Most firm owners did not plan to become the IT department.
It happened one request at a time. Someone could not log in. Someone needed a new laptop set up. Someone asked whether the firm had a backup of a file that was lost. All questions that they thought only the owner could answer.
Then the owner kept answering them.
Until one day, without anyone making a formal decision about it, the firm owner was carrying IT.
—
How This Happens in Practice
Here is a scenario that will feel familiar to more people than you might expect.
A managing partner at a mid-size law firm is running a staff meeting when someone asks a routine question about their document management system. She is the only person in the room who knows the admin credentials. Same for the backup software. Same for the Microsoft 365 tenant.
When asked who handles IT for the firm, she says they have an IT company.
What she means is they have a number they call when things break.
The day-to-day ownership, the decisions, the access, and the risk? That all lives with her.
This is not a story about a firm that made a bad decision. It is a story about a gap that quietly filled itself in, the way gaps tend to do, with whoever was closest and capable enough to fill it.
In most firms, that person is the owner.
—
Why the Gap Fills This Way
Law firms are built around client service. Every hire, every system, every process is oriented toward doing the legal work well. IT rarely gets a seat at the table during those early decisions. It gets handled.
A vendor gets selected. Computers get set up. Email gets running. That also means then the vendor fades into the background, available when something breaks but not actively managing anything.
Meanwhile, the firm grows. More staff. More systems. More access points. More decisions that need to be made about who has access to what, whether the backups are actually running, and what happens if someone clicks the wrong link in an email.
Those decisions do not go to the vendor. They go to whoever is already making decisions. Which is usually the firm owner.
The distinction here is important. Having a vendor is not the same as having someone accountable for your IT environment. A vendor responds to requests. A partner manages your environment proactively, flags risks, and owns the function day to day. Most firms have the first thing. They think they have the second.
—
What This Costs Beyond the Obvious
The easy answer is time. That also means yes, time is a real cost.
The deeper cost is what happens to decision-making when one person is carrying too many categories of responsibility.
Firm owners who have quietly absorbed IT are operating with a kind of split attention that is hard to fully account for. There is always a low-level awareness of things that need to be checked, questions that might come up, problems that might surface. That background noise does not show up on a time sheet, but it is real.
From a security standpoint, the arrangement creates concentration risk. When one person holds all the credentials, all the context, and all the institutional knowledge about how the firm’s systems are configured, the firm is exposed in ways that go beyond convenience. If that person is unavailable, whether due to illness, travel, or simply a chaotic week, the firm can find itself unable to respond to a problem that needs immediate attention.
There is also a liability dimension worth naming. When a firm owner is functioning as the de facto IT administrator and a breach or data loss event occurs, the decisions that led to that moment, or the decisions that were never made, trace back to one person. That is a significant amount of exposure for someone who was never supposed to be carrying that function.
—
The Difference Between a Vendor and a Partner
This is a distinction that matters more than most firms realize until they experience both.
A vendor shows up when called. They fix what is broken, bill for the time, and leave. They are not thinking about your firm between calls. They are not monitoring your environment, reviewing your access controls, or asking whether your current setup still makes sense given how your firm has grown. When something goes wrong, you call them. They respond. That is the full scope of the relationship.
A real IT partner operates differently. They know your environment. They track changes. They flag things before those things become problems. When a staff member leaves, they are already thinking about offboarding and access removal. When Microsoft pushes an update that affects your document management workflow, they are already on it. They carry the function so you do not have to.
The practical difference shows up in how a firm owner feels on a normal Tuesday. With a vendor, there is always a quiet awareness that you might be one broken thing away from a bad day that lands entirely on you. With a partner, that weight lives somewhere else. Someone who should be carrying it is carrying it.
—
What a Better Arrangement Looks Like
If you recognize yourself in any of this, here is a practical way to think about what needs to change.
1. Credentials and access should not live with one person.
There should be a documented list of every system the firm uses, who has admin access, and where those credentials are stored securely. If you are the only person who knows this information, that is the first thing to address.
2. Someone other than you should own the monitoring function.
Your backup should be checked regularly, not assumed to be running. Your security settings should be reviewed on a schedule. Someone other than you should be responsible for knowing the state of your environment.
3. You should have a conversation about the scope of your current IT relationship.
Ask your current vendor directly: what are you monitoring proactively? What will you flag before it becomes a problem? What does the offboarding process look like when someone leaves? The answers will tell you alot about whether you have a vendor or a partner.
4. IT decisions should not require your personal involvement.
If a staff member needs a new device, a password reset, or a software question answered, there should be a process for that which does not route through you. That is not a luxury. That is basic operational structure.
5. The goal is a function that belongs to someone other than you.
Not a number on a sticky note. Not a vendor you call when things break. A function with ownership, accountability, and proactive management.
—
A Few Questions Worth Sitting With
Before moving on, it is worth slowing down for a moment with a few honest questions.
– If you were unavailable for a week, who would know how to manage your firm’s IT environment?
– When did you last have a proactive conversation with your IT vendor, not because something broke, but because they reached out?
– Do you know whether your backups ran successfully last week?
– Is there a documented process for removing access when someone leaves the firm?
– If something went wrong today, who owns the response?
These are not gotcha questions. They are clarity questions. If the answers are uncomfortable, that is useful information.
—
You Were Not Supposed to Be Carrying This
The firm owners who end up as their own IT department are usually the most capable, most resourceful people in the building. That is exactly why it happened to them.
However, capability is not the same as appropriate responsibility. That also means carrying a function that belongs somewhere else has a real cost, even when you are managing it well.
You built something worth protecting. The goal is to protect it in a way that does not require you to personally hold everything together.
If this piece felt like a mirror, and you are ready to think about what it would look like to hand that function to someone who should be carrying it, I am happy to have that conversation. You can find a time at https://diasystems.net/schedule-now/.
For everyone else:
What is one thing in your firm’s IT setup that you know belongs somewhere other than on your plate?