You’re Only As Good As Your Weakest Vendor
You invite someone to a party. When that person shows up, they have brought 5 more people with them, and you don't know any of those 5 individuals. This is a great analogy for how customers view MSPs who bring undisclosed 3rd parties into a managed services relationship.
MSPs have always relied upon 3rd party organizations to help deliver managed services. These 3rd parties could be data centers, remote monitoring software, even other MSPs. The point is, this is not a new practice! It has been going on for decades.
Use of 3rd parties is not only an acceptable practice in managed services, it is also a practical necessity. Most MSPs do not have (nor do they need) all the capabilities required to deliver their managed services to customers. It is much easier for an MSP to partner with a 3rd party to host internal or customer servers rather than build a data center.
Now that we have established the usefulness and appropriateness of involving 3rd parties in the delivery of managed services, let's turn our attention to how these 3rd parties are used.
3rd Party Disclosure
The issue of 3rd parties comes up so frequently that I feel safe saying it is a global characteristic of the managed services profession. MSPs need to bridge the gap between using 3rd parties and telling their customers that they use 3rd parties. It is likely a form of insecurity, a sense that using another company to perform a specific managed services function is somehow wrong. MSPs privately communicate this business practice to other MSPs in the profession all the time. So, why not disclose it to customers and prospects?
There are a lot of reasons why disclosure doesn't happen as often as it should, but whatever those reasons are, the practice of withholding it needs to stop immediately. Failure to disclose 3rd parties is not a best practice, and it may also add significant risk to both the MSP and its customer.
There are some regulated and geographic markets where 3rd party disclosure is required. Financial services and GDPR-covered entities immediately come to mind. In the US banking industry, use of 3rd parties when delivering a managed service is a question of security: is the MSP properly managing its vendors, and do those vendors increase the risk to the bank?
In Europe, GDPR now addresses 3rd parties with access to European personal data. These 3rd parties must be disclosed via the consent requirement of GDPR and must be managed by the customer (or by the MSP, in the case of a sub-service provider relationship). The unauthorized use of 3rd parties without disclosure to the owner of the personal data can come with significant liability.
Vendor Management & Risk
MSPs are responsible for the 3rd parties they introduce into a managed services relationship. The more 3rd parties they use, the more management and due diligence they need to apply to keep those companies performing and to keep their risk at a reasonable level.
Ultimately, customers just want to know that 3rd parties are being managed by their MSP. If the MSP manages the 3rd party effectively, then there should be no risk flowing through to the customer.
Voluntary Disclosure vs. Forced Disclosure
I have been saying for a long time that MSPs need to enact and hold themselves to internally defined best practices and standards of conduct if they want to avoid official licensure or direct regulation. To date, there is no direct regulation of MSPs. But those days could come to an end if we don't begin to change.
My advice to MSPs is to start using your 3rd parties as a positive selling point for your services. If your 3rd party is not a positive to your organization, why are you doing business with them?