Last night I was at dinner with the CEO of an MSP. Good operator. Growing. Adding clients. Doing the work.
We were walking around his town before dinner talking about the usual founder stuff. Processes. How to get people to actually follow them. How to delegate without having half-finished work boomerang back onto your desk. How exhausting it is when the same two people are always solving the hardest problems.
You know. Tuesday.
Then the conversation shifted to growth. He’s added a handful of new clients recently. Solid wins. Companies that came to him because they needed IT support.
Then he mentioned another company. Let’s call it XYZ Company. His wife has lunch with their CFO every couple of weeks.
I asked, “Are you doing business with them?”
He laughed.
“Bruce, of course not. They have their own IT department. They have everything under control.”
And that right there is where most MSPs shut the door on themselves.
Because “they have IT” does not mean they have:
- A cyber liability defense strategy
- Evidence aligned to their cyber insurance policy
- Third-party validation of their controls
- Governance around the AI already running inside their network
It just means they have IT. And those aren’t the same thing.
Mid-sized businesses with internal IT are some of the most exposed environments in the market right now. They are big enough to be targets. Confident enough to assume they are covered. And rarely inspected from the outside.
AI usage is exploding inside these companies. Copilot is drafting contracts. ChatGPT is summarizing board decks. Engineers are pasting logs into public tools. Finance teams are uploading spreadsheets for analysis. Internal IT did not design that usage. It just happened.
Now layer that onto cyber insurance.
Most mid-sized companies signed an application stating they:
- Use MFA everywhere
- Encrypt sensitive data
- Monitor for suspicious activity
- Maintain incident response procedures
- Train employees on security awareness
Here’s the uncomfortable question. Can they prove it?
Not say it. Prove it.
If a ransomware event hits and a claim is filed, the carrier will ask for documentation, logs, validation, and proof that the controls committed to on the application were in place and functioning.
That is not an IT operations question. That is fiscal risk. And it is owned by the CFO.
So, what does my friend actually have to lose?
He goes to lunch. He says, “I know you have an IT department. This isn’t about replacing them. This is about making sure you can defend a cyber insurance claim if something happens.” The CFO will likely say, “We’re covered. We have insurance.”
Perfect.
Now he asks, “Would you be open to having us review your policy and confirm you’re collecting the evidence needed to defend a claim? We can perform an independent analysis to validate the controls you committed to are actually working.”
That is not threatening. That is responsible.
If they say yes, you review the policy. You perform a Level 1 penetration test with third-party validation. You map findings to insurance commitments. You identify gaps in AI governance, documentation, and incident response defensibility. You are now in the room as the independent voice.
If they say no, you finish lunch. Keep it light. Plant the seed.
When the next renewal questionnaire hits, or the next AI headline rattles the board, you will get the call. Because you framed the conversation correctly.
Your opportunity is not “we do IT better.”
Your opportunity is “we help you prove it.”
At minimum, you uncover gaps in AI governance, insurance alignment, or documentation. At best, you establish an ongoing cyber liability defense program. Either outcome creates value.
Because inspection creates defensibility.
And defensibility is what gets a claim paid.
I wrote a companion blog outlining how CFOs think about this responsibility and where cyber risk lands inside the organization. Read it. Understand it. Then start having this conversation upstream.
The companies with internal IT are not closed doors.
They are some of the highest-value conversations you are not having.
The only question is whether you are willing to ask it.