Fully Managed vs Co-Managed IT: Choosing the Right Security-First Model

Speaker 1 00:02

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.

Jason Pufahl 00:10

Welcome to CyberSound. I’m your host, Jason Pufahl. We have a big group, actually.
I was just told that this is our biggest group on any podcast that we’ve had. I think we’re going to do it slightly differently today, which is ask you all to quickly, like five seconds, who are you and what do you do? Maybe, Michael, I’ll start with you today.

Michael Grande 00:33

Sure. Thank you.
Excited to be here today and talk about this subject. I’m Michael  Grande. I’m the CEO of Vancord.

Dan Kaupp 00:41

Good morning. Dan Kaupp, VP of Professional Services here at Vancord.

Jim Riley 00:47

Morning. I’m Jim Riley. I’m here on the infrastructure team at Vancord.

Lou Ardolino 00:52

Good morning. Lou Ardolino, VP of Client Success here at Vancord.

Jason Pufahl 00:58

All right. We assembled a big group because we want to actually talk a little bit about our managed services. We get a fair amount of questions. What is a security-enabled managed service provider? I think that’s a little bit of a unique term, one that we tend to use. But then also, we have people talking all the time about, well, why would I need a fully managed offering or can you actually work alongside of our existing IT folks in a more co-managed offering? This is probably going to be a little bit more of a discussion around how does an MSP typically engage? What do we do? Maybe that brings a little bit of something different to the service.
What are the different models? The objective here, if you’re thinking about managed services, if you’re thinking about how to at least maybe even augment work that you’re doing, what types of qualities do you want to discuss with the companies that are out there? Certainly, Vancord being one of them, there’s a whole bunch. We think we do it differently. We hope we do it better. Maybe, Michael, if I could start with you. From your perspective, and you’ve been in this business for a long time now, why do you think the conversation is coming up so often, and even almost more recently, more often?

Michael Grande 02:24

Yeah. I think the conversations and the needs from a diverse set of clients has evolved over time. Maybe what traditionally was viewed as technology services and service provider years ago from a value-added reseller or an integrator perspective has evolved into managed services.

That’s now evolved into much more of a security focus. Obviously, every organization is seeing so much increase in their complexity, the levels of applications that they’re running, the types of technology that they need to implement. They need support in a variety of different areas.
Some organizations need a full suite of support. They need from the desktop to the data center. Some may only need specific services that fit into what their team maybe doesn’t have capacity to do or may not have expertise. We’re seeing the pressure for cybersecurity, of course, continue to evolve and enhance. Then at the same time, the traditional support model of just remote help desk has changed drastically. I think we’ll talk about a few reasons why, but those are probably the key drivers that we’ve seen from a lot of our different clients across the spectrum of industries and sectors. They have very similar issues when it comes to why they’re reaching out and need help from a service provider like us.

Jason Pufahl 03:52

Lou, you all coined the term security-enabled MSP. Maybe spend a second on that and tell people what that is in plain English. What do we deliver in that?

Lou Ardolino 04:07

I think, it really means security is baked into the day-to-day operations of IT. It’s not bolted on after the fact. Ten years ago, managed services meant patching servers, running antivirus, helping to fix help desk tickets. Today, those things are table stakes. The reality is most breaches start with stolen credentials or phishing, not on patch systems. We have to include things like MDR, 24-7 SOC, monitoring, security awareness training, MFA, dark web monitoring. The focus has shifted, certainly from just keeping systems running to actively defending the business. If you’re reachable, you’re breachable. There you go.

Jason Pufahl 04:56

Dan, you deliver all of this. How does what we deliver today differ from what organizations may have currently to what we might be able to provide as an augmented service? How do we actually engage?

Dan Kaupp 05:14

To pile on what Lou was saying, traditional managed IT feels so 1990s to me, ultimately. A lot of the things that Vancord takes for granted, to Lou’s point, we bake in cybersecurity pieces into our standard managed service offering. We’re really focused on specifically tying together on the backend, our complete offensive and defensive security team, along with our strategy and compliance team, into our managed service service desk that actually delivers those outcomes to our customers.
We strive for full transparency with our customers. Which, if you look back at the managed IT model, it reminds me of the SNL skit where you call in the IT guy and he’s like, move, and he starts typing really fast. We’re sort of next generation.

Jason Pufahl 06:20

Work alongside them. Don’t make them get out of the way.

Dan Kaupp 06:23

That’s right. Exactly.

Jason Pufahl 6:29

Michael, when security isn’t embedded the way that we feel that we have, how does that manifest itself in the relationship? I assume not positively.

Michael Grande 06:41

Not great. I like the multiple throwbacks to the 90s. They were great times for a lot of reasons, but maybe our IT infrastructure and other relationships or other things weren’t as seamless and frictionless as they are today.
I think that friction that exists and the trust level. From our experience, when we work with a client or a prospect who isn’t interested in what Lou absolutely hit in the head, essentially table stakes of what we need to deliver and how we need to deliver it, it’s not necessarily just a stack, a technology stack. It’s much more than that, and it’s ensuring that there’s layers of appropriate defense and security built in.
There’s always frustration. It has negative outcomes, really, from the beginning. We aren’t able to set them on a roadmap and a path that we really want all of our clients to feel comfortable and understand that it’s a relationship, there’s a trust relationship there on what that roadmap looks like.
There’s always the potential for a lot of finger pointing. You didn’t tell me I needed this or we weren’t sure that we had to implement this different system or, hey, this isn’t efficient for our business operations and it’s holding us back from being productive. Those are all concerns, for sure, that we need to address.
But I think in order to instill confidence, we need to have clarity, we need to have transparency in what we’re talking about, and we need to have that communication early on. If we establish that early, the rest of the relationship has been built on a really solid foundation, and I think that’s always a key to success for us.

Jason Pufahl 08:24

So, Jim, you get firsthand visibility into the pain points that customers bring or clients bring often to the relationship. Spend a minute, if you would, what are the things that often they’re frustrated with internally or maybe that you identify right away as opportunities for us to make improvements? Why are people using services like us? What are their problems?

Jim Riley 08:50

I think, first of all, when they come to us, a lot of times there’s infrastructure that’s grown over the years. There’s maybe systems that have been rolled out by previous techs. There might be a team of people that’s no longer there, that used to be on top of a system.
The new people there or whoever’s in charge might not be clear on how something works. They’re afraid of it. They don’t want to touch it.
That’s a house of cards kind of feeling. They might have a feeling like they don’t really know who has access to what. They don’t have visibility into which devices are on their network even sometimes.
There might be shadow IT that influences the security of their business without them even knowing. Often, these people are just trying to keep things rolling. They’re firefighting.
Their hair’s on fire sometimes or it feels like it. They can come to us and we can comb through it and get a much better idea of what’s in place and what needs to change from a security infrastructure standpoint.

Jason Pufahl 10:05

Regardless of whether we’re fully managing somebody’s network stack or services or co-managing, onboarding is a key piece of what we typically do. We’ve spent a lot of time. I know, Dan, you in particular have given a lot of thought to what does onboarding look like? How do we really learn that environment? Then also, what qualities are we looking for when we onboard somebody so we better understand to some degree what risk we’re taking on but also what some of those opportunities are? Can you spend a few minutes on onboarding, the security posture assessment we do and what that engagement looks like?

Dan Kaupp 10:49

Yeah, sure. It’s like I always tell our customers. Onboarding is maybe the most important time that we spend with a customer for a bunch of reasons. It goes back to what Jim was saying. Customers don’t know what they don’t know. We get into situations where they had an incumbent vendor, maybe that was mismanaging things. Ultimately, I think a lot of times it just comes back to, hey, we don’t know. We’re in the same boat. When we bring on a customer, we don’t know. Onboarding is really focused on enabling our team to know through a lot of looking at configuration, configuration review, a lot of documentation, filling in our documentation management system, creating a brand new shiny visual representation of the environment. I always like to say, getting our tool set deployed. All of that really enables our security gap assessment, we call it, where we essentially ascertain the baseline that the customer is at from a security standpoint. What is the customer’s attack surface? What does it look like? Then what is a minimum viable attack surface look like? Our focus is to narrow that gap. That’s why we call it a gap assessment. Ultimately, it’s a fairly wide scope of things that we look at, starting with the edge of the network, firewalls, DMZ, internal servers, all the way down to what are your user endpoints look like? I always like to say users are the biggest threat to environment. Typically, part of the onboarding is also getting security training and phishing training stood up for the internal users. Try to go at all of that. The outcome there, again, back to full transparency, the outcomes there is a report back to the customer of, hey, this is all the things that we found that don’t follow best practice, don’t follow cybersecurity practices that we remediated, and here are the things that we need to have further conversation about. All of that goes back to enabling our team to provide that fast, efficient, accurate service to the customers.

Jason Pufahl 13:42

Lou, you’re obviously directly engaged with clients from a success standpoint. You see the onboarding, you have our customer business reviews that occur pretty regularly. Can you spend a second on just how important that early discovery phase is to sort of establishing that tone and building trust?

Lou Ardolino 14:07

Yeah, I think it’s really important. As part of my role, along with the account executive that works closely with the customer, I am shepherding that customer in the early stages, even during the sale portion of it. When we bring the onboarding team in to start the onboarding, I’m engaged part of it along with that technical team. Once the onboarding is completed, like Dan mentioned, it sets the stage for our first customer business review. We don’t call them quarterly business reviews. We call them customer business reviews because they might not be every quarter. They might not need to be happening every quarter, but that first onboarding closeout meeting, once we review everything that we’ve done for them, is essentially our first customer business review. We set the tone and we set the roadmap for that customer’s journey right from the beginning. It’s super important to be part of that so there’s no surprises later.

Jason Pufahl  15:17

We’ve briefly mentioned the idea of being fully managed or co-managed. Here’s the part of the podcast where we actually tell you what those are and what the distinctions are. I think we have a lot of both, and I think we have an increasing number of those folks who are probably co-managed. We’re working with them to assist. Dan, could you spend a minute? What is fully managed? What is co-managed? What are the key differentiators?

Dan Kaupp 15:48

Sure. I’ll try to do them justice. First, from a fully managed IT perspective, this is where typically the primary stakeholders or stakeholder at the customer is maybe a CFO or CEO type. They’re looking to us to be their IT department. That’s really the key. From an approach standpoint, there’s slight nuances, but ultimately, we like to take the same approach from a tool set standpoint, from an internal process standpoint that we take with every customer with some slight differences. Back to my point about seamlessly integrating our complete cyber security team, our strategy and compliance team with our service desk is to operate in either a fully managed environment where we are the IT department and bring those security elements to the relationship and to our approach. In a co-managed IT situation, the difference would be that the stakeholders at the customer are typically an IT department of sorts. Typically, the co-managed customer knows what they’re capable of. They know their capabilities and then they know where they need help. That’s where we come in. There’s customers where we’re delivering just network management or cases where we’re delivering just level one help desk support because they have their internal team focused on more of the strategy, the higher level stuff. Then the flip, the inverse is true as well where they have really good technicians. They handle all the level one and escalate to us and then look to us for strategy and compliance, really leadership because they understand that that’s not their sweet spot. It might make sense for others to pile on what I’m saying there, but I think overall that’s a high level of difference.

Jason Pufahl  18:14

I think that’s a good summary. I’m interested, Jim, in what does engagement feel like to you if it’s fully managed versus one maybe where you’re a little bit more integrated with an existing IT team?

Jim Riley 18:29

Sure. From a fully managed perspective, we feel we can bring our experience and advice and in our team to help make important decisions from a security standpoint, from an infrastructure standpoint on behalf of the customer. Of course, with their approval in partnership with them, but having a full team of people here that can act like a plug-in IT team top to bottom to make a difficult decision is something great that the customers can lean on. From a co-managed standpoint, a lot of times our customers already know which direction they want to go in for a new direction, whether it’s a new piece of infrastructure, a new technology, a department’s asking for something to be rolled out. We’re there just to help that happen, to reach their goals, to help them make decisions, but really they’re driving the bus. Both have their advantages. Sometimes it’s a little bit somewhere in between, depending on capabilities on their side and how busy they are with other things. Sometimes they have the knowledge to make those difficult decisions and roll out complex systems, but they’re just too busy keeping their day-to-day operations going.

Michael Grande 20:12

Jim, you once used an example I really liked, which is in a fully managed environment, sometimes the client is waiting for us to make the recommendation of where we want. They have an idea, but they really need us to deliver end-to-end that solution in some way, the roadmap, the project plan, whatever it might be. We’re pulled in from that perspective. Hey, we’d like to get here, but we don’t really know the way, versus in the co-managed, which is we’re a sound board, maybe a little bit more. They already have a decision or a path they’d like to pursue. How do we act as a force multiplier in those settings and support the needs of the organization as it evolves? I always like that example that you used in the differences between the two.

Jim Riley 21:00

Absolutely. In both situations, they work best when there’s somebody on the other end that’s invested in helping make those decisions. Our easiest clients to deal with have communication that’s always open with us. I love working with customers that know their capabilities, know the time they have to devote to an issue, and they rely on us to fill in the gaps, whether that’s in a co-managed situation where maybe they’re doing research and bringing something to us that they’re saying, we’d love to roll this out, but we don’t have time to do it. Here’s what we want to do. Here’s the timeline, whereas in a fully managed situation, we might identify those things that we feel would be the best solution for them and advise them. It comes down to how well we can communicate together. I think that’s one of our strengths here is just integrating with our points of contact and our customers to make them feel like we’re on the same team, whether that’s a co-managed or a managed situation.

Jason Pufahl 22:26

That was a great answer because I think it did sum up so much of what we try to do internally, which is really, really value the collaboration. Honestly, that we have internally among the different teams, but then also externally with our clients. I think, Lou, you’ve spent a lot of time over the last few years building out and improving the business reviews for the specific intent of getting better information from clients where we fully manage. We truly might be dealing with or working with somebody whose background is in IT and then utilizing that same format for organizations where we’re partnering with them in that co-manage. If you could spend a minute on really your philosophy around the customer business review and what you think often we get out of those.

Lou Ardolino 23:20

We’ve been doing a lot of them. It’s really where the technology strategy meets the customer’s business reality. Most of the time, we are meeting with the customer on a quarterly or semi-annual basis, but it’s structured in a way that we step back with the customer and we evaluate the entire environment. It’s not a ticket review or a technical deep dive. It’s more of a strategic conversation with the customer about their business priorities, of course, their security posture, risk and remediation, upcoming projects, their growth plans, infrastructure changes, but it’s designed to keep everyone aligned. Leadership, internal IT, if it’s co-managed, and us as the MSP. If we don’t do that on a regular basis, the environments tend to drift. Security controls don’t get implemented or they’re not revisited. It’s important to show them where they stand from a risk assessment. One of the things we like to do is we build on that onboarding project that Dan mentioned earlier and spoke about earlier. We take those recommendations that come out of the onboarding and we put them into a roadmap and we score the customer every time we meet. If their improvement increases, they get a better score. We check off what projects they’ve taken on and it’s all to make them better. Continuously aligning the technical environment with the customer.

Jason Pufahl 25:28

I’m going to stick with you for a second, Lou, because you really are involved in almost all of the initial conversations as we’re talking the pre-sales part. How do clients decide whether they should be fully managed or co-managed? I imagine there’s a couple of pretty straightforward criteria for that.

Lou Ardolino 25:47

I think that going back to how Jim and Dan explained it, we’re not really replacing their IT, we’re reinforcing their IT. If there’s a need to reinforce their bench with our technical bench, then that decision is made to get into that co-managed partnership. A lot of times, it’s the sweet spot for organizations and for security-enabled MSPs like ourselves. Most internal IT teams, from the customer perspective, don’t want to outsource everything. They want to stay involved, they want to keep ownership of the environment. It’s really helpful when we can bring in the scale of the bench, the tool sets, and the specialized engineers. I think that decision is made early on in the vetting process, in the sales process. Once we get to the contract and onboarding, it’s already established and all stakeholders come to the table during the onboarding.

Jason Pufahl 27:06

Now, Michael, I’m sure there’s a bunch of reasons, maybe financially, why clients might work with Vancord. I’m curious, how often do we see a client maybe evolve from co-managed maybe to fully managed? How much of a driver with working with a company like ours is keeping W2 costs down, things like that?

Michael Grand 27:31

Yes. I think we’ve experienced all aspects. We’ve seen folks who maybe are growing and scaling and have evolving needs from a technical perspective throughout their life cycle.
Perhaps they started without an existing IT staff, but have grown to a place where they have multiple locations and multiple complexities. They have some level of technology support native to the organization, and they’ve transitioned from a fully managed to co-managed. I think, ideally, our flexibility and this transparency and communication cadence that we maintain with our clients, it’s never a surprise. In some cases, this is what I think makes our client success team so valuable, not only the CVR process, but we’re seeing this on the roadmap. We’re able to understand that. Hey, you’re adding these new businesses, you’re expanding this, if it’s a manufacturing company, you’re expanding it to new territories, you’re doing other things, you’re opening up new warehouses. Maybe geographically, there’s changes. I think there’s a different use case in each scenario. We’ve seen it pretty consistently. It works in varying models. Very, very large organizations sometimes tend to really like the co-managed concept. Very, very small organizations don’t know, and we guide them along that path. But I think there’s always the right flavor to pick from, and we want to work from a budget perspective so that there’s clarity, and they could set expectations on what their budget needs to look like.
You hit one of the bigger points. We bring a team that has expertise in a variety of areas. Really hard to staff that up with internal employees that have the depth and breadth of experience and expertise that we may have or we do have.
I think it’s a win-win from that perspective for the client when they engage with us.

Jason Pufahl 29:44

Dan, it occurs to me, not that many years ago, I think there was a strong inclination by clients that we were local, that their service provider was within maybe a couple hour driving distance to be able to solve the problem. We have obviously spent a lot of time on ensuring our services are delivered remotely with the same quality as if we were on site. Can you spend a minute on that? How important is it really to be close by and does it matter?

Dan Kaupp 30:17

Yeah, so I sort of go back to the 90s again, right? Where it did matter. But the reality is now it’s 2026 and, you know, I always talk about tool set and enabling our team with tool set, right? And a lot of times it does come back to tool set. We have the ability to resolve customer issues, challenges much quicker with the technology remotely than we do, you know, rolling trucks, right? What we always say is for those customers that are either local or remote, we’ll roll trucks if we need to. But we would certainly first like to just solve the problem remotely because it’s just more efficient, quicker for the customer, your folks can get back to work, right? Like that’s the reality of the situation.

Jason Pufahl 31:16

Yeah, and I would imagine we have a lot of customers that actually have pretty either fully or largely remote workforces anyway. So it’s probably less of a focus.

Dan Kaupp 31:27

And a lot of the tech that we’re even implementing now on behalf of customers, right? Like Intune comes to mind, continues to sort of drive a more enhanced ability to not only fix things remotely, but avoid needing to.

Jason Pufahl 31:44

So in closing, you know, maybe a quick, you know, 30 seconds, 15 seconds each around the horn. You know, anything that you feel, you know, Vancord brings to the table that, you know, is unique or you’ve found that clients just really like with engaging with us. So I see, you know, Michael, you’re nodding. I’m gonna go with you first

Michael Grande 32:06

All right, well, I’m gonna take the easy, the low hanging fruit here, which, you know, I think it’s trust. It’s sort of a history built on trust and, you know, one of the things that our clients continually tell us as we go and seek feedback and try to improve our processes, nobody’s perfect, we’re not perfect. And we’re trying to help our clients on the road to perfection, but there’s a trust relationship there and it’s always evolving. The communication’s a big piece of it. I don’t wanna steal other thunder here, but I think those things sort of build together and always lead, they’re in the ingredients to success, and I think we’ve found a way in our history, over 20 years of doing this now, where we sort of maximize that level of trust and we’re an extension of a team, no matter how it comes down.

Jason Pufahl 32:57

Jim, what do you think?

Jim Riley 32:58

From my perspective, I wanna fix whatever problem the customer has just as much as they do. And I think that mindset is shared amongst our team. We wanna have things obviously be as smooth as possible so we can predict problems and act on them before they become an issue. But if there is an incident, we wanna be in the right place at the right time, we are, to help people get back on track as quickly as possible. And that’s what our customers rely on us for. And we build that relationship and our customers come to expect it. And like Michael said, it’s all about trust. And that’s what we build along with just our technical capabilities. It’s about that relationship, that trust and just showing that we’re here for success with our customers, not just some vendor on the other side of the phone.
We’re in this together.

Jason Pufahl 34:07

Yeah, that’s the important part. Dan?

Dan Kaupp 34:10

Yeah, I’m trying to come up with an answer that doesn’t involve saying the word trust.

Jason Pufahl 34:17

Yeah, it’s never good to go last. I put Lou there on purpose because he’s got flair. So he’ll close it out.

Dan Kaupp 34:25

Yeah, much more creative than I am, right? But I think a huge reason that I haven’t done the math in a little bit, but I can’t, hundreds of years of experience is what our team has, right?
We’re trusted. It’s easy to build trust as an engineer, I always like to say, because we know more than our customers. But the truth is, right, to pile on to what Jim says, not only do we know all the things, we care, right? And that is huge. I don’t know how many times I’ve been on the phone with customers and asked them how things are going and they can’t speak enough about the specific engineers, techs, security engineers. It’s like every time a customer gets the opportunity to interact with another one of our people, and usually that is because something bad is happening, they just don’t have enough good to say about that interaction, right?
Every single time.

Jason Pufahl 35:30

All right, Lou, let’s wrap it up with you.

Lou Ardolino 35:32

Yeah, I think it’s trust.

Michael Grande 35:38

Good answer, good answer.

Lou Ardolino 35:42

Honestly, it goes back to our very strong bench. Our human expertise operating together with the technology that we support and deliver. I can’t tell you how often we have conversations with customers that they’re just so happy with the way that our team, Jim in particular, and, and our engineering bench from the, you know, from the infrastructure engineers to the security engineers, it just goes a long way. Our, our deep, our deep knowledge in all the technologies that we support. It just makes my job easier from a client success perspective. Um, and I think that’s one of the things that, that really stands out when we’re, meetings with the customer, they, they’re always very, very happy with our technical expertise.

Jason Pufahl 36:44

All right. Thanks. Thanks everybody for participating.
Uh, I mean, I think, you know, honestly, I think we bring a, a level of collaboration, uh, and capability that sort of stands apart, uh, integrating all the security into our offering is a, is a huge differentiator. Uh, you know, this feels probably a little bit more like a Vancord advertisement than we often do with a, with a podcast, but, but honestly, we, you know, part of the expectation here was to give a little clarity on how these services delivered, what types of things should you be looking for with an MSP, uh, you know, hopefully, you know, listening to this makes you at least want to chat with us a little bit if you are considering it, uh, cause we do think we bring something unique and special to the table, uh, but you know, if you’ve just, just, it’s just got general questions around, you know, the services that you could expect from a company like ours, we’re happy to chat and just reach out any time.

Speaker 1 37:34

We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.