is this MSP really good at? What are some of the things that maybe they’re not as strong at that can help you to understand fitness more completely.
Anything to add there, Steve?
Steve: No, I think that covers it. I think the point about, no MSP is perfect, but finding out from a reference, hopefully the reference is willing to share, it’s like the job interview question: What would a former employer say is one of your weaknesses? And you know that everyone should be ready to answer that question and answer and with all my weaknesses, “I work too hard.” “I care too much about the quality of my work,” something like that. Probably there really are things that your potential service provider doesn’t do well. What you want to know is whether those things are not so important to you or things that would be critical to you. That’s a way to approach it.
Johan: The next question is who’s going to answer the phone? There are a variety of possible answers to this question. What you want to find out basically, if the primary way of getting in touch with the MSP is through a help desk, or if it’s through some other method. Some MSPs have a full service help desk. They prefer that their customers call that help desk. Other MSPs will have you call an office manager, and then they’ll route the call to a technician. Just finding out how they work is really important. This is a pretty straightforward question and they should have a pretty clear answer. They should understand their processes well enough to answer this question clearly.
If they’re relying on a helpdesk, then there’s some follow up questions that you could ask to get a little bit more information. You could find out how many technicians are on the help desk, is the call going to go to a technician? Or is it going to go to someone who’s in more of a triage role and will assign the ticket to a technician? You can ask them things like: What’s your first call resolution rate? How many issues are resolved by the first person that picks up the phone? How many times do issues have to be escalated to other people on the help desk, and you can also ask them if their help desk is staffed in-house or is outsourced. We’ve had a lot of experience with both, we have an in-house Help Desk, but we know other MSPs who used outsourced help desks. There’s some great firms out there that provide outsourced help desk services to MSPs who then resell it to their customers. So outsourcing isn’t necessarily a bad thing. You want to understand that from the outset. Are you going to be working with someone who’s part of the company or you’re going to be working with another firm?
Steve: I’ll add to that, the strength of having your help desk be internal employees is that, of course, you can manage quality control better that way. There are some fantastic outsourced help desk providers, so I don’t mean that there’s not good quality in the outsourced world. If it’s internal employees, they understand the brand, the mission. They are part of that big picture. The other thing that maybe it was worth making explicit about why you’re asking about how much the rate of success with first time resolution, first call resolution. Why that matters is because: staffing a helpdesk is really a challenge in this day and age for managed service providers. It’s a tight labor market. You end up with oftentimes quite junior technical staff on the front lines of the help desk.
That makes sense insofar as oftentimes what people are calling the helpdesk for is to have their password reset. Once you know how to reset a password, you can do it all day. It doesn’t make sense to have a senior engineer sitting on a Help Desk frontline resetting passwords when their skills should be used on much more difficult technical questions. You can’t expect 100% first time resolution because you’re calling the helpdesk with a wide variety of problems. An MSP’s job is to find that balance between being cost effective with deploying a scarce resource of skilled labor effectively so that we are able to help. Not everything has to be escalated, we want to resolve most problems on the first call, but we also need to be able to escalate it if we have to. It’s not that you’re looking for 100% or even necessarily 90% first call resolution.
I think part of it is though, if the provider doesn’t know what their first call resolution is, and they don’t have that kind of metrics, then I think it speaks to the fact that they’re not probably managing that question as effectively as they would be if they did have those metrics. Does that make sense to you, Johan? That’s how I would look at it.
Johan: Definitely. I think that you’ll find this is a recurring theme with a lot of these questions is that they’re sort of basic questions. Whoever you’re talking with should be able to answer them relatively quickly. They should be thinking about their business in ways that enable them to answer these questions easily.
(13:33) Do you want to talk a little bit about on site support? Steve?
Steve: Sure. We, Community IT, have clients where there’s little to no onsite support because the client is small and they have relatively few IT needs and basically what they want is to be able to call a help desk when they need it, get help, oftentimes remotely and that should be that. But onsite support is sometimes needed when you’re setting up a new computer, it often makes sense or generally makes sense to try to do that onsite. It’s more efficient that way. Who is going to come when you need help onsite? How long does it take before – if it’s an ad hoc request for service, what is the service level agreement on how long it will be before dispatch can be arranged? What’s the average time? What’s the committed limit on the time? Is it going to be a junior technician or a more senior person? Those are all good questions to ask about ad hoc dispatches. Then Community IT also has plenty of clients that have recurring onsite support. If you anticipate that being one of the ways you’re going to interact with your managed service provider, first of all, if that’s important to you, you want to make sure that an MSP provides recurring onsite support. Then you want to find out who provides it. There are different ways to handle this. There’s not supposed to be a lot of judgment about one way is better than the other. It’s back to that fitness question of: What fits with the way you operate?
Community IT has a dispatch team. So a team approach to dispatches and that allows us to be efficient and cost effective that we have, a team of engineers who do some recurring support, but also quite a bit of bench time when they’re available to go out and do dispatches. So when you ask us for an ad hoc dispatch, not as part of a recurring scheduled thing, but a one time event: you need someone to come set up a new computer or you need someone to replace a switch or whatever. You’re going to ask us for a dispatch and who you get depends on who has time at that moment, earliest in their schedule, and there’s again a team of four, five, whatever, that’s the scale we operate at, engineers and whoever’s available will be the person who comes out.
When you have a team approach, you need to have a commitment to best practices, you need to have a commitment to good documentation. Because if the person who comes out from Community IT to your site isn’t familiar with you, they need to be able to, a) know how Community IT does things and do it that way, because there’s a set of practices that are trained and committed to by our company. I think there needs to be good documentation because I don’t know you, so I need to be able to easily and quickly find out what I need to know about you as a client in terms of your technology. What kind of firewall do you have? How old is it, where is it located, all that stuff should be documented. So when you find out that onsite support is provided by a team where there’s a team approach, there’s some strength there.
On the recurring side, we actually do a modified team approach. We like to have the same people coming out if you’re getting support from us, four days a week, we probably have two people because that gives us more redundancy, and it’s a more robust system. We might have someone coming on Monday and Wednesday and someone else coming on Tuesdays and Thursdays and so you get to know one person. So having that kind of: I get to know one technician, there’s a lot of strength there. You get a relationship with someone, your staff gets to know that one person, they really get to know who you are as a client, both your technology but also who you are culturally, and it fits.
There can be some dependencies that come with that. We certainly have had to work with our clients. They get to know someone really well and they really like them. Then if that person gets promoted to a position where they’re no longer doing recurring support, there’s a transition there, a fond farewell and someone new comes in to get to know.
There’s pros and cons to all these things. These are things that you’d like to know. It gives you a sense of who the MSP is, whether they’re going to have a more team-oriented, or a more single technician oriented approach about who comes to you and whose face you actually see, when onsite support is needed.
Johan: You could ask them about the balance between onsite and remote capacities. There are MSPs that just want to do everything onsite, and there are other MSPs that they’re only really set up to provide support remotely that works great for some organizations and for other organizations, it’s not as good a fit. So the balance between onsite and remote support is something that’s good to ask about and also to ask references about.
Steve, we’ve been at a time of unprecedented, an incredibly low unemployment rate and I’ve heard within the MSP industry that unemployment among IT professionals is actually a negative unemployment. It’s been a very tight labor market for the last year or so, or more, and just curious: is it important to ask prospective MSP about their staff tenure?
Steve: It’s definitely worth asking that question. It’s an important question. I do think what you just said is true, and it’s impacted Community IT also. Basically, if you’re in IT right now, and you have any reason to look for a new job, you’ll get offers. So there is a lot of bouncing around.
We historically just didn’t have turnover at all; we still have really low turnover by industry standards. Our median staff tenure, I’m sure it’s in… I don’t even know. So I shouldn’t say I’m sure, I would imagine it’s certainly in the top quartile and probably more like, top percents. So I just can’t imagine that a lot of companies are much better. I think what you’re saying, Johan, just points to the fact that expectations have to be tempered, particularly I think with a more junior staff, who are sort of getting their career started. I think it’s just natural in this labor environment, there’s going to be a certain amount of bouncing around. “What is your staff tenure?” is a question. It’s an important question. I think it speaks to perhaps the morale and overall job satisfaction of the staff that you’ll be working with, and those are certainly important things to consider when you’re outsourcing your IT. You want the people that are serving you to be people that are happy in their jobs and glad to be there. You just want, if you can, the highest level of retention by your MSP is the better, because it means that they’re not constantly training staff and transitioning staff into new jobs. Everyone does their job better once they’ve been doing it for a while. I think Community IT really stands out in this regard, even Community IT has had probably more turnover certainly than we’re used to in the last three or four years as people are able to just move around as they want. Nonetheless, you probably happen to know the figures.
Johan: Our average staff tenure is seven years. That goes up dramatically for our more senior staff. I just recently celebrated my 20th year with the company. Steve, as you’re in the 15 year range. As with many of these questions, it’s something that the MSP should know about their business and should be able to communicate to you.
Steve: The bottom line for sure is: What you don’t want is someone who’s just a revolving door employer. There’s just no way for them to really be able to do great service, if that’s their approach.
Johan: As competitive as the market is, certainly when I look at some of our peers, the ones who are doing good work, providing growth opportunities for their staff, even though there’s turnover across the board, do have some amount of retention.
(23:24) Another question you want to ask is pricing. How does your pricing work? Which seems like an obvious question, the reality is that every MSP has a slightly different approach to how they price their work. Chances are, if you were to get the invoices of three or four different MSPs, you’d end up with three or four unique ways of pricing service.
It can be frustrating. I understand that when you’re trying to compare your options as you’re evaluating MSPs to have such wildly different approaches to pricing. We’d encourage you to ask who you’re looking at to explain their pricing to you, and they should be able to explain it to you in a way that makes sense. Again, there’s basically two different dimensions to look at pricing around.
- The first dimension is what’s fixed cost or what’s covered and what’s being billed on an hourly rate basis.
- Then the other dimension is what services are included and what services are optional.
It’s really a matter of bundling, like, what time is bundled and what services are bundled.
Partly because we work with nonprofit organizations, we have a pricing approach that is flexible. We have three different pricing options, one where everything is included for a fixed monthly price. Another where calls to the Help Desk are included on an unlimited basis on a fixed monthly price, then another option where our support suite of desktop and the server management software is included at a very low monthly price but then all support work is handled on an hourly rate basis. We’ve found that having those different options works really well in the nonprofit sector, because different nonprofits have different funding sources. They can pay for things in different ways. It just gives them the flexibility they need to purchase exactly the amount of service that they need, not any more than that.
So that’s something to ask about. I think that, as clear as it is in our proposal, we really appreciate the opportunity to just walk through it with any prospective clients that we’re talking to. We find that that conversation is always an eye opener, for them. We encourage that to be a topic: How does your pricing work? Then the other dimension, if you will, the services that are included or not included. Is spam filtering included as an option? Is backup included? Is email phishing training included? Different MSPs have very different approaches to what services they make optional and what services they include by default as part of their package.
Steve: The reality is that it’s really difficult to, in a sales process, actually get a sense for… I see the slide “Pricing,” and I think this is about, what does it cost per month? What am I going to expect to pay per month and what’s the value delivered for that? Really, what you’re saying Johan is: because of the way things are bundled, and not bundled, each comparison between three different bids from three different MSPs, you’re almost comparing apples to oranges along each one of those. If you don’t have someone to explain it through to you in a way that you can trust, it can be very difficult to evaluate upfront.
Johan: That’s exactly right. I do think most MSPs should be able to give you a good ballpark estimate for what they think a monthly price is going to be for supporting the organization. Information that can really help them put together a better estimate would be if you have any data on the number of tickets, or support requests that are currently being submitted on a monthly basis by your organization. That information really helps to come up with an accurate estimate. Then also the state of the network, if you will. Are most services in the cloud? Is it a lot of old hardware that might need to be replaced? Are there funny problems that seem to keep coming up on the network that might need to be addressed? That information also is very helpful in putting together an accurate estimate. An MSP should be able to give you a ballpark figure for what they think the monthly cost would be for supporting the network and if they can’t, then it would raise concerns for me about their ability to anticipate what the support requirement is.
Steve: I’ll make another plea here on that before we go to the next slide, Johan, and that is, probably our audience knows this already: It costs money to provide IT support to nonprofits or small businesses. You should expect to pay for good service and the cheapest priced service is not always the service that is going to be the service that you should be choosing. I said that quite right. For people to understand that there is no free lunch here, obviously. For a company, for an MSP to provide good value to you, you would expect to pay for that.
Johan: Yes. Part of that gets to what the specific need is and that goes back to this idea that not all MSPs are created equal and there are different fits for different organizations. The last question, the value question, I think we’ll come back to that. We’ll come back to this idea, then.
Want to ask them about their onboarding process. Part of the reason for this is that it just gives you a bit of a window into how they deliver service overall. Onboarding, sometimes can be a little challenging to cover how service is going to be provided. Obviously some of the basics of, how the helpdesk is run, and so forth, can be explained in advance. But oftentimes, certain details about what the experience of working with an MSP is going to be like, are hard to communicate in advance. But onboarding is one process that essentially, the MSP has complete control over. When you sign the contract… here’s what happens next. Here’s what happens after that. We’re going to come meet with you. We’re going to install the software. We’re going to deliver this to you after this amount of time… That’s a process that the MSP has control over. So it gives you insight into their ability to develop and run effective business process. Other MSPs may say: “We assign an engineer to you send that person in, and they collect information about your network, and then you’re good to go,” which again, is not necessarily a bad answer, but it just again, gives you insight into how they’re going to operate long term in terms of their service delivery.
Steve: The insight being that they don’t have a lot of processes, maturely laid out. Whoever you happen to be working with flying by the seat of their pants, perhaps very effectively, but just a different experience than if there’s a real mapped-out process for the onboarding process. This maybe betraying that we have a good onboarding process and we’re proud of it. Maybe that’s the way we think, it works really well for us. It’s different fits for different organizations.
Johan: Well, and on the flip side, I know there are MSPs who like to come in and talk with lots of key stakeholders and put together more sophisticated technology planning documents, which may be overkill in certain situations. Just having a clear understanding of how your staff are going to be impacted, what’s the end user experience going to be like, during the onboarding process? It helps you to figure out how they think about the user experience and your staff’s experience.
Steve: It’s the first experience you’re going to have with this MSP potentially, and they should be able to describe it in a way that you can hear and understand and evaluate and if that’s not happening, then that’s a pretty big red flag.
(32:39) Johan: Once you ask them about the onboarding process, you can also ask them: “How would you work with us over time?”
Steve: Johan kept on saying, “Oh, it’s hard sometimes to explain it,” and that’s absolutely true, but these are some key things you can ask. We already talked about the help desk and who’s staffing it and how it works, who answers the phone and stuff. “If I have a ticket, if I have a service request, what are the different ways I can submit that service request? How will I know it’s been acknowledged? Do you prefer that I use the phone? If I use the phone will it be answered within a certain amount of time? Or will I be on hold? Or do I need to leave a voicemail and wait for a callback?”
None of these things are good or bad because everything that you like might cost more money to deliver. You have to balance costs against benefits. But those are things that you should know. Another question to ask is: What is expected from us/ me in the organization? Do I need to have a primary contact identified and what does that primary contact need to know? So when the managed service provider wants to send an alert to its clients about a security vulnerability that Microsoft has identified in Windows, who does that email gets sent to? What’s the responsibility of the person who gets it? These are questions that you want to know, because it’s going to impact how you work with them.
You can get into more processes, you can certainly ask questions about how projects are delivered. That’s worth asking, if you anticipate doing any kind of project work. Questions that you might have would be also about, how do you onboard a new staff member? “So if I hire someone new, what’s that process look like? What does my HR department need to do in terms of interacting with the managed service provider and what can I expect from the managed service provider in terms of getting that newly hired person into the IT systems?”
These are all questions that you can ask. It’s also a good time to bring up technologies that you have that might be outside the cookie cutter box, like email and print and file sharing and stuff. “By the way, we have this really strange database that someone custom built for us 10 years ago, and really, no one knows much about, how can you help us with that?” These are questions you should definitely draw out at this time as well. Just sort of brainstorming here a little bit, Johan, but I think I covered it.
(35:41) Johan: Yeah, no, that’s great. Related to that is the question: “How will you report on your work?”
To us that is central. We feel very strongly that managed service providers should be held accountable by the organizations that they’re providing service to, but we also understand that there’s a challenge in that because the reason you’re hiring a managed services provider, by and large, is because you don’t have inhouse IT expertise. You’re outsourcing that to someone else. It’s important for the managed services provider to be able to explain their work to a nontechnical audience. Generally, the nonprofit organization will have somebody who’s managing the vendor relationship with the MSP and we refer to that person as our primary contact. We do our best to help the primary contact to understand the work that we’re doing.
We have a lot of different tools in place that help us communicate the work that we’re doing, that includes a recurring monthly meeting with one of our IT business managers. In that meeting, we have a series of reports that we can use to explain the state of the network, the number of computers, their patched status, their age, that can show the number of tickets that have been submitted, the types of issues that those tickets have related to, the responsiveness of our helpdesk to responding to those issues. We do our best to hold ourselves accountable, and then share that accountability with our customers. That’s something that managed services providers should have a process in place for and should be prepared to do. This is something that I know that the MSP industry as a whole has really made a lot of progress in this area. I go to a lot of MSP events and talk with a lot of peers in the industry.
I know that this is something that has become really critical over the last five or six years: finding ways to share accountability with customers, so that it’s not a black box so that it’s not, a complete unknown to them, the work that they’re doing. I think related to that, it’s really important to find a managed services provider who can explain technology and technology decisions to you effectively, and that’s something that can start the process of asking them those questions in the interview process in the review of the MSP. “We have this going on in the network. I don’t completely understand it. What does this mean to you?” or, “What would you do in this situation?” They should be able to both understand the situation technically, but also explain it to you in a way that makes sense.
(38:40) We’ll just move right along. Vendors and technology. This is related to the previous point to some degree, you want to ask them, “What vendors do you work with? What technologies do you support?” The jargon for that in our line of work is “stack.” What technologies stack is the MSP working with and are they flexible? Are they inflexible in terms of the type of technology that they support? Steve, why is it important to ask that question of an MSP?
Steve: First of all, let’s say that half of your users are on Mac OS computers, you need to know that this MSP is going to support the Mac OS as fluently as they support the Windows operating system. That’s right from the start, some of the things that are almost like part of your culture or that aren’t easy for you to change. If you’re not anticipating that you’ll be able to change you need to know that your MSP can support the way you operate. That said, when you transition to a new MSP, it may be that there are things that you’re somewhat agnostic about that you don’t quite align with the MSP in terms of what stack they support or prefer, versus you know what you have in your technology stack, whether it’s because of choices that previous service provider provided. Maybe your brand of firewall is not the brand of firewall that another MSP prefers. Let’s find that out. Does that mean that you need to buy a new firewall or that part of the cost of switching to this new managed service provider is, in one way or another, paid for with a new firewall that’s in the MSPs preferred stack? That’s kind of what you were getting at Johan, with the degree of flexibility.
I don’t think it’s ideal to have a managed service provider who says, “ Oh, we support anything. We don’t care at all.” With technology, there’s just so much to know, that to me, knowing that an MSP has its preferred solution set that it’s most comfortable supporting means that they’re going to have a greater degree of proficiency and expertise in that solution set. It’d be nice if it was aligned with the solutions that you were using in your organization, knowing that you can change too over time.
So we frequently bring in clients that don’t have the firewalls that we recommend. We don’t insist that they replace that firewall, until that firewall has aged out of its regular, like a five year life cycle for a firewall. It’s a three year old firewall, we might anticipate that we’re going to support that firewall for two more years, even though it’s not our preferred solution. That’s okay, we’re generalists, we can make it work, but it’s not our bread and butter. It’s not the thing that we’re super comfortable in. So, in two more years when you’re getting a new firewall we’ll help you. We’ll recommend that you replace it with a firewall that matches our preferred stack. Hopefully that’s okay. That’s a question about flexibility. Now I have heard of MSPs that say, “Hey, look, when you sign up with us, everything’s going to be our way and it’s going to make it for a super efficient service because we know our way so well that it’s going to be, like a really, really, like great experience for your staff and also for our staff.” Those efficiencies are so great that the cost of all that switching is going to be worthwhile and that’s a direction to go. It is expensive to make all those switches immediately, but it could work.
One other thing that I would say on this is most MSPs these days are sort of recommending solutions based on their perception of what the best solution is for the cost to the client, but there was a day not that many years ago – in technology time it was like, two generations ago – but in real life, it wasn’t that long ago where there were value added resellers and that’s a business model that preceded the managed service provider business model and they still are around, you definitely want to be aware of it. It doesn’t mean that a value added reseller is bad. But you want to know that if the reason this provider wants you to buy, I don’t know, Watchguard firewalls is because they’re going to sell them to you and for every Watchguard firewall that they sell to you for $800 they’re going to pocket 150, that Watchguard is going to give them. If that’s the reason that they want you to buy a Watchguard that compromises, in a way. It’s like the old doctors who are prescribing pills where they’re getting taken out for dinner by the drug companies. It doesn’t mean that the drug is bad, but it’s certainly – you’d like to know that this is being recommended simply because it’s the best. Most times that you buy something from an MSP, probably there’s a one, two or 3% transaction on the back end that you may or may not be aware of that goes back to the MSP. But if it’s just one, two or 3%, I don’t think that compromises anybody, but if it’s a significant part of a provider’s business model, you need to be aware of that.
Then I also think that you want to be careful not to get yourself into a technology stack, that there’s not an easy exit from. So this is not something that I think is as common as it used to be. But there was a period of time, a few years ago, that people were signing up for service providers where part of signing up meant that the computers were actually joined to the service providers domain and it made for some very efficient management tools. But, it meant that when you wanted to leave that managed service provider, you had a lot of vendor locking in front of you.
Another place where that can happen is if, I hope no one is doing this, but if you’re buying from your provider what I call “white label computers,” where it’s not a Dell, it’s not an HP, it’s just a computer that your provider actually built. Those can be really solid machines and your provider might have a lot of expertise in building those. But if you leave that service provider, you stop working with them. Who supports those computers? They are basic computers. They have a motherboard, they have RAM. They have graphic interfaces and all that stuff, but you don’t have a Dell manufacturer’s warranty on it. What you have is your former service provider’s warranty on it and your service provider doesn’t work with you anymore. It’d be nice if you weren’t locked in by any provider in terms of your own technology stack, you’d be independent.
Johan: I think related to that, if you’re a nonprofit organization and you’re on Office 365, you should be purchasing your Office 365 licenses directly from Microsoft using their nonprofit pricing program. That’s not standard with for-profit organizations, because with businesses, in many ways, it’s often more efficient for them to purchase the license directly from the MSP. So a lot of MSPs that work with businesses are set up and their default is to include Microsoft Office 365 licenses as part of their managed services. Then you’re paying full freight for a license that you can get a deep discount on if you go directly to Microsoft. So that’s another thing to ask about and look out for when you’re evaluating MSPs.
The one thing I’ll add in terms of the VAR, the Value Added Reseller, is that what we’ve observed is that it’s not so much a problem at the beginning. Back five or six years ago, there were a variety of firewalls: Fortinet, Sonicwall, Watchguard, more or less all doing the same thing, all created equal. The problem with technology lock-in with a vendor isn’t that they’re necessarily recommending bad technology, but they oftentimes will get stuck on older types of solutions. Whereas nowadays, a lot of people are moving towards Meraki, which is a cloud based, cloud-managed firewall, which has a lot of advantages over the more traditional type of firewall. If a vendor is locked into a certain type of firewall, it makes it harder for them to move on to newer technology.
Steve: You’re locked in because it’s an important part of their business model..
Johan: Exactly. Not because it’s necessarily the best technology solution now, for an organization.
Actually, we have a quick funny aside, they went out of business a long time ago. It’s called Zenith Infotech and they provided hardware solutions to MSPs back in the 2000s – 2008, 2009. I remember at the time, a lot of MSPs and a lot of VARs in particular, were very concerned about the cloud because the problem was, once your clients move to the cloud, they’re not going to be buying hardware from you anymore. So, Zenith released this product called the Zenith Cloud. I remember we got emails about it, and we were looking into it. We’re like: this Zenith Cloud, it looks like just a rolling half-rack of servers that you put into your closet. That can’t be right, because if it’s in your office, in a little rack, that’s not the cloud! Like that’s the opposite of what the cloud is. This thing they were calling the Zenith Cloud! And, we looked into it and sure enough, like it was literally a cheap server that they sold you that they called the Cloud. No wonder that they went out of business pulling stunts like that. That’s the kind of thing that you have to look out for at times with MSPs. You want to make sure that they’re really forward thinking and embracing the future of technology in helping you embrace it, as well as an organization.
Steve: I mean, maybe we should bottom line this. The bottom line probably is that: you do want an MSP that has a preferred stack, I can’t tell you what that stack is, Microsoft or Google for email or, whatever. They tell you what they think their clients should be on. Yet, a certain amount of flexibility is probably also important for nonprofits that they can support what you have, even if it’s not in the preferred stack, allowing for the fact that over time you’ll try to match what you have in your environment with what the MSP prefers as their stack over time.
Johan: We’re coming into the last 10 minutes of the Webinar. My thanks to everyone for hanging in there. We’ve got three questions left. Then we’ll open it up to your questions if you have any. Feel free to chat those in now if you want. We’ll take them the order they come in.
(51:14) Question number 10 is about Cybersecurity. It’s a critical part of service these days and there’s a range of solutions around Cybersecurity. Every organization nowadays needs some level of Cybersecurity protection. Not every organization needs the gold standard in Cybersecurity. If you’re an organization that’s being targeted, maybe you’re focused on international issues, you’re doing work that would make you a target of nation state actors, then obviously you need to seek out an MSP that’s got more advanced experience with Cybersecurity. But every MSP should be able to be conversant with Cybersecurity threats and explain how they protect their customers against those threats.
I don’t know if there’s much more to say there. The only thing I’ll add is that at Community IT, we have a core set of required services that we provide as part of basic Cybersecurity and then we have a pretty extensive set of optional services that we talk through with our customers. We’re not big into fear mongering, we know that there are threats out there, but we also understand that the threats vary widely depending on the nature of the organization and the work that they’re doing. We really like to sit down and talk with our customers and find out specifically, what threats they’re facing and help come up with an appropriate Cybersecurity solution.
Steve: I’ll temper that a little, we’re not into fear mongering and I’m not going to turn around and start doing it. Being targeted by a nation state is a whole different animal than just being on the internet, which every organization is. They are, therefore, potentially a target for opportunistic hacking, where it’s just more a matter of not having managed MFA on your Office 365 accounts: not having multi factor authentication on your office 365 accounts and not having a training so that your staff uses passwords for their personal life. They use the same password for everything that they do and it’s not a very difficult password. Their Netflix account gets compromised and that password then gets used to get into Office 365. Cybersecurity is a real thing and even the small nonprofit that just does some community events could easily be a victim of a cybercrime, as compared to someone who’s doing analysis of nuclear warheads and who-has-what and might be targeted by a nation state. I don’t want to undersell this either. You need to have an MSP who can talk about Nonprofit Cybersecurity very intelligently.
Johan: No, that’s very true.
(54:35) Johan: The second to last question is just asking the MSP: just use the word “strategy” in a question, basically. We frame it in our white paper as: “How will you help my organization strategize for the future? Do you assist with strategic planning? What’s your capacity to engage with us strategically? However, you want to frame the question, you just want to make sure that the MSP is capable of thinking about business strategy broadly, and is capable of helping to connect technology solutions to business needs. It’s probably not reasonable to expect a managed services provider to also be an extensive strategic technology planner. There are large IT support companies that can offer managed services and then they have another division that provides strategic planning services, so that does exist.
But generally, the way that you need to organize a business to effectively deliver managed services is different from organizations that focus on strategy, even IT strategy and strategic planning. But you want to make sure that your MSP is capable of engaging with other stakeholders, whether with another firm or with other people in your organization, around strategic topics, and that they can help you put together a three year budget and technology plan. They can think ahead to what the organization might need in three years, and that they can assist with technology decision making, that keeps in mind all of the different needs that the business might have over an extended period of time.
Johan: I won’t say much more than that. We help our customers.
Steve: We do a lot with this. We could talk about it, but we’re running out of time. This is one of our strengths, I think.
(56:34) Johan: The last question is: “How do you deliver value?” I think that’d be a good question to end with when you have an interview with an MSP – How do you deliver value? and it gives you a glimpse into how they see their own role, and it gives you a glimpse into how they see their business. That’s, it provides a nice summary of all the other things that we’ve talked about in this webinar. How do they see their role in delivering value to your organization?
I think, well, I’ll add one more thing. This is something that Steve and I talked a little bit about as we were preparing for this webinar. This is a particularly important question if you’re talking to an MSP that’s not that familiar with nonprofit organizations. Because the MSP that typically works with for-profit businesses is going to take a certain approach to talking about the value of technology, talking about making decisions around technology solutions, and if they’re not familiar with or comfortable with working with nonprofits, they may not understand the very different dynamic that occurs within a nonprofit organization where revenue generation is concerned. Fundraising is critical, obviously. But maximizing profit is not really a concept that is useful in a nonprofit setting. If that’s how the MSP thinks about the value that they deliver, it might be a struggle for them to really relate to the organization as a nonprofit.
Steve: I’d say that also this goes back to what I think of in terms of job interview questions. There’s not necessarily a right answer here. It’s just a way to hear more from the MSP, that helps explain who they are. There’s not any answer you’re looking for but the answer that they give, and if they can’t give an answer, that’s a big red flag. But if they do give an answer, it helps you get a better feel for who they are in a way that can be very helpful.
(59:08) Johan: All right. We are at time. Just want to quickly announce our chief technology officer, Matt Eshleman, is going to be announcing and presenting on the 2020 Nonprofit Cybersecurity Incident Report, where we report on our survey of Cybersecurity incidents in the nonprofit sector. Please join us for that on April 15, next month.
Thank you very much for joining us today. Our thoughts are with all of you, we can all return now to focusing on some of the more important matters and pressing matters in our world right now. We certainly thank you for your time this afternoon. If you have any additional questions for us, feel free to follow up after the webinar and we’d be happy to answer them for you. Steve, thank you for your time, have a good afternoon.Steve: Thank you, Johan. Okay, bye folks