Get Started
All Services Managed IT Cybersecurity Ransomware Remediation Infrastructure & Low Voltage Who We Serve Why DC Plus Resources & Case Studies Areas We Serve Get a free assessment
Home / Resources / Blog
Partnership Models · Managed IT

Co-Managed IT: What It Actually Looks Like When You Already Have an IT Person

Most MSPs sell a replacement for your IT team. Co-managed IT is a partnership with your IT team. Here's what that looks like in practice, and where it works.

8 min read

The most common mistake managed service providers make is trying to replace internal IT.

It's an honest mistake. The MSP business model originally evolved to serve businesses that couldn't justify a full-time IT hire. The pitch was "you don't need a tech person — you have us." That worked for a long time, and for many small businesses it still works.

But somewhere between 25 and 250 employees, most businesses do hire someone. And that hire is rarely about cost. It's about presence. The IT person who walks the floor of a manufacturing plant, who knows which credit union branch has the temperamental teller workstation, who can sit in the executive's office and help with a printer issue at 2 PM — that person is doing work no MSP can do remotely.

The question for businesses at that size is not "internal or outsourced." It's "what does each side do well, and how do we structure the relationship so both sides add their value?"

That's co-managed IT.

What "co-managed" actually means in practice

Co-managed IT is a partnership where the client retains their internal IT person (or team), and a managed-service provider brings additional capability that's harder to staff in-house. It's not "we do everything." It's not "you do everything and we do nothing." It's two teams operating together, with clearly defined responsibilities.

What that looks like for a typical engagement:

The internal IT person owns:

  • Day-to-day end-user support and the relationships that come with it
  • The institutional knowledge — who needs what, what runs where, why the previous administrator made that decision
  • Project execution for things they're well-positioned to handle
  • The on-site presence the business expects and pays for

The MSP owns:

  • 24/7 monitoring, after-hours coverage, and SOC + SIEM operations
  • Specialized security work — incident response, advanced threat hunting, compliance support for regulated industries
  • Senior IT leadership — a virtual CIO function for strategic decisions, budget planning, vendor selection, roadmap conversations
  • Capacity surge — extra hands for a buildout, a migration, a server refresh, or a project that's bigger than one person can handle alone
  • Vendor escalations — the call to Microsoft, the ISP, the security vendor that takes four hours of someone's day to resolve

Both sides own:

  • Joint decisions about architecture, security posture, and roadmap
  • Documentation — kept up to date, accessible to both teams, useful to whoever comes next
  • Communication with leadership and the board

There's no single right division of labor. The above is typical. Real engagements move work back and forth based on what each side is well-positioned to handle.

How decisions get made

This is the part most co-managed engagements get wrong, and the part where the most value lives when it's done right.

A few principles that work in practice:

1. The internal IT person should not be evaluated against the MSP. The temptation is to ask the IT person to "manage" the MSP relationship — to grade their work, to push back on their recommendations, to defend the IT person's turf. This sets up an adversarial dynamic that hurts the business. The right framing is: both teams report (in different ways) to the business. The MSP is not the IT person's employee, and the IT person is not the MSP's customer.

2. Big decisions should involve both teams. Architecture changes, security posture decisions, vendor selection, budget planning — these should be conversations where both the internal IT lead and the MSP's senior advisor are at the table. The internal person brings context. The MSP brings breadth — they see how similar decisions played out at fifty other businesses.

3. Small decisions should be made by whoever's closest. The IT person doesn't need to ask permission to reboot a server. The MSP doesn't need to call the IT person before responding to a 3 AM EDR alert. Drawing the line about which decisions need joint sign-off and which don't is one of the early conversations of a healthy engagement.

4. Disagreements should be handled honestly. Both sides will sometimes disagree about the right answer. A healthy co-managed relationship resolves these the way two professional colleagues would — with data, with experience, and with a clear escalation path when the technical experts can't agree. The business leader needs to know they can ask either side, "tell me what you'd do if it were your call," and trust the answer.

Where co-managed shines vs. where it gets messy

Co-managed works best when:

  • The internal IT person has clear strengths in user-facing work, project execution, and institutional knowledge.
  • The business has security or compliance needs that exceed what one person can keep current on (credit unions, healthcare, regulated manufacturing).
  • After-hours coverage matters — the business runs 24/7 or operates across time zones, and "the IT person is on vacation" can't mean the SOC is down.
  • The internal IT person wants to grow into more interesting work and is willing to let the MSP handle the routine items that crowd out development time.

Co-managed gets messy when:

  • The business hired the IT person partly to avoid dealing with vendors, and the MSP feels like one more vendor to manage.
  • The IT person is protective of their job and treats the MSP as a threat rather than a partner.
  • The business leader hasn't decided which side they want owning the strategic conversations. Both sides keep getting pulled into roadmap discussions that nobody is empowered to decide.
  • The MSP tries to take over rather than partner. (This is the most common failure mode, and the one our industry has earned a reputation for.)

The way to avoid all of these is to discuss them explicitly during the engagement design. The first conversation in a co-managed setup shouldn't be technical. It should be: what does each side do, what does each side not do, how do decisions get made, and what does success look like for both sides?

Three common arrangements

There's no standard model, but a few patterns recur often enough to be worth describing.

Pattern 1: "IT person + after-hours coverage + security stack"

The internal IT person runs the business during the day. The MSP layers in 24/7 monitoring, the SOC and SIEM, the EDR platform, the email phishing defense, and the backup architecture. The IT person owns the relationships with users and leadership; the MSP owns the security operations and the after-hours pager.

Works well for businesses with one solid IT person who could handle daytime support but doesn't want to wear a pager.

Pattern 2: "IT team + vCIO + compliance overlay"

The internal IT team handles operations day-to-day. The MSP provides a virtual CIO function — quarterly strategy sessions, budget input, vendor selection guidance, board updates. The MSP also owns compliance work specifically: examination prep, audit support, policy maintenance, evidence gathering.

Works well for credit unions, healthcare practices, and regulated mid-market companies where compliance is a real burden but a full-time CIO isn't justified.

Pattern 3: "IT person + project hands"

The internal IT person runs the business. The MSP is on a retainer that provides surge capacity for projects — a new facility buildout, a server migration, a Microsoft 365 hardening project, an OT cybersecurity initiative. The day-to-day relationship is light; the project relationship is intense when active.

Works well for businesses that have a competent IT person but periodic capital projects that exceed one-person capacity.

These aren't menu items to pick from. The right structure for any specific business is something both sides discover together over a few months of working together. Almost every healthy co-managed relationship looks somewhat different from the others.

A direct ask

If you have internal IT and you've been pitched by MSPs that wanted to replace them, you've heard the wrong pitch. We don't do that. The best work we do is alongside an internal team that already knows the business better than we ever will.

If you've got an internal person who's stretched, or a team that's strong on operations but light on the security and compliance work the modern environment demands — that's exactly the gap a co-managed engagement is built for. We can describe what it looks like for your specific situation in 30 minutes, with no commitment.

The internal IT person you already have is an asset, not a problem to solve. Build the relationship around making that asset more effective, and the partnership pays for itself.

If you'd like to talk through what a co-managed engagement could look like for your business — including the conversations you'd want to have with your internal IT person before bringing in a partner — we'd be glad to walk through it. Schedule a free conversation and we'll make it useful regardless of what you decide.

More from DC Plus

Keep reading.

All resources & case studies Credit Union Compliance Guide

Let's make your IT the thing you never have to think about.

Free assessment. No obligation. A real conversation with a local team.

Schedule your free assessment