March 9, 2026
Your MSP Manages Your Technology. Here's What That Doesn't Cover.
Four governance functions that live above the managed services layer, and why most small firms have no one owning them.
This is not a critique of managed service providers. If you have one, yours is probably doing exactly what it was hired to do: keeping infrastructure running, managing your help desk, patching your systems, and responding when things break. That's the job. It's valuable, and for most organizations under 100 employees, it covers the operational IT function entirely.
The problem is not what your MSP does. The problem is what lives above it.
Most 30-person organizations have someone managing technology operationally. They have almost no one managing it strategically. The decisions about cybersecurity posture, vendor accountability, long-term technology investment, and insurance compliance typically land on the CEO's desk with no senior technology advisor in the room. The CEO makes the call, or defers to the MSP, or puts it off until it becomes a problem.
Four governance functions sit above the managed services layer by design. MSPs were not built to own them; the managed services model was designed for operational support, not strategic governance.5 In most small firms, no one else owns them either. Here's what that gap looks like in practice, and why it matters more than most executives realize until something goes wrong.
1. Cybersecurity Governance Is Not the Same as Cybersecurity Tools
Your MSP manages your firewall, monitors your endpoints, and responds to incidents. That's cybersecurity operations. Cybersecurity governance is different. It's the question of whether your organization's risk posture matches its actual threat environment.
For small businesses, that threat environment is more serious than most executives assume. Verizon's 2025 Data Breach Investigations Report found that ransomware was involved in 88 percent of breaches at small and medium-sized businesses, compared to 44 percent of breaches across organizations of all sizes.1 That is twice the rate, and it means that when a small firm is breached, ransomware is the most likely outcome. The median ransom payment in 2025 was $115,000.1
The report's explanation for this disparity is a governance observation, not a tools observation: organizations facing the worst outcomes are those that "lack the layered defenses, segmentation, and recovery readiness seen in larger organizations."1
You cannot solve that by buying a better firewall. Layered defenses require someone to define what layers are needed, at what cost, and at what point the organization has done enough. Recovery readiness requires documented plans, tested scenarios, and a clear chain of command. These are governance activities. They require someone with the experience to know what good looks like and the authority to own the outcome.
For most small organizations, that person doesn't exist. The MSP handles the tools. The CEO handles the rest. Neither is positioned to own the governance function.
There's also a third-party risk dimension that rarely gets discussed. Verizon's 2025 report found that third-party involvement in breaches doubled to 30 percent.1 Your MSP is a third party, and typically one holding privileged remote access to every system it manages. Who is evaluating your MSP's security practices, and on what basis? At a minimum, someone should be asking whether the MSP enforces multi-factor authentication on its own remote-management and administrative tooling, how it separates your environment from those of its other clients, and how, and how quickly, it would notify you of a compromise on its side.
2. Managing the MSP Relationship Requires Expertise You Probably Don't Have In-House
Seventy-three percent of small businesses lack full confidence in their MSP's ability to protect them, according to ConnectWise's 2025 SMB cybersecurity research.2 That lack of confidence is reasonable given the threat landscape. The more important question is: what do you do about it when you don't have the expertise to evaluate it?
The MSP account manager is not the right resource for this. Account managers are incentivized to maintain the relationship and expand the contract. What you need at MSP review time is someone who can read through the service delivery reports, ask the questions that reveal performance gaps, benchmark the service against what a comparable organization should expect, and hold the vendor accountable when the answers don't add up.
That's not an operations conversation. It's a procurement and governance conversation that requires senior technology experience.
A Fractional CIO manages the MSP relationship as a vendor relationship: defining the right service level agreement for the organization's actual needs, conducting periodic performance reviews from an informed position, identifying when the MSP's capabilities have drifted from the organization's requirements, and evaluating whether the contract reflects the work being delivered.
For a 30-person professional services firm or nonprofit, the MSP is typically the most significant technology vendor relationship. Most organizations have no one who can manage it from a position of expertise.
3. Technology Investment Decisions Rarely Get the Scrutiny They Deserve
Sixty percent of businesses regret a technology purchase made in the previous 12 to 18 months, according to Capterra's 2025 Tech Trends Report.3 Among midsize companies, that regret rate climbs to 68 percent. The two most common causes: problematic vendor handoff between the sales and implementation teams (cited by 48 percent) and higher-than-expected product costs (36 percent). Both are governance failures, not product failures.
The technology decisions that matter most to a small organization are infrequent and high-stakes. ERP selection. Security vendor assessment. Cloud migration. Microsoft 365 licensing restructure. For a 30-person firm, these decisions might arise once every several years. When they do, the CEO and COO are typically not positioned to evaluate the options with the depth they require.
These are not decisions where general business judgment is sufficient. ERP evaluation requires understanding implementation methodology, integration complexity, total cost of ownership over a five-year horizon, and the risk profile of the vendor. Security vendor selection requires understanding what the technical controls actually do, whether the coverage is appropriate for the threat environment, and whether the SLA covers what the organization actually needs when an incident happens.
A Fractional CIO brings the expertise to structure these evaluations correctly: building requirements, running a disciplined selection process, negotiating contracts with the knowledge of what to ask for, and holding vendors accountable to implementation commitments. The 60 percent regret rate reflects what happens when organizations skip this step.
4. Cybersecurity Insurance Renewal Is Now a Governance Assessment
The cybersecurity insurance landscape has changed substantially over the past three years, faster than most small businesses have tracked. What was once a straightforward questionnaire is now a structured evaluation of cybersecurity maturity.4
Carriers now require documented evidence of specific controls as prerequisites for coverage. Multi-factor authentication is no longer optional; insurers expect it enforced across remote access, VPN, privileged accounts, and email. Documented incident response plans are required. Evidence of regular risk assessments is expected. Renewals in 2026 require more than "yes" answers to checkbox questions.4 Note that "enforced" means enforced by policy for every account in scope, including administrator, service, and legacy accounts, not merely available or switched on for most users; an application that overstates coverage is exactly the kind of misstatement that surfaces at claim time.
The business incentive for getting this right is real. Organizations that can demonstrate documented governance maturity generally receive better coverage terms, lower premiums, and fewer exclusions. Those that cannot either get denied or pay more for less.
For most small organizations, the cybersecurity insurance renewal arrives as a PDF form that lands in the CEO's inbox. Without someone who understands what the questions are actually evaluating and how to document the organization's controls accurately, renewal becomes either a guessing exercise or a material liability. If the answers are wrong in either direction, the consequences appear at claim time.
A Fractional CIO can own this process: understanding the insurer's requirements, documenting the organization's actual controls, identifying gaps before the renewal date, and building the case for the coverage terms the organization needs.
The Scope Is Specific
A Fractional CIO engagement for a small organization is not a scaled-down version of mid-market technology leadership. At four hours per week, it's targeted to the decisions and governance areas that currently have no senior advisor. The operational IT function stays with the MSP. The four governance areas above get a senior technology leader who can own them.
This does not require a board seat, a standing technology committee, or a formal governance framework. It requires someone with the experience to know what good looks like in each of these areas, and enough time each week to apply that experience to the organization's actual situation.
The case for this model at small organizations is built on a simple observation: the cybersecurity threat environment does not scale by headcount. The governance questions that arise from an ERP selection or an insurance renewal do not get easier at 25 employees versus 250. And the cost of getting these decisions wrong does not scale down proportionally with the size of the organization.
The $115,000 median ransom cited in Verizon's 2025 report is a manageable, if painful, event for a 500-person company with reserves and a response team. For a 30-person nonprofit or professional services firm, it's a different conversation entirely.
Open Questions
What is the right threshold? At what organizational size does strategic technology governance become a necessity rather than a discretionary investment? The research suggests the threshold is lower than most CEOs assume, but there's no clean answer. A 20-person firm with a simple IT environment is probably fine with an MSP. A 35-person nonprofit managing donor data, cybersecurity insurance, and an ERP migration is probably not.
As insurance requirements tighten, does the math change? The governance documentation now required by cybersecurity insurers requires someone with expertise to produce it accurately. If the cost of unmet compliance is higher premiums, reduced coverage, or claim denial, does the calculus shift in favor of the advisory investment before renewal?
What distinguishes a vCIO from a Fractional CIO? MSPs are increasingly offering virtual CIO services as a premium add-on. Understanding the difference between a repackaged account manager and a senior technology executive with enterprise CIO experience is a real evaluation question. What criteria would you use to make that distinction, and who in your organization is positioned to apply them?
Where to Start in the Next 90 Days
Audit the four governance areas against your current structure. For each one, identify who actually owns it today. If the answer is "the CEO," ask whether that person has the expertise to own it well. If the answer is "the MSP," ask whether the MSP was designed to own it.
Pull your last cybersecurity insurance renewal questionnaire. Review the questions about controls, risk assessments, and incident response. For each one, note how confident you are in the accuracy of your answers and who would verify them in a claim situation.
Trace the incident response chain. If a ransomware incident began at your organization at 6 a.m. on a Monday, who gets the call? Who decides whether to pay? Who leads the recovery? Who can confirm that the backups are intact, isolated from the compromised environment, and actually restorable, and how long a restore would take? How long before a senior technology leader is involved? How many steps before someone who knows what "recovery readiness" means is in the room?
Review your last major technology purchase. Walk through the selection process. Who drove it? What criteria were used? Who negotiated the contract? Was total cost of ownership modeled before signing? This exercise usually surfaces the gap clearly.
Conclusion
The managed services model works. It handles operational IT at a price point that makes sense for small organizations, and most MSPs do that job well. The governance layer above it is a different problem, one that the MSP model wasn't designed to solve and that most small organizations don't realize is unowned until it becomes a crisis.
Four hours per week is not a lot of time. Directed at the right decisions, owned by someone with the experience to make them well, it covers the governance gap for most organizations at this size.
Nova Group works with small organizations — nonprofits, professional services firms, and growth-stage companies — that are managing technology through an MSP without a senior technology advisor. The Fractional CIO engagement is structured for organizations where the operational IT function is covered and the strategic governance layer is not.
About Nova Group
Nova Group provides Fractional CIO and technology advisory services to small and mid-market organizations. Founder Greg Geary brings 27+ years of technology experience, including senior leadership roles at large financial services firms, with CISM and CRISC certifications and an MBA from USC Marshall.
Sources
Verizon Business. 2025 Data Breach Investigations Report. Verizon, 2025.
ConnectWise. SMB Cybersecurity Statistics and Trends 2025. ConnectWise, 2025.
Capterra. 2025 Tech Trends Report: SMBs vs. Enterprises. Capterra/Gartner Digital Markets, 2025.
Embroker. Cyber Insurance Requirements for SMBs in the USA by 2026. Embroker, 2025.
ChannelE2E. MSP Trends in 2025: Navigating What's Next for Managed Services. ChannelE2E, 2025.