The starting point
The Spanish subsidiary needed to run its IT infrastructure with the reliability of an operation where every hour of downtime carries a direct business cost — and under the governance of a European parent that sets standards, requires evidence and audits. Building and retaining an internal team with that profile was slow and expensive; a conventional remote provider offered neither the proximity nor the business knowledge that daily operations required.
The answer was a hybrid model that remains in place nearly a decade later: a Hard2bit team based at the client's offices, working shoulder to shoulder with its internal departments, with the whole of our company behind it. Three years ago the service took a further step: the group required its subsidiaries to run a formal vulnerability management programme with corporate KPIs, and the subsidiary entrusted it to us in full — not just detecting and reporting, but resolving.
How we approached it
- Embedding the dedicated team under clear governance — Hard2bit professionals based at the client's offices, part of the daily routine but with roles, responsibilities and escalation paths defined by contract. Who decides what, who answers to whom and what gets measured each month was agreed from day one: embedding works because governance is never improvised.
- Infrastructure operations with evidence discipline — systems, network and platform administration with every change documented, every incident traced and every procedure written down. When the parent company audits the subsidiary — and an international parent does audit — operations have nothing to reconstruct: the evidence already exists, because it is produced as a by-product of operating properly.
- The full vulnerability cycle: detect, prioritise, resolve, verify — recurring infrastructure scanning; prioritisation by real risk (technical severity, exposure and business context); remediation executed by the team itself (patches, reconfigurations, coordinated change windows); and subsequent verification that each vulnerability is gone. The report is not the end of the service: it is the by-product of a loop that closes.
- Monthly reporting to the parent with the group's corporate KPIs — every month, the security indicators the group requires from its subsidiaries, calculated to the corporate criteria and backed by traceable evidence. The subsidiary reports to its parent with figures that withstand a group audit, not with promises.
- Continuous improvement and successive renewals — periodic service reviews with the client: what worked, which KPIs moved, what the business needs next year. Every annual renewal has been an exam passed, and the scope has grown with the relationship — vulnerability management with remediation being the most recent example.
Results
~10 years of a relationship renewed year after year, with a growing scope
100% of the parent company's security KPIs met over the last 3 financial years
1 single team: Hard2bit staff embedded as part of the client's own workforce
Nearly a decade on, the subsidiary's infrastructure is run by the same service — by people who know every system, every process and every stakeholder — and security has gone from being a parent-company requirement to a metric the subsidiary shows off: three consecutive financial years meeting every corporate KPI in the group, with evidence that has passed every internal audit without significant findings.
The figure that best sums up the case is not a technical one: at the client's offices, the Hard2bit team is not treated as a supplier. It is treated as the part of the workforce that has sat at the next desk for ten years — because, for all practical purposes, it is.
What made it work
- Long-term outsourcing is trust re-validated at every renewal: ten years are not signed once — they are earned ten times.
- Resolving — not merely reporting — is what moves the KPIs. A vulnerability report without remediation is an inventory of pending problems.
- Operating under the governance of an international parent demands traceability and evidence, not promises: every reported figure must survive somebody pulling the thread.
Frequently asked questions
What does having staff based at the client's offices mean, and when does it beat a remote service?
It means Hard2bit professionals work day in, day out at the client's premises, embedded in their teams, using their tools and keeping their hours — with the backing, training and accumulated knowledge of our whole company behind them. It pays off when the infrastructure is business-critical, when there is constant interaction with internal departments, or when the context — group audits, regulation, legacy systems — demands people who know the house from the inside. For narrower or one-off scopes, a remote service is usually more efficient; many clients combine both models.
What is the difference between vulnerability management "with remediation" and a detection-only service?
A detection service scans, prioritises and hands over a report: remediation is left to the client, and that is exactly where most programmes stall. In a service with remediation, the same team that detects also fixes — patching, reconfiguring, coordinating change windows — and then verifies the vulnerability is genuinely gone. The loop closes inside the service, and that is what shows up in the KPIs: they do not count findings, they count exposure removed.
How do you report to an international parent company — KPIs, evidence, group audits?
With the discipline a parent company expects: corporate KPIs calculated to the group's criteria (not ours), delivered monthly in its format and to its calendar, and backed by traceable evidence: scan records, remediation tickets, post-fix verification. When the group's internal audit reviews the subsidiary, every reported figure has a documentary trail behind it. Reporting well to a parent company is not about polished slides: it is about no number falling apart when somebody pulls the thread.
How does an outsourcing relationship last nearly a decade?
By being renewed on results, not on inertia. Every annual renewal is an exam: the year's KPIs, incidents handled, audits passed, and an honest conversation about what to improve next year. Continuity of the on-site team matters too (the people who know the infrastructure and the business do not rotate every six months), as does the ability to grow with the client: today's service is not the one originally signed, because the client's needs are not either.
Does your infrastructure deserve a team that stays?
We manage infrastructure and security with dedicated teams — on-site or remote — that resolve, document and report with KPIs that withstand an international parent company's audit. Ten years of renewals back it up.