Who really owns your IT — you, or your MSP?
Outsourcing your IT support is not the same as outsourcing ownership. Too many organisations have quietly handed over the keys to their own infrastructure — and only find out when the relationship sours.
Here’s a question more boards should ask, and few do: if your managed service provider walked away tomorrow, could you still get into your own systems?
For a surprising number of organisations, the honest answer is no.
Renting your own equipment
A good MSP is one of the best decisions a growing business can make. But supporting your IT and owning it are different things — and the line gets blurred over years of trust and convenience.
I was once asked to help an organisation that had no credentials to any of its own infrastructure. The same MSP had held everything for fifteen years, and nobody had ever thought it a problem. Then the relationship soured — price disputes, slipping performance, finger-pointing — and the provider effectively held the business to ransom. No service, and nowhere to turn.
That isn’t a service arrangement. That’s renting your own equipment from someone who holds the only key.
It rarely happens on purpose
Nobody sets out to lose control of their systems. It accumulates quietly: “don’t touch it, you’ll break it”, a provider who’s always just handled it, a tidy arrangement that suited everyone at the time. Entirely reasonable in the moment, and genuinely risky over a decade.
The endings all look the same. Providers get acquired and the people who knew your environment leave. Relationships break down. Disputes escalate. And the organisation discovers it cannot access the systems its entire operation depends on.
What good governance looks like
You don’t need to distrust a good MSP to fix this. You need defined ownership:
- Hold your own break-glass administrator accounts. Secured properly — in a safe if that’s what it takes — tested periodically, and never used casually.
- Separate identities for your people, the provider’s people, and anything genuinely shared. No more single shared logins that nobody can attribute.
- Log everything, so there’s an audit trail when a question is asked.
- Document responsibilities plainly: what’s covered, what voids the SLA, what becomes billable.
With that structure in place, the supposed risk an MSP worries about — clients “tidying up” firewall rules and breaking things — is manageable, and stops being an excuse for withholding access.
The tell
If your provider will happily put this in place, you almost certainly have a good one. If they refuse outright to let you hold emergency access to your own systems, that refusal is the answer to the question you started with.
Outsourcing your IT support should never mean outsourcing ownership of your infrastructure. Making sure it doesn’t — and holding suppliers to account on your behalf — is exactly the kind of oversight a fractional CTO is there to provide.
Written by James Calderwood
James Calderwood is the principal at NorthCTO — board-level technology and cybersecurity leadership for UK organisations, drawn from 25+ years building, securing and running the systems most advisers only ever talk about.