IT Sourcing for SMEs: The Model That Fits You

TLDR
Most SMEs make one of two mistakes in IT sourcing: they try to do everything themselves, or they hand everything over to an MSP. Both extremes cost more than necessary and increase risk. This guide shows you four sourcing models, a decision matrix with five criteria, and the most common mistakes we keep seeing in the Swiss market. Read it once, and you'll know which model fits your situation.

The uncomfortable truth about IT sourcing in the Swiss SME market

Here's something we see in almost every SME project: the IT decision was never really made. It just happened.

At some point, someone from accounting was appointed "IT manager". Or the founder knew someone who runs an MSP. Or the first vendor who called got the job. For years, things somehow work. Then you grow to 80, 120, 200 employees and realize: the IT structure was never designed deliberately. It grew like weeds.

IT sourcing is not a procurement process. It is a strategic decision. And it affects every SME differently, because companies have different risk profiles, capabilities, and growth plans.

We regularly help Swiss companies structure this decision retroactively or build it from scratch. What we keep noticing: there are no bad sourcing models. There are only bad matches between a model and a situation.

The four sourcing models that exist in practice

A lot of theory about IT sourcing oversimplifies things. In practice, the same four models keep appearing. None of them is automatically better than the others.

1. In-house: you do everything yourself

Your company builds an internal IT department. IT employees are on your own payroll, infrastructure is run in-house, and know-how stays within the company.

This works well when IT is a core part of your business model. Think of a fintech building its own platform, or an industrial company with highly specific OT/IT environments. In such cases, IT is not a cost item but a differentiator. That's where in-house has its place.

The downside: operating fully in-house means you need to be competent in every area. From the helpdesk to cloud architecture, from endpoint security to backup strategy. That's expensive, slow to build, and for an SME with 100 employees almost never economical.

2. Managed Services: you hand over operations

You hire a Managed Service Provider (MSP) to run a defined IT stack for you. Infrastructure, monitoring, helpdesk, and sometimes security too. You pay a monthly flat fee, and the vendor takes over operational responsibility.

This model is attractive for many SMEs because it creates predictability. Fixed costs, defined scope of services, no staffing risk. In Switzerland, there are hundreds of MSPs offering exactly that.

But that's also where the danger lies. Many SMEs buy managed services the way they buy electricity: just take the cheapest offer. In doing so, they ignore the fact that poorly negotiated contracts can lead to massive dependency. More on that in a moment.

3. Co-sourcing: the hybrid model

Co-sourcing means you have an internal IT person or a small team that keeps the strategy and oversight in place. For operations and specific expertise, you bring in external partners.

In our day-to-day work, this is the most common model for companies between 100 and 500 employees. And it is also what we would recommend in most situations. Why? Because it combines the best of both worlds: internal context knowledge with external scalability.

The internal IT lead understands the business, maintains vendor relationships, and makes strategic decisions. The MSP runs infrastructure and helpdesk. Specialists are brought in for projects. That way, you build know-how without having to keep everything on hand yourself.

4. Project-based sourcing: external support for specific initiatives

You keep little or no internal IT capacity. External specialists are engaged for specific projects: a migration, a security audit, an ERP implementation.

This is not a permanent solution, but it is a legitimate model for very small companies or for phases in which you buy exactly what you need. It also works well as a complement to an existing model: your MSP runs the standard setup, and a specialist handles the complex migration.

The decision matrix: five questions that really matter

Before deciding on a sourcing model, you should honestly assess five dimensions. This isn't complicated science. It's simply the right questions.

Question 1: How strategically important is this IT function?

Separate commodities from differentiators. Helpdesk and backup are commodities. Almost no SME gains market share because its helpdesk is particularly good. An MSP could do that just as well, probably even better.

It's different for systems that feed directly into your product or customer experience. If your ERP configuration is a competitive advantage, you don't want to fully outsource that know-how. The rule of thumb: if external people knowing this function hurts your competitive position, it belongs in-house.

Question 2: Do we have the internal capabilities?

Be honest here. Not what you could theoretically build, but what exists today. An SME with one generalist IT employee does not have a real in-house option for cybersecurity, even if one might wish it did.

Capability gaps can be closed, but it takes time and money. If you have no internal expertise in an area and no realistic plan to build it, the model should reflect that.

Question 3: What does it really cost (TCO, not list price)?

This is the most common mistake. People compare the MSP contract with the gross salary of an IT employee and think the comparison is done.

It isn't. Total Cost of Ownership means: gross salary plus social contributions plus office costs plus training plus turnover plus the opportunity cost of the time you as a manager put into the topic. On the vendor side: monthly flat fee plus additional services outside scope plus price increases over the contract term plus switching costs at the end.

We have seen SMEs that were certain their MSP contract was cheaper than an internal role, until we ran the TCO calculation. And vice versa. Without this calculation, you are making a gut decision, no matter how professional it looks.

Question 4: How high is your risk tolerance?

Two dimensions: data sensitivity and vendor dependency.

Data sensitivity is about which data you hand over to whom. If your MSP has access to customer data, financial data, or information relevant to regulation, you need to ensure this is properly governed contractually and technically. Many Swiss SMEs underestimate how broad the data access in a typical MSP contract is.

Vendor dependency is the second risk. The more you outsource, the more you depend on your vendor's service quality and pricing policy. Without an exit strategy, after three years you are a customer that can be held over a barrel. More on that shortly.

Question 5: What do your growth plans look like?

This is forgotten almost every time. What is the right decision today may be the wrong one in 24 months.

If you want to grow from 80 to 200 employees, your IT needs change dramatically. If you are planning an acquisition, integration becomes an IT task. If you are internationalizing, compliance requirements are added. Your sourcing model must be able to scale with your company.

What we see too often in the Swiss SME market

The MSP market in Switzerland is well supplied. There are many providers that work reliably and deliver real value. But we also see recurring patterns that end up costing SMEs a lot.

Choosing the cheapest MSP. IT services are not a commodity purchase. Those who optimize solely for price usually buy undefined SLAs, poor support, and a lack of proactivity. If your system fails at 10 p.m. and the helpdesk only responds the next morning, the low price has lost its context.

(We wrote a separate article about this: You chose the wrong MSP. Worth reading if you're currently in the evaluation process.)

Not defining SLAs before signing the contract. SLAs are not a formality. They are the only reliable basis for holding a vendor accountable. Without defined response times, availability guarantees, and escalation paths, you don't have a contract; you have a statement of intent.

No exit strategy. This is the most expensive mistake. After three years, you are deeply embedded in an MSP contract. Your configurations live on their systems. Your team knows their tools. Switching would take six months and create double costs. So you extend, even if you are not completely satisfied.

We call this digital sovereignty on a small scale: you must always know how you get out before you go in. Which data belongs to you? Where are the configurations stored? Who has access to what? This must be clarified before signing the contract, not after.

(We have another article exactly on this problem: You want to switch, but you can't. Anyone who understands how vendor lock-in arises can avoid it.)

Outsourcing the strategy. This is the most subtle mistake. Many SMEs outsource not only operations, but also strategic thinking. The MSP says what should be bought next. The MSP recommends the new tools. The MSP sets the IT agenda.

That sounds convenient, but it is dangerous. An MSP has its own interests. It earns more from some products than from others. It has no interest in reducing its own service scope. Strategy must remain internal or be supported by a vendor-neutral consultant. Operations can go out.

The hybrid model for companies with 100-500 employees

If we're honest: for most SMEs of this size, we recommend a variation of the same pattern.

An internal IT lead or a small team (1-3 people) handles strategy, vendor management, and internal communication. This lead understands the business and can translate between IT and management. They know which systems are critical and which can be outsourced.

An MSP handles day-to-day operations: helpdesk, infrastructure monitoring, backup, M365 administration. That relieves the internal lead of routine work and gives them capacity for strategic topics.

Specialists are brought in for specific projects: a security firm for the annual audit, a cloud architect for the migration, a compliance consultant for NIS2. Project-based sourcing as a complement, not as the foundation.

(By the way: whether outsourcing really saves money is more complicated than it sounds. We explored this in detail in Outsourcing saves money, or does it?.)

This hybrid model has proven itself because it combines scalability with control. You are not dependent on a single vendor. You have internal know-how that can assess vendor quality. And you have the flexibility to react quickly when your needs change.

How to really evaluate an MSP in Switzerland

Reading a good offer without knowing what to look for leads to bad decisions. We are currently working on a separate guide for that, but here are the most important points in advance.

Look at how detailed the SLAs are. An MSP that promises you "24/7 support" without defining response times, escalation paths, and exceptions is making a marketing promise, not a contract.

Ask explicitly about exit governance: what happens to your data and configurations when you terminate? Who has access to what? How long is the transition period? If a vendor dodges these questions or dismisses them as standard clauses, that is a warning sign.

And don't check references as a formality. Call the reference customers. Ask specifically how incidents were handled, not just whether the vendor is "recommended".

What you should take away

• IT sourcing is a strategic decision, not a procurement process. Treating it as one leads to systematically worse decisions.

• There are four models: In-house, managed services, co-sourcing, project-based. None is automatically better. It depends on strategic relevance, internal capability, TCO, risk tolerance, and growth plans.

• For most SMEs with 100 to 500 employees, the hybrid model is the sweet spot: internal IT lead plus MSP for operations plus specialists for projects.

• The three most common mistakes are: buying the cheapest MSP, not defining SLAs, and not planning an exit strategy. All three are avoidable.

• Strategy belongs inside. Operations can go out. That is the most important dividing line.

If you are currently structuring your sourcing decision or reviewing your existing model, we'd be happy to show you how we approach this in practice. You can find more on our IT Sourcing page.