Solved: How to look for a good MSP

Source: Dev.to

Why You Need an MSP

In today’s fast‑paced digital landscape, IT infrastructure is the backbone of almost every business. When that backbone falters, the symptoms are clear and costly. Many organizations seek an MSP not out of luxury, but out of necessity, often driven by a series of persistent IT headaches:

• Reactive IT Support – Your current solution (in‑house or outsourced) only responds when something breaks, leading to unplanned downtime and frantic fire‑fighting.
• Unpredictable Costs – Hourly rates for every issue make budgeting nearly impossible.
• Lack of Specialized Expertise – Critical projects (cloud migration, advanced cybersecurity, compliance) stall due to missing expertise.
• Frequent Downtime & Data‑Loss Concerns – Systems crash, backups are unreliable, and disaster‑recovery plans are non‑existent or untested.
• Poor Communication & Slow Resolution – Issues linger, you’re left in the dark, and you feel unheard.
• Security Vulnerabilities – Constant worry about cyber threats, inadequate endpoint protection, and a lack of proactive security posture.
• Absence of Strategic IT Planning – IT is treated as a cost center, not a strategic asset, with no clear roadmap for growth or competitive advantage.

These symptoms are not minor annoyances; they directly impact productivity, profitability, and reputation. Recognizing them is the first step toward finding an MSP that transforms your IT from a liability into a strategic advantage.

Step 1 – Define What You Need

Before you even begin interviewing potential MSPs, clearly define your requirements. A good MSP is a partner that aligns with your specific business objectives, not just a vendor offering a generic service package. This clarity will save you time and prevent misalignment later on.

1. Identify Current Pain Points & Priorities

Document the specific IT challenges you face daily. Example:

Small architecture firm – Pain points: slow CAD performance, unreliable access to project files on a local server, and no off‑site backup for critical design data.
Priorities – System stability, data integrity, and swift support for design applications.

2. Inventory Critical Systems & Applications

Create a comprehensive list of all essential hardware, software, cloud services, and network infrastructure. Include proprietary applications vital to your operations.

3. Determine Required Service Categories

Based on your inventory and pain points, specify the exact services you expect from an MSP.

• 24/7 Monitoring & Alerting – Servers, network devices, critical services.
• Helpdesk Support – Define tiers (L1/L2/L3), hours of operation, and communication channels.
• Cybersecurity – EDR, SIEM, vulnerability management, security awareness training, dark‑web monitoring.
• Backup & Disaster Recovery (BDR) – On‑site, off‑site, cloud backups; define RTO & RPO.
• Cloud Management – Optimization, security, administration of public cloud environments.
• Network Management – Firewall rules, VPNs, Wi‑Fi management, performance tuning.
• Strategic IT Consulting (vCIO) – Technology roadmap, budget planning, vendor management.
• Compliance Assistance – GDPR, HIPAA, PCI DSS, ISO 27001, etc.

4. Establish Budgetary Guidelines

Be realistic about what you can afford, but also understand the cost of doing nothing or receiving sub‑par service. A good MSP is an investment, not just an expense.

Step 2 – Rigorous Vetting & Technical Due Diligence

Once you have a clear picture of your needs, evaluate potential MSPs with a critical eye. This goes beyond a superficial sales pitch; it requires deep dives into their technical capabilities, operational processes, and client success stories.

1. Client References & Case Studies

Request references from clients similar in size and industry. Ask specific questions:

• What was the most challenging IT issue you faced, and how did the MSP handle it?
• How often do you have strategic IT review meetings (QBRs), and are they valuable?
• Has the MSP helped you achieve specific business goals through technology?

2. Technical Capabilities & Tooling

A reputable MSP invests heavily in its technology stack. Inquire about the tools they use and how they leverage them.

3. Service Delivery & SLA Review

• Response Times – How quickly will they acknowledge and begin working on incidents?
• Resolution Times – What are the target times for different severity levels?
• Escalation Procedures – Who is contacted at each escalation tier?
• Reporting – Frequency, format, and metrics included in performance reports.

4. Security Posture & Compliance

• Do they conduct regular vulnerability assessments and penetration tests?
• How do they handle patch management for operating systems and third‑party applications?
• Are they familiar with the compliance frameworks relevant to your industry?

5. Financial Stability & Business Continuity

• Request audited financial statements or proof of insurance.
• Ask about their own disaster‑recovery plan—if they can’t serve you, how will they maintain service continuity?

6. Cultural Fit & Communication Style

• Do they use a dedicated account manager or vCIO?
• What is their preferred communication channel (email, ticket portal, Slack, phone)?
• Are they proactive in suggesting improvements, or purely reactive?

Step 3 – Navigating Contracts & Agreements

A well‑crafted contract protects both parties and sets clear expectations.

Final Checklist

• Document pain points, priorities, and inventory.
• Define required service categories and budget.
• Shortlist MSPs and gather references/case studies.
• Evaluate technical tooling, security posture, and SLA terms.
• Review contract language for scope, pricing, and exit strategy.
• Conduct a pilot or proof‑of‑concept (if possible) before full rollout.

By following this structured approach, you’ll select an MSP that not only resolves today’s IT headaches but also becomes a strategic partner driving future growth.

Data Protection & Monitoring

• Backup Solutions: Datto, Acronis – common for robust data protection.
• Network Monitoring Tools: PRTG, SolarWinds, or specialized firewall monitoring.

Example Question to an MSP

“Beyond simply deploying an EDR solution, how do your security analysts manage, triage, and respond to alerts? Can you provide a high‑level overview of your SOC/NOC operations?”

Sample Diagnostic Output (hypothetical)

While not a command you run, an MSP might show you logs or reports generated by their tools. For instance, demonstrating network health monitoring:

Network Device: Core-Switch-01
Status: Online
CPU Utilization: 12%
Memory Utilization: 45%
Port 24 (Uplink to Firewall):
    Status: Up
    Bandwidth In: 120 Mbps
    Bandwidth Out: 85 Mbps
    Errors/Drops (24h): 0
Critical Services Monitored: DNS, DHCP, AD, ERP_DB
Service Status: All services healthy.

This demonstrates they monitor key metrics proactively, not just wait for an outage.

Evaluating an MSP

Team Expertise & Certifications

Ask about the team’s qualifications. Relevant certifications might include:

• Microsoft Azure Administrator
• AWS Solutions Architect
• CCNA
• CISSP
• CompTIA Security+

These indicate a commitment to professional development and deep technical knowledge.

MSP’s Own Security Posture

• How does the MSP protect itself (and thus your data)?
• Do they follow best practices?
• Are they SOC 2 compliant?
• Do they perform regular security audits on their own systems?

Reporting & Communication Frequency

• How often will you receive performance reports?
• What metrics are included?
• How are Quarterly Business Reviews (QBRs) conducted?
• How is technical jargon translated into business‑relevant insights?

Break/Fix vs. Managed Services

Understanding the fundamental difference between these two models is crucial when selecting an MSP. While break/fix seems cheaper upfront, its hidden costs and risks are substantial.

The MSP Contract: Blueprint of the Partnership

Service Level Agreements (SLAs)

SLAs are non‑negotiable. Ensure they are clear, measurable, and align with your business’s operational needs. Look for specifics on:

• Response Times: How quickly will the MSP acknowledge a ticket? (e.g., 15 min for critical, 1 hr for high, 4 hr for medium).
• Resolution Times: Targets for resolving issues based on severity (e.g., 4 hr for critical, 8 hr for high).
• Uptime Guarantees: For critical infrastructure (e.g., 99.9 % network uptime).
• Escalation Paths: A clearly defined process for escalating issues that aren’t being resolved satisfactorily.

Example SLA Configuration

{
  "SEVERITY_P1": {
    "DESCRIPTION": "Critical System Outage / Data Loss",
    "TARGET_RESPONSE_TIME": "15 minutes (Initial Contact)",
    "TARGET_RESOLUTION_TIME": "4 hours (Best Effort for Root Cause/Workaround)",
    "COMMUNICATION_FREQUENCY": "Every 30 minutes until resolved",
    "ESCALATION_PATH": "Helpdesk Tier 1 -> Tier 2 -> On‑Call Engineer -> Service Manager"
  },
  "SEVERITY_P2": {
    "DESCRIPTION": "Major Functionality Impaired",
    "TARGET_RESPONSE_TIME": "1 hour",
    "TARGET_RESOLUTION_TIME": "1 business day",
    "COMMUNICATION_FREQUENCY": "Every 2 hours",
    "ESCALATION_PATH": "Helpdesk Tier 1 -> Tier 2 Lead"
  },
  "SEVERITY_P3": {
    "DESCRIPTION": "Minor Issue / Request",
    "TARGET_RESPONSE_TIME": "4 hours",
    "TARGET_RESOLUTION_TIME": "3 business days",
    "COMMUNICATION_FREQUENCY": "Daily"
  }
}

Inclusions & Exclusions (Scope of Work)

Clarify what is covered under the monthly fee and what constitutes additional, billable project work. Common exclusions might include:

• Major hardware upgrades or replacements.
• New software license purchases.
• Development of custom applications.
• Extensive project work (e.g., office moves, large‑scale migrations).
• On‑site support beyond a specified frequency or travel radius.

Always ask for examples of “in scope” vs. “out of scope” for specific scenarios.

Onboarding & Offboarding

A smooth transition is essential. Ensure the contract outlines:

• Detailed onboarding steps (asset discovery, documentation, access provisioning).
• Knowledge‑transfer procedures.
• Offboarding steps (data handover, revocation of access, termination of services).

Onboarding

• How will the MSP learn your systems, deploy their tools, and integrate with your team?

Off‑boarding

• What happens to your data, configurations, and documentation if you decide to switch MSPs? Ensure data portability and access to historical records.

Contract Length and Termination Clauses

• Be wary of overly long contracts (e.g., 3+ years) with punitive early‑termination fees.
• Look for reasonable terms, ideally with annual renewals or clear exit strategies.
• Understand notice periods required for termination.

Billing and Payment Terms

• Confirm the billing cycle, accepted payment methods, and any late‑payment penalties.
• Ask about any potential hidden fees or charges that aren’t explicitly outlined.

Regular Reviews and Reporting

• The contract should stipulate regular performance reviews (e.g., Quarterly Business Reviews – QBRs) where the MSP presents:
  • Performance metrics
  • Strategic recommendations