The Myth of Managed Services (Full MSP vs Partial)

January 15, 2009

I talk a lot about Managed Services for credit unions. This should be no surprise. I want to be clear about what I mean when I talk about Managed Services. 

Sometimes I can hear people say, “Oh, I use Managed Services for security. …..Someone manages my firewalls and someone does my pen testing……… Someone does this and someone does that……..” 

I am not referring to this type of service at all. 

I am not suggesting that these services aren’t appropriate or warranted. In fact these services are critical as a part of one’s information security program. These are services are Partial MSPs and not Full.

With Full MSPs, I am referring to providers who are actually accountable for the security of your credit union. I am referring to an MSP that is responsible for the day to day operations of IT in addition to the compliance needs of the credit union. These are MSPs that actually can ‘stand in’ on behalf of the CU and answer questions for the auditors.

I hope this clarifies my meaning, and that if you have not been thinking of Managed Services in the context now you can.


Device-Focused MSPs Fail to Deliver Comprehensive IT Solutions to Credit Unions

January 1, 2009

I have had it with big companies attempting to monitor and manage small to medium business. Dell, HP, Ingram, and the list goes on, are now offering programs that only local businesses can deliver in a quality manner. And now Sonicwall has rolled out a managed security service. 

I am disheartened to see big vendors getting into Managed Services Programs (MSP). Big companies that stand up NOCs (somewhere) and try to deliver quality MSP services are not the route to success for a credit union. 

Credit Unions need to consider the following when selecting a good MSP:                                                                                     

  • How is third party due diligence  (covering insurance coverage, hiring, security controls, financials, etc.) handled? If your hard working IT manager has to rattle around to his vendors for this information then you have the wrong vendor.
  • What is the Disaster Recovery plan of the MSP? How can they help you?
  • How do they cover compliance and infrastructure?
  • Who owns them? Are they absent or involved?
  • Are they focused on growth for growth’s sake? Is there a reason for growing? What are their plans to handle growth?
  • Is the MSP focused on device management or is the MSP focused on being a trusted partner that will support the credit union from Architecture and Design all the way to Tier 1,2,3 IT operations support? 

I own a local MSP business that supports credit unions, and I strongly believe a credit union must partner with an MSP provider who has a vested local interest in the industry, the market, compliance needs, and all the other details and complexities that tend to escape large companies attempting to shoehorn “one size fits all” into the market. 

In my humble opinion, manufacturers of IT products like HP, Dell, Ingram and Sonicwall, should focus on building great products and less on delivering Managed Services.

Managed Services for Credit Unions: The Difference between Surviving and Thriving

December 15, 2008
When I search the internet, I see virtually no mention of managed services in the credit union space. This surprises me. 

I hear too many credit union CEOs wonder how to survive. I offer an alternative vision for what is possible for your credit union: Thriving. 

And I assert that any credit union from $20 million to $200 million in assets must be using a Managed Services Provider in order to thrive.  

Think this is a bold statement? Perhaps it is. Let’s look at the facts before you decide. 

Small to small/mid credit unions are faced with managing a level of IT complexity that no other business of the same size must manage (other than, perhaps, health care). The complexity is created because of five requirements: 

  1. Compliance
  2. Security
  3. Third party relationships (e.g., ATMs, Shared Branching, Home Banking, Core Processing, Fedline)
  4. Disaster Recovery
  5. Infrastructure Operations 

No small to small/mid credit union can effectively manage IT through in-house staff alone.  Staying focused on driving member value is critical. Diverting the IT department to review  and maintain “plumbing systems” when they could be reviewing, implementing, and evaluating systems that enhance the value of the credit union in the eyes of the members–that is where IT has to be focused. Resource coverage in the areas mentioned above is too challenging, and too risky to try with only in-house staff. 

In the IT space, a step that supports thriving is outsourcing your IT operations. Hire a Managed Service Provider (MSP) who can handle all the blocking and tackling of the five items I listed above. 

I have noticed that a credit union that has reached over $100 million in assets typically has one person on the IT staff who is smart and capable. Without an MSP in place, this person invariably ends up trying to do everything. Rather than tying up this valuable resource on housekeeping chores, have your MSP report monthly to this person. Require that the reporting be compliance based in nature and not all technical; if this is not required then you are still saddling your key IT Manager with the burden of producing the proof needed each month. 

I can’t stress this point enough: Shift your key manager’s focus to member-facing projects and have the MSP deliver the rest. This will put the company on the road to thriving and, from a professional growth perspective, it places your “shining star” IT employee in a position of managing the plumbing versus doing the plumbing, which should be a welcome step up for any bright, ambitious manager.


What’s Wrong with This Picture? (and How to Put It Right)

November 15, 2008


“I’m the CFO, it’s not my job to worry about IT.”


I have noticed an interesting trend over the past several months that I find exciting. This is the heavy involvement of Finance (Controller and CFO) in IT, not just in decision-making and approvals of IT investment, but in the strategic planning process. I am very encouraged by this.


If your senior financial management is not involved in the IT function of your company, I strongly suggest that you consider fixing this situation. Here is a cautionary story that illustrates the problems that a company can face when it doesn’t involve non-IT decision makers in the IT planning process. It illustrates why the CFO must care.


We had a non-credit union client recently who was experiencing tremendous pain around complaints from a user community of about 350 users distributed over 14 sites. They had just had a turnover of IT management at the highest level, and this is where I got involved.


The user community complaints were actually a symptom of a much deeper and more serious issue.  In the course of our engagement with senior management, we uncovered eight years of executive management neglect of the IT function. It wasn’t malicious neglect; it was unintentional neglect that arose from a lack of a vision, strategy, and long term IT roadmap upon which to base financial and management decisions. There had been no involvement of non-IT executives; as such, IT was not aligned with business vision or strategic objectives.


How did this happen? How did they get themselves into this predicament? Here are two examples among several:


  1. Their WAN was creaky and old (one of the oldest I have ever seen), but there was no attention on uplifting the infrastructure as part of an iterative and ongoing strategy. A major core business application was rolled out to all sites across , and since no attention was paid to shoring up the infrastructure before application installation, infrastructure performance took a steep (and problematic) drop.
  2. The company was encouraged by their VoIP vendor to purchase a brand new VoIP system. Three integrators later, they were left with the most complicated VoIP routing and switching installation I have ever seen. To make matters worse, they have never received the expected value from the investment.


The good news is that we are working with management to fix things. The company must now allocate significant spending to IT in order to make up for the years of little to no investment in infrastructure, disaster recovery, compliance, and other key program components. Though this is a somewhat bitter pill to swallow, it has had the good result of gaining the CFO’s attention and interest.


The new IT goal set collaboratively by the IT manager, the CFO, and the Controller is stable, simple, and maintainable systems that produce happy users. They wanted a high quality ‘austere’ network—not “cheap,” but “no frills.”


This company also made the decision to go with a Managed Services Provider (MSP) as part of a strategic move to focus their limited but talented IT resources on core business activities. They determined that as far as third-party relationships, they didn’t want a tactical IT partner—that is, a provider that only manages a device or set of devices. They wanted a partner that would participate in strategic planning, design, and architecture, as well as a partner who could assist them in day-to-day management of sophisticated devices from Tier 1-Tier 3 support.


Areas that we recommended they turn over to an MSP encompassed much of the security infrastructure, including the DMZ, firewalls, SPAM filters, SSL VPN, Load balancers, QoS devices, AD, Servers, and Consolidated Event Management. (The caveat, of which they are cognizant, is that an MSP can only be brought in after their infrastructure has been assessed and remediated.) Hiring and managing the in-house talent to effectively support all the equipment listed above would run $80-110k per year; the MSP we recommended performs the same services for $48k per year.


One of their primary goals, right after end user happiness, is network stability for the VoIP system. We encouraged them to focus on simplicity in order to make the network able and supportable. Since they had determined that they did not want their core IT staff supporting a non-business value add system then this system also had to be simplified so that the MSP taking over the VoIP management wasn’t saddled with the same issues.


We continue to work with senior management on effective IT strategy. As far as next steps, the CFO wants an IT roadmap, that is, a doable plan that is sized right for the company. Immediate action items include:


  1. Data Center power distribution and re-cabling.
  2. Replaced the 10-year-old ATT WAN with a new Sprint MPLS WAN.
  3. Virtualization (there is no more server rack space left)
  4. Disaster recovery site implementation
  5. Employing a different back up method from the tape backups currently being used.
  6. A comprehensive Microsoft licensing strategy that includes an audit of current licenses.


My reason for providing a high level of detail in this story is to give you clear examples of IT issues that may track with your own. If any of the problems or strategies that this client is dealing with ring any bells for you, it may be time to examine your own IT function and how your financial management relates to it. If your senior financial manager is not getting involved with IT strategy or decision making, you may want to better align the two. If you don’t, there may be trouble brewing behind the scenes.

Managed Services for Credit Unions – What a Great Idea!

October 15, 2008

Over the past few months, I have been hearing a similar complaint from a number of my clients. One after another, they have observed that “just can’t keep up the pace.” IT overload, in a sense. 

Frankly, I was amazed to hear this, especially since I kept hearing it over and over. These are very smart managers, and many are moving up the ranks in the credit unions they work for. I could understand “I can’t keep up” stress from a business person trying to manage enterprise technology, but I was shocked to hear these words from seasoned and more than capable technologists.  

I thought of Managed Services Programs (MSP) as a solution for my frazzled clients. Managed services could free up my clients to focus on member-facing value add and other strategic items. If credit union technology professionals could stay focused on increasing value to the member and less on the IT plumbing systems, credit unions and their members would be immensely better off. 

MSP for credit unions can cost half of the cost of the same in-house services. This gives credit unions a great advantage; they can obtain the plumbing expertise through contractors and invest their W2 resources in core systems and member facing applications. 

The path to MSP success starts with finding a Managed Services and Compliance Program Vendor who focuses specifically on credit unions. Credit unions are more complex than many similar sized companies in other sectors, and it is very important that your IT business partner knows this and has credit union expertise in their business.  

Here are other key items to check out before closing a deal with an MSP provider: 

  1. Do their programs match to an Information Security Program, NCUA, or FFIEC?
  2. Are compliance and IT operations the focus of their service (as opposed to devices and products)?
  3. Have you reviewed samples of monthly reports?
  4. Have they been questioned by NCUA auditors before? How did they do?
  5. Is access to Tier 1-Tier 3 talent included in the monthly fee?
  6. Is there a complete 3rd party due diligence package for: insurance coverage, financials, security controls, background checks, NDAs, etc.?

Finally, something to consider from your side: Will bringing this provider on board really enable you to focus your valuable in-house IT and business personnel on core systems and member facing activities? 

If the answers to these questions are positive, you stand an excellent chance of reaping big benefits from partnering with an MSP provider.

When to Consider Managed Services

September 15, 2008


I am often amazed at the lack of qualified technology staff at credit unions with less than $200 million in assets. In firms between $200 and $400 million, I do start to see more qualified staff across the necessary disciplines, but there are often talent holes.


Credit unions need to think creatively about how to staff for success. I have found that the best methods of staffing aren’t necessarily behind the company’s four walls, especially in the technology/IT arena. This is where Managed Services Providers are an option to consider.


Should you consider partnering with Managed Service Provider for your non-core technology needs? Here are some questions to help you with that answer:


  • Can you afford the personnel costs of managing and supporting your IT investments?
  • Does change in technology and the rate of that change negatively impact your staffing efforts?
  • Would you like your IT people to spend more time focused on core systems and member facing applications? Could you do this if the basic, everyday IT “plumbing” were handled?
  • Can you afford the raw hardware and software costs for IT today? Does this part of the budget frustrate you?
  • Does compliance risk associated with DR, Security, and infrastructure keep you up at night?
  • Are you keeping pace with requirements when it comes to compliance and IT?
  • Have you developed a multi-year approach to planning technology compliance?
  • How good is your reporting in tough areas of the network related to logging and auditing?


Working with a Managed Service Provider who is a credit union specialist will mitigate many of your every day IT concerns. When you have a trusted IT partner who understands and keeps up with compliance and the technical aspects of Disaster Recovery, IT Security, Infrastructure, and IT operations, you will free up valuable internal technology resources (hardware, software, and people) that can focus on more strategic, member-facing initiatives that directly impact your bottom line.