Co-managed or fully managed IT: what a 10-person firm actually needs

You are an office manager at a nine-person firm. You handle onboarding, vendor contracts, accounts payable, and now, apparently, IT. When something breaks, you search for the person who set up the network two years ago and hope they pick up. When a client asks for your data security policy, you stall. That is not an IT strategy. It is a liability that grows a little every day.

The question is not whether to get outside IT support. For a firm your size, that decision is already made. The question is which model — co-managed or fully managed — fits your situation without overspending on services you will not use.

Most firms under ten people have no dedicated IT staff and are better served by fully managed IT, which puts a dedicated team in charge of day-to-day support, security, and compliance. Co-managed IT makes sense only when someone inside the firm already owns IT as a primary job duty and needs a qualified partner to cover the pieces they cannot handle alone. Choosing the wrong model means either paying for services you will not use or leaving compliance and security gaps that regulators and clients will eventually find.

What each model actually means in plain English

Fully managed IT

You hand off responsibility for your technology environment entirely. A dedicated team that knows your environment handles helpdesk tickets, patches devices, monitors for security threats, manages your Microsoft 365 Business Premium licenses, and keeps your systems aligned with whatever compliance requirements apply to your industry. When something breaks at 8 a.m. before a client meeting, you call one number and someone handles it. You do not own the problem.

Co-managed IT

Your firm retains an internal point person — often someone handling IT as a portion of a broader role — and an outside provider fills defined gaps. The provider might manage security monitoring and patch management while your internal person handles day-to-day requests. Responsibility is split. Both sides need to agree in writing on who owns what, or the gaps will find you.

The honest pros and cons

Fully managed

Advantages

• Single point of accountability. One team owns the outcome.
• Predictable monthly cost with no surprise invoices when hardware fails or an incident needs response.
• Better fit for regulated industries. The provider handles documentation, compliance evidence, and security controls on your behalf.
• No internal IT knowledge required. Your staff does their jobs; the provider does theirs.

Disadvantages

• Less day-to-day control. Configuration changes go through the provider rather than happening on demand.
• Higher baseline cost than co-managed — though that gap narrows quickly when you calculate what your staff currently spends on IT-adjacent tasks.

Co-managed

Advantages

• More internal control. Your person knows the environment and the people in it.
• Lower cost for the outside portion, assuming your internal person is genuinely capable and has actual bandwidth.
• Faster resolution for simple issues that do not require escalation.

Disadvantages

• Divided accountability. When something goes wrong, both sides may point at the other.
• Your internal person is usually not a security specialist. Threat detection, incident response, and compliance documentation require depth that a part-time IT generalist rarely has.
• In regulated industries, undefined boundaries between internal and external responsibilities become audit findings.

Three questions that will tell you which model fits

1. Does someone in your firm own IT as a primary job duty — not a side task? If yes, co-managed is worth a serious look. If no, fully managed is the more appropriate starting point.
2. Are you subject to HIPAA, state data privacy laws, SEC or FINRA rules, or client security questionnaires? If yes, you need documented, auditable IT management. That is harder to maintain in a co-managed arrangement unless the scope is written down, enforced, and reviewed regularly.
3. What is your current IT arrangement actually costing you? Add up the hours your non-IT staff spend on IT problems each month. Multiply by their hourly rate. Include the cost of any outside vendor you call on an ad hoc basis. That number often closes the perceived gap between co-managed and fully managed pricing.

For most ten-person firms, the answers point to fully managed. There is no IT department. There are employees who stop doing their actual jobs when they are rebooting routers, resetting passwords, or trying to explain a data breach notification to a client.

What Microsoft 365 Business Premium covers — and what it does not

Microsoft 365 Business Premium includes a capable set of security and device management tools: Defender for Business, Intune, conditional access policies, and Azure Active Directory. These tools can meaningfully reduce your risk. But capability and correct configuration are not the same thing. Out of the box, most of those features are not set up in a way that satisfies regulatory requirements for a small professional services firm.

A managed IT team that works inside Microsoft 365 every day will configure those tools correctly and keep them current as Microsoft updates the platform. That is not a reasonable expectation for an office manager with twelve other priorities.

The bottom line

Co-managed IT is not a lesser option. For a firm with genuine internal IT capability and bandwidth to use it, co-managed is efficient and appropriate. For a ten-person firm where the office manager is already carrying accounts payable, vendor management, and HR tasks, adding IT ownership to that list is not a plan. It is a gap waiting to become an incident — one that a client, an auditor, or a breach notification will eventually surface.

If you are not sure which model fits, start by writing down what you are actually responsible for today and what happens when something goes wrong at the worst possible time. That exercise usually makes the right answer obvious.

Frequently asked questions

What is the difference between co-managed and fully managed IT?

Fully managed IT means an outside provider owns all IT responsibility for your firm. Co-managed IT splits responsibility between an internal point person and an outside provider, with each side handling defined tasks. The distinction matters most when something goes wrong and accountability needs to be clear.

Is fully managed IT too expensive for a firm with fewer than ten employees?

Fully managed IT carries a higher base cost than co-managed, but the gap often narrows when you count the staff hours currently spent on IT problems. For firms with no dedicated IT person, fully managed is typically the more cost-effective model when all costs are included.

Does Microsoft 365 Business Premium replace the need for a managed IT provider?

No. Microsoft 365 Business Premium includes capable security and device management tools, but most of those features require deliberate configuration to work correctly in a regulated environment. A managed IT provider configures and maintains those settings; the software license alone does not.

Can a co-managed arrangement satisfy HIPAA or FINRA compliance requirements?

It can, but only if the responsibilities between the internal person and the outside provider are clearly documented and the provider covers the security and compliance functions the internal person cannot. Undefined boundaries tend to become audit findings.

How do I decide which model is the right fit for my firm?

Ask whether someone in your firm owns IT as a primary job duty — not a side task — and has the security depth to manage threats and produce compliance evidence. If the honest answer is no, fully managed is the safer and usually more practical choice.