Managed IT for SaaS Companies: What a Good Setup Looks Like at 50–100 Employees

Operational Maturity · 9 min read

Quick answer

At 20 people, ad-hoc IT works. At 100 people, it has already broken — most leadership teams are just waiting for the security questionnaire that forces the issue.

A "good" Managed IT setup for a 50–100 person SaaS company has six observable properties: a clean identity baseline, managed devices, working joiner-mover-leaver flows, verified backups, centralised logging, and a documented policy framework that someone actually owns.

You can build this in-house (typically 3 hires, €100–110K total, 12+ months to operational maturity) or you can partner with an MSP that already runs this for similar companies. The right answer depends on whether IT is going to be a core competence for your business. For most SaaS companies, it isn't.

Why ad-hoc IT breaks at this stage

Up to about 25 people, IT runs on goodwill. A founder, a senior engineer, or whoever happens to be technical handles it on the side. That works because the surface area is small: a few SaaS subscriptions, a small device estate, everyone knows everyone, and nobody has left yet.

Around 40–50 people, three things change at once.

The device estate becomes invisible. Nobody can answer "how many laptops are out there, what's installed on them, and are they encrypted?" with confidence.

Joiners and leavers become a process problem. New hires don't have the right access on day one. People who leave keep access for weeks. Contractors come in and never get removed.

The first enterprise security questionnaire arrives. And the answers are uncomfortable — because they're honest.

By 70–80 people, the cost of waiting becomes visible: stalled deals, frustrated new hires, security gaps that any auditor would find immediately, and a leadership team that has no defensible answer to "who has access to what?"

What a good IT setup actually looks like

Strip away the vendor talk. The components are not exotic. The standards are:

Identity baseline. Every business application behind SSO. MFA enforced everywhere, phishing-resistant where it matters (admin accounts, finance tooling, customer data). Role-based access groups, not individually assigned permissions. Quarterly access reviews with named owners. Privileged access elevated only when needed, not granted as a standing condition.

Device management. Every company-issued laptop enrolled in an MDM. Encryption enforced. OS and browser updates monitored. Endpoint detection and response (EDR) running on every device, with real alerting — not just a logo in a dashboard. A clear BYOD policy with boundaries, if BYOD is allowed at all.

Joiner-mover-leaver workflows. A documented, repeatable process for every employment lifecycle event. New hires have correct access on day one. Role changes update access automatically. Departures revoke every account, device, and token within 24 hours — not "when IT gets to it."

Backup and recovery. SaaS data is not automatically backed up. Microsoft 365, Google Workspace, your CRM, your code repositories — independent backup with tested recovery is non-negotiable. "We assume the vendor backs it up" is not a backup strategy.

Logging and monitoring. Centralised logs from identity, endpoints, and key SaaS applications. Alerting configured for the conditions that actually matter (suspicious sign-ins, privilege changes, mass data access). A defined response process — not just a Slack channel where alerts go to die.

Policies and documentation. Acceptable use, data classification, incident response, vendor management, access control. Not shelf documents. Living policies that match how the business actually operates, reviewed annually, with named owners.

If you have all six running, you're in the top 10% of companies at your stage. If you have three or fewer, you're average. Average is not good enough for enterprise procurement.

The "should we hire internally?" question

Most founders we work with started here. They asked: "Shouldn't we just hire an IT person?"

The answer depends on what you actually need.

A single "IT person" at this stage typically becomes a glorified helpdesk: provisioning accounts, helping with logins, replacing laptops, chasing licence renewals. That work is necessary, but it does not build the six components above. Building those requires three different competences:

  • A security engineer to design and implement controls.
  • A compliance or IT operations lead to write policies, run access reviews, and prepare for audits.
  • A general IT operations person to handle the day-to-day work.

Each of these roles, hired at the seniority required to operate independently, costs €90,000–€110,000 per year in our region. Total: roughly €270,000–€330,000 per year before tooling, training, and the 12+ months it typically takes to reach operational maturity from a cold start.

If IT and security are going to be a core competence of your business — say, because you're a fintech, a healthcare SaaS, or you handle highly regulated customer data — that investment makes sense. Build it.

If IT is necessary infrastructure that needs to be done well but is not core to your product, the economics rarely justify three hires at this stage.

The MSP question

A good MSP for a growing SaaS company is not the same thing as a generic IT support company. The model is different.

What you should expect from a senior MSP at your stage:

  • A structured methodology, not just hourly tickets.
  • Implementation of the six components above as a defined engagement, with a clear timeline and outcome.
  • Ongoing operations after implementation: access reviews, monitoring, evidence collection, monthly reporting.
  • Compliance experience — the team has done ISO 27001, SOC 2, or both for companies your size.
  • Documentation and handover quality such that, if you switched providers, the next team could continue without rebuilding.
  • Senior people on your account. Not just a ticket queue.

What you should not accept:

  • Vague "managed services" with no defined deliverables.
  • A team that pushes tools without designing the operations around them.
  • An MSP that resists writing things down or sharing the runbook.
  • Pricing that scales linearly with users without a defined service catalogue.

The hybrid model

The pattern that works for many SaaS companies at this stage: one strong internal IT owner — not a full team — plus an external partner that handles the design, the security operations, and the compliance work.

The internal owner runs the daily operations: laptop deployments, account provisioning under the documented process, vendor liaison, internal escalation. The external partner builds and maintains the security baseline, runs access reviews, prepares for audits, and handles the work that requires deeper specialisation.

This usually costs less than three internal hires, scales better, and delivers a stronger compliance posture faster. It's the model we run for most of our clients.

Common mistakes

  • Hiring an "IT person" before deciding what good IT looks like. You will get good ticket resolution and no structural progress.
  • Buying tools before designing the operations around them. Tooling without process produces dashboards no one looks at.
  • Treating IT as a cost centre. Done properly at this stage, IT is what unlocks enterprise deals.
  • Waiting for an incident or a failed audit to start the project. The cleanup is always more expensive under pressure.
  • Choosing the cheapest MSP. The work is the same; the difference is whether it's done with seniority. Cheap MSPs are expensive eventually.

FAQ

At what headcount should we start thinking about this? Around 40–50 people is when the ad-hoc model starts breaking. Around 70–80 is when waiting becomes commercially expensive.

Can we just do this with one good IT hire? You'll get day-to-day operations covered. You won't get a defensible security and compliance baseline without specialist support.

What's the typical timeline to get to "good" from a cold start? With a focused partner: 90 days for implementation, 6–9 months for full audit readiness. Without external help: 18–24 months is realistic.

How do we know if our current setup is "good enough"? Run an honest assessment against the six components above. If you can't confidently say "yes, all six, with evidence," you have work to do.

Is the in-house route ever right? Yes — when IT and security are genuinely core to your product (regulated industries, security-as-product companies, very large engineering organisations). For most SaaS companies between 50 and 100 people, the maths favours a strong partner.

The bottom line

At 50–100 people, ad-hoc IT has already cost you something — you just may not have the data to prove it yet. Stalled deals, slow onboarding, security gaps that any auditor would find immediately, leadership without a defensible answer to basic access questions.

Building the six components above is not optional. The only question is whether you build them with internal hires, an external partner, or a hybrid of both. The answer depends on whether IT is going to be a core competence of your business.

For most SaaS companies, it isn't. And that's the point.

"Average is not good enough for enterprise procurement. And average is where you are at this stage if you haven't built the basics."

Next step

See whether your current setup meets the bar.

Start with The Clarity Assessment — we'll map your IT and security posture in 2 weeks.

View the Security Assessment Book a Fit Call