I recently read an article (in a CIO magazine of all places) posing the question of whether MSPs should be offering CIO services to their managed customers. At first glance, you may ask, ‘why wouldn’t an MSP offer CIO services to their customers?’ CIO (sometimes called virtual CIO) offerings deliver valuable consulting and advisory services to customers who need high-level IT strategy advice, chiefly because they do not have anyone on staff to fulfill that role. MSPs are frequently in a good position to offer these services to their customers.
But are there any scenarios where the MSP should not deliver a CIO type of service to the customer? Let’s examine two common situations where a virtual CIO service offered by an MSP might be problematic.
Segregation of Duties
What is segregation of duties? According to Wikipedia, segregation of duties “is the concept of having more than one person required to complete a task.” For those of you not familiar with this concept within the context of managed services, segregation of duties means separating the responsibilities of a particular control or process and having more than one person participate in the delivery of that control or process. The reason for this is to prevent the fraud or error that can occur when a single person is solely responsible for the control or process.
The principle of segregation of duties is important for MSPs and is even embedded within the MSP/Cloud Verify program, to prevent intentional or unintentional actions by MSPs which could damage networks and systems, both internal and customer. Having an MSP perform managed and cloud services as well as serve as the CIO could be problematic if the appropriate controls are not in place.
If the customer is in a specialized field, it goes without saying that any MSP not possessing that domain-level business expertise may not be capable of delivering true CIO services. However, this is different from an MSP operating in a specialized field and providing IT guidance, even without knowledge of the customer’s field.
For example, there are quite a few medical providers who are experts at delivering medical services but completely ignorant about IT. In this scenario, the MSP acting as CIO would be appropriate, provided they a) understood enough about the medical field and b) had the appropriate controls in place to deliver both consulting and managed services.
CIO or consulting services are highly desired by managed services customers. I also understand the need for segregation of duties and relevant domain-level expertise as prerequisites for delivering these solutions. Should we have a blanket rule that says MSPs cannot/should not also deliver CIO services? Probably not. Should MSPs be aware of possible conflicts of interest and other risks when delivering CIO solutions? Absolutely.