Skip to main content

Business Owners — Tactical

Altitude: quarters. This is where strategy becomes procurement, contracts, and oversight you can actually run.

You've set the direction. Now you have to buy the right things, hold the right people accountable, and fund the right projects — without becoming a technician to do it. This page is about the decisions and conversations that turn intent into a working arrangement.

Reading an MSP contract and SLA

A managed services agreement is where a lot of risk hides in plain sight. You don't need to understand every clause, but you should be able to find and challenge a few:

  • Scope — what's explicitly included, and just as importantly, what's billed as "out of scope." Vague scope is where surprise invoices come from.
  • Service levels (SLAs) — response and resolution targets, the hours they apply, and what happens when they're missed. A response-time SLA with no resolution commitment is weaker than it looks.
  • Security responsibilities — who is responsible for patching, backups, MFA, and incident response? Get this in writing. "We assumed they were doing it" is the most common gap in a post-incident review.
  • Exit and data — how you get your data and access back if you leave, and how long that takes. Lock-in is a real cost.

What a reasonable IT budget looks like

There's no universal number, but IT spend as a percentage of revenue is a useful sanity check — it varies widely by industry (a professional services firm and a logistics business have very different profiles), so benchmark against your sector rather than a generic figure. The more important test is composition: a healthy budget funds not just "keeping the lights on" but also security uplift and planned refresh. A budget that is 100% reactive is a warning sign.

Vendor selection criteria

When choosing a provider or major platform, weigh more than price:

  • Fit for your size and sector — a provider built for enterprise may not serve a 20-person firm well, and vice versa.
  • Security posture — do they practise what they'd sell you? Ask about their own certifications, their breach history, and how they'd handle being compromised (relevant given supply-chain attacks on IT providers).
  • References and continuity — talk to clients like you, and understand their key-person risk.

Cyber insurance prerequisites

Cyber insurance has quietly become a backdoor security mandate. Insurers increasingly require MFA, tested backups, endpoint protection, and patching discipline as a condition of cover — and will reduce or decline payouts if you attested to controls you didn't actually have. Treat the insurance questionnaire as a free security audit: every "no" is both a premium problem and a real risk. Aligning to a recognised baseline like the Essential Eight makes these renewals far less painful.

Essential Eight uplift as a funded project

The strongest way to handle security maturity is to stop treating it as a vague aspiration and fund it as a project with milestones. Pick a target maturity level (the Essential Eight defines Levels 1–3), get a current-state assessment, then fund the gap as a roadmap with dates and owners. That turns "are we secure?" — an unanswerable question — into "we're at Level 1, funded to reach Level 2 by Q3," which a board can actually govern. The control detail lives in the Technical Library; your job is to fund it and track it.

Questions to ask in a quarterly IT review

You don't need a technical agenda — you need accountability. A useful quarterly review answers:

  • What changed this quarter, and what risk did it add or remove?
  • Show me the evidence: patching status, last successful backup test, MFA coverage.
  • What's our Essential Eight maturity, and did it move?
  • What are the top three risks you're worried about, and what would it cost to address them?
  • What's coming end-of-life, and when do we need to budget to replace it?

If those questions get clear, evidenced answers, your oversight is working. If they get hand-waving, that is the finding.