Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Key Takeaways
- Co-managed IT pairs an internal IT lead with a managed services provider (MSP) that handles 24/7 monitoring, security, after-hours coverage, and specialist depth the internal lead cannot cover alone.
- The break-even between fully outsourced and co-managed lands between 50 and 100 users for most Canadian SMBs.
- Typical Canadian co-managed pricing runs CA$80 to CA$150 per user per month on top of internal IT salary, depending on security stack and compliance scope.
- Across Fusion Computing’s 24 Canadian co-managed engagements through Q1 2026, the median internal IT person reclaimed 12 to 18 hours per week of strategic time after the MSP absorbed help-desk overflow and after-hours response.
- Co-managed engagements only work when the RACI split is documented in writing before the contract starts.
Book a Co-Managed IT Consultation
What is co-managed IT for a Canadian SMB?
Co-managed IT is a shared-ownership operating model where an internal IT lead retains primary day-to-day responsibility and an external MSP fills the specialist and capacity gaps. The internal lead handles user-facing work, business context, and project ownership. The MSP handles 24/7 monitoring, security operations, after-hours response, and specialist engineering the internal lead cannot reasonably cover alone.
The model exists because the breadth of modern IT (help desk, security, cloud architecture, identity, compliance, after-hours response) exceeds what one person can credibly own, but most SMBs do not need three or four full-time hires. Co-managed splits the work along skill and time-of-day boundaries.
According to Innovation, Science and Economic Development Canada research on SMB technology adoption, smaller Canadian firms consistently struggle to recruit and retain cybersecurity talent. Co-managed IT is the operating choice that gives an SMB CISSP-level security and 24/7 SOC coverage without funding three or four senior hires.
How does co-managed compare to fully outsourced and in-house IT?
Three operating models cover most Canadian SMBs. Co-managed sits between the other two and wins the middle band (roughly 50 to 200 users). Below 50 users, fully outsourced is usually right because there is not enough work for an internal lead. Above 200, the calculus tips toward a real internal team plus vendor specialists.
| Model | Best for | Internal IT | MSP role | Typical cost (50-user firm) |
|---|---|---|---|---|
| Fully outsourced (managed IT) | 10-50 users | None | Owns everything end-to-end | CA$9K-15K/month |
| Co-managed IT | 50-200 users | 1-3 internal staff | Security, after-hours, specialist depth, overflow | CA$80-150/user/month + internal salary |
| In-house IT team | 200+ users | 3+ internal staff | Specialist gaps only (24/7 SOC, IR, vCIO) | Salary + specialist retainers |
The fundamental error Canadian SMBs make is hiring a single in-house generalist at 50 users and treating that hire as the whole IT team. The role works in isolation when the company is 18 people; it fails at 50, where breadth and after-hours demand cross what one person can cover.
When does a Canadian SMB actually need co-managed IT?
Five triggers signal that co-managed has crossed from optional to required: an internal IT lead who is drowning, a cyber-insurance renewal that asks for 24/7 monitoring, a regulatory framework that requires documented controls, a recent security incident, or a planned cloud or M&A transition. Any one of these alone is usually enough.
| Trigger | What it sounds like | Why co-managed fits |
|---|---|---|
| Internal IT overload | “Our IT person works weekends just to keep up” | MSP absorbs overflow, internal lead reclaims strategic time |
| Cyber-insurance renewal | “Carrier is asking for documented EDR and 24/7 SOC” | MSP provides documented monitored response |
| Compliance pressure | “We need PIPEDA / PHIPA / OSFI E-21 evidence” | MSP runs the audit-ready security stack |
| Recent incident | “We had a phishing breach and want to never again” | MSP brings post-incident programme rebuild |
| Cloud or M&A transition | “We are migrating to Azure / acquiring a 30-person company” | MSP brings architecture depth internal lead does not have |
What does the MSP cover, and what does the internal IT lead keep?
The single most important artefact in a co-managed engagement is the written RACI matrix. It documents who is Responsible, Accountable, Consulted, and Informed for every category of work. Co-managed engagements that fail almost always fail at this line; both parties assumed the other was handling something neither party was.
| Function | Internal IT lead | MSP |
|---|---|---|
| User-facing help desk (business hours) | Owns | Overflow + specialist escalation |
| After-hours and weekend coverage | Out of scope | Owns |
| Endpoint protection, EDR, MDR | Day-to-day administration | Owns 24/7 SOC, threat hunting, response |
| Patching and vulnerability management | Owns business-app patching | Owns OS, infra, security tooling patching |
| Backup and disaster recovery | Defines RPO/RTO with leadership | Operates backup, runs quarterly restore tests |
| Compliance evidence and audit prep | Internal liaison with legal/board | Generates evidence packs from controls |
| Strategic technology roadmap | Owns business context | vCIO advisory, quarterly review |
| Vendor and procurement management | Owns relationships | Specs and security review |
Get a custom co-managed RACI matrix scoped to your environment.
Field note
“The pattern in failed co-managed engagements is the same: nobody wrote down the split. Six months in, the internal lead thinks the MSP owns patching, the MSP thinks the internal lead owns it, and a server hits end-of-support without anyone noticing. The RACI is not bureaucracy. It is the contract that protects both parties from quiet drift.” Mike Pearlstein, CISSP, CEO, Fusion Computing
How much does co-managed IT cost in Canada?
Canadian co-managed pricing typically runs CA$80 to CA$150 per user per month on top of the existing internal IT salary, depending on the security stack tier and compliance scope. For a 75-user firm, that lands at roughly CA$6,000 to CA$11,250 per month for the MSP layer. The internal IT salary continues separately.
| Seat band | MSP layer monthly | Plus internal IT salary | Total annual (typical) |
|---|---|---|---|
| 50 users | CA$4,000-7,500 | 1 generalist (CA$85K-110K) | CA$133K-200K |
| 100 users | CA$8,000-15,000 | 1-2 staff (CA$120K-170K) | CA$216K-350K |
| 200 users | CA$16,000-30,000 | 2-3 staff (CA$220K-310K) | CA$412K-670K |
The pricing band varies most with the security stack tier (basic EDR vs full MDR + SIEM) and the compliance overlay (PIPEDA-only vs PHIPA + OSFI E-21 + SOC 2). Per-incident fees are a red flag and not part of standard co-managed pricing.
How do you onboard a co-managed engagement?
Standard co-managed onboarding for a 50 to 100 user Canadian SMB runs six to eight weeks from signed contract to steady state. The first two weeks are discovery and asset inventory. Weeks three to five build the security and monitoring stack. Weeks six to eight transfer help-desk overflow and run the documented handoff. The internal lead remains operationally responsible throughout the transition.
Across Fusion Computing’s 24 Canadian co-managed engagements through Q1 2026, the median internal IT person reclaimed 12 to 18 hours per week of strategic time after the MSP absorbed help-desk overflow and after-hours response. The reclaimed time landed in three places: project work, vendor management, and finally being able to take vacation without the company going dark.
How do you evaluate a co-managed IT provider?
Six criteria separate a credible co-managed partner from a vendor selling the label. Verify each before signing.
- Written RACI matrix in the contract. Not a placeholder. Names every category of work and who owns it.
- CISSP-led security practice. The 24/7 SOC and security strategy are the hardest parts to staff in-house. The MSP must bring genuine security depth.
- Documented SLA with response-time bands by severity. P1 / P2 / P3 / P4 with credit clauses for missed bands.
- Quarterly business review (vCIO) cadence. Built into the contract, not surfaced as an upcharge.
- Defined escalation path with the internal lead. Named contacts on both sides; clear authority for what the MSP can do without internal-lead approval.
- Exit and portability terms. 12-month renewable with documented off-ramp. Avoid 36-month lock-in without exit clause.
Related Resources
- Co-Managed IT Services
- Managed IT Services for Canadian Businesses
- Managed IT Services Cost in Canada
- Cyber Insurance Checklist for Canadian Businesses
- What Is an MSSP? A Canadian Guide for SMBs
Frequently Asked Questions
What is the difference between co-managed IT and fully managed IT?
Fully managed IT means the MSP owns everything end-to-end; the client has no internal IT staff. Co-managed IT means the client retains an internal IT lead who handles user-facing day-to-day work, while the MSP handles security, after-hours coverage, and specialist depth. Co-managed wins when the client has one to three internal IT staff and wants to keep them strategic rather than swamped.
When does co-managed IT make sense for a Canadian SMB?
Co-managed IT typically wins for Canadian SMBs in the 50 to 200 user band that already employ an internal IT lead. Below 50 users, fully outsourced is usually right because there is not enough work for an internal hire. Above 200, the calculus tips toward a real internal team plus vendor specialists.
How much does co-managed IT cost in Canada?
Canadian co-managed pricing typically runs CA$80 to CA$150 per user per month on top of internal IT salary, depending on security stack tier and compliance scope. For a 75-user firm, the MSP layer lands at roughly CA$6,000 to CA$11,250 per month, with internal IT salary continuing separately.
What does the MSP do in a co-managed engagement?
The MSP typically covers 24/7 monitoring and SOC, after-hours and weekend response, security stack operation (EDR, MDR, SIEM, identity), backup and disaster recovery operations, compliance evidence packs, and quarterly vCIO advisory. The exact split is documented in the RACI matrix at the start of the engagement.
What does the internal IT lead keep in a co-managed engagement?
The internal lead typically keeps user-facing help desk during business hours, business-application patching and management, vendor and procurement relationships, business-context decisions, project management for major initiatives, and the internal liaison role with leadership and legal. Strategic alignment with the company stays with the internal lead.
How long does co-managed onboarding take?
Standard onboarding for a 50 to 100 user Canadian SMB runs six to eight weeks from signed contract to steady state. Discovery and asset inventory in weeks one to two; security and monitoring stack build in weeks three to five; help-desk overflow handoff and steady-state transition in weeks six to eight. The internal lead remains operationally responsible throughout.
What is the most common reason co-managed engagements fail?
Undocumented RACI splits. When neither party has a written matrix of who owns what, both sides assume the other is handling something. Six months in, a server hits end-of-support, a backup fails to restore, or a security alert sits unread because both teams assumed the other was watching. The RACI matrix is the single artefact that protects both parties from quiet drift.
Can co-managed IT satisfy Canadian cyber insurance requirements?
Yes, when the MSP layer covers documented EDR or MDR, 24/7 SOC monitoring, immutable backup with tested restores, and incident response. Most Canadian carriers as of 2026 require these as renewal conditions. Documented co-managed coverage with a CISSP-led MSP satisfies the carrier control attestation in nearly every renewal we have observed.
Does the internal IT lead become redundant in a co-managed model?
No. The internal lead becomes more strategic, not less needed. The MSP absorbs the parts of the role that scale poorly with one person (24/7 coverage, security operations, specialist depth). The internal lead handles business context, project ownership, and the internal liaison role with leadership. Both seats exist for a reason.
How is co-managed different from staff augmentation?
Staff augmentation places an external technician inside the client team under client management. Co-managed is a partnership between the internal team and an MSP that operates its own security stack, SOC, and tooling. Co-managed brings depth and tooling that staff augmentation does not. Staff augmentation brings hands; co-managed brings hands plus stack.
Fusion Computing operates co-managed IT engagements with Canadian SMBs.
