Most CEOs of UK mid-market firms believe they have an IT vendor problem. They are right, but rarely in the way they think. The problem presents as a single supplier failing — a backup that did not restore cleanly, an MDR provider whose alerting is too noisy, a helpdesk whose tickets sit untouched for three days — and the instinct is to replace that supplier. The replacement happens. Procurement signs a new contract. The board hears the matter is closed. Six months later, a different supplier in the stack fails, and the cycle restarts. What the leadership team is treating as a string of vendor problems is, almost always, a structural problem: the supplier count itself. Mid-market firms are not running too few good vendors. They are running too many vendors, full stop, and the cost of that arithmetic is rarely on anyone’s P&L line.
The 17-vendor problem (composite)
Picture a typical 100-person UK professional-services firm — a law practice, an accountancy, a regional insurer. Drawn from patterns we see consistently in audit, the stack typically looks like this:
- A Microsoft 365 reseller for licensing.
- A dedicated email security vendor sitting in front of Exchange Online.
- A managed detection and response (MDR) provider.
- A separate endpoint security vendor whose console is independent of the MDR.
- A backup software vendor.
- A secondary backup-target provider for off-site copies.
- An internet service provider for primary connectivity.
- A mobile carrier for the corporate fleet.
- A web hosting provider for the firm’s website and one or two marketing microsites.
- A multi-factor authentication platform, often inherited from a long-discarded VPN deployment.
- A password manager with its own admin console.
- An outsourced helpdesk for first-line support.
- A specialist consultant on retainer for one legacy line-of-business application.
- A second specialist consultant on retainer for the finance system.
- A separate cybersecurity audit provider, used once a year for the regulator-facing report.
- A SaaS spend-management tool, ironically procured to bring the others under control.
- An HRIS-adjacent IT vendor sitting between the people system and identity.
That is a composite — no one client we have audited has exactly this stack — but the count is conservative; it is not unusual to find north of twenty. The licence spreadsheet shows seventeen recurring line items. What it does not show is what those seventeen relationships actually cost the firm to operate.
What the 17-vendor problem actually costs
There are three categories of hidden cost, none of which appear on the invoice.
Integration debt. The seventeen vendors above do not share APIs, alerts, or context. The MDR vendor cannot see the email security vendor’s quarantine telemetry. The backup tool has no knowledge of the patch manager’s state. The HRIS-adjacent vendor does not push leaver events into the identity platform until someone logs in and pushes a button. Each gap between two vendors is a hairline crack, and the firm pays to bridge it with human triage hours — an internal IT manager, a paid consultant, or a long-suffering operations lead reconciling four dashboards by hand. Operational visibility, in the seventeen-vendor stack, is paid for in salaried minutes rather than software.
Finger-pointing on incidents. When something fails, accountability fragments. A short, concrete pattern, drawn directly from audit work: a wire-transfer fraud is detected on a Tuesday afternoon. The MDR vendor is paged. The MDR vendor reviews the endpoint telemetry, sees nothing on the device, and concludes the issue is upstream — it is email’s problem. The email security vendor reviews the inbound flow, finds no malicious attachment, no spoofed sender, and concludes the issue is identity — someone’s credentials are being abused. The identity vendor reviews the sign-in logs, finds the credentials were used from a normal location at a normal hour with a valid MFA token, and concludes it is a process problem — the finance team was socially engineered, not technically compromised. Each vendor is, in narrow technical terms, correct. None of them owns the incident. Days are lost. The firm’s response is slow, and its forensic picture incomplete, because no single party holds the full timeline and each has a commercial incentive to push the question elsewhere.
Contract proliferation. Seventeen vendors means seventeen renewal cycles, typically staggered across the calendar. Each renewal requires a procurement review, a vendor security questionnaire response, an internal approval chain, and — in regulated sectors — a refreshed third-party risk assessment. A senior finance director’s time becomes hostage to vendor management. The cost of running the procurement function around the stack rarely appears in the IT budget at all; it is absorbed quietly into finance and operations overhead, where it is invisible to the board. The senior time lost to renewals each year is one of the largest unmeasured costs of vendor sprawl, and it grows linearly with each additional supplier.
Why senior-led consolidation is the answer, not a procurement squeeze
The wrong response to this picture is a procurement squeeze. The leadership team commissions a cost-out exercise, the supplier list is rationalised on price, and the firm ends up with a single provider whose capability is shallow across the surface area it has just been handed. The cracks have been collapsed into one supplier, but the supplier cannot cover the whole stack with depth. Six months later, the same fragmentation reappears as missed alerts, slow tickets, and quietly degraded backups. Bad consolidation is cheaper for one cycle and more expensive thereafter.
Good consolidation is structurally different. It looks like a senior-led managed services partner who genuinely runs the firm’s IT and security as one estate, not as a portfolio of bolt-on contracts. The relational moat matters more than the technology stack. An MSP that has run a firm’s IT for three years knows its people, its processes, its quirks, the line-of-business applications nobody documented, the partners who answer the phone after hours, the auditor who needs the access pack in a specific format every March. That relational knowledge is what the firm has been paying for, in triage hours and renewal time, without ever receiving it from the stack; a single partner pays it back. The audit-led MSP brings that relational depth with security depth on top, rather than as a bolt-on.
What a credible managed IT relationship looks like
A credible managed IT relationship for a regulated mid-market UK firm includes, as a baseline:
- Governance. A named senior contact, a monthly service review with a board-readable report, and a single point of accountability for every escalation.
- Security operations. 24/7 monitoring of endpoints, identity, email and cloud tenant, with a named analyst rather than a ticket queue.
- Endpoint management. Patch, configuration, encryption and lifecycle handled as one workflow, not three.
- Cloud tenant administration. Microsoft 365 or equivalent run by the partner — licensing, identity, conditional access, recoverability.
- Helpdesk. First and second line under the same roof as the security team, so a phishing report does not bounce between vendors.
- Software licensing. Procurement absorbed into the partner relationship, with the partner accountable for cost optimisation rather than the firm.
- Backup and disaster recovery. Tested, documented, and owned end-to-end by the partner.
The same senior contact for every escalation: one throat to clear, in plainer terms.
How Rhentech helps
Rhentech delivers senior-led managed IT services for UK mid-market firms, with audit-first onboarding so we understand the estate we are inheriting before we run it. We start with a paid cybersecurity audit — the same engagement we would deliver as a standalone — so the managed service that follows is calibrated to real exposure, not an assumed baseline. Every client gets a named senior contact, monthly board-level reporting, and a single line of accountability across IT operations and security. The audit is the typical entry point into the relationship.
If the seventeen-vendor stack feels familiar, the right next step is a conversation about the estate as it actually is, not as the licence spreadsheet describes it. Book a free initial consultation with a senior consultant.