Your IT Systems: How Well Do You Really Know The Providers Who Help Support One Of Your Most Important Assets?


As the leader of your organization, or even the head of your IT team, you rely on resources to help you accomplish your goals. Many organizations use third-party IT providers to support projects, services, or perhaps even as a means to transfer the entire organization’s IT function responsibilities externally.

Co-sourcing resources like this is becoming a more widely accepted practice. It is a common function in the industry as a cost-effective means of accomplishing goals with limited resources, allowing for access to skilled, experienced personnel backed by proven processes.

Selecting the right partner will provide great benefits and is a win-win for everyone.

But how do you select the right partner? IT is a tough business. While it is true that just about anyone with some technology prowess can hang out a shingle and start providing IT services, not everyone should. Much like noses, everyone seems to have an opinion on how to “do” technology, and every day there’s an article in the news about how technology makes things faster, cheaper, and easier to do. The harsh reality is that the current business technology environment is more complex due to that “simplicity”. Additionally, the threats and exposures we face make both the providers, and the purchasers, of technology services more complex.

When was the last time you spoke with your IT partner, team, or provider about their business practices? Here are some elements worth considering, regardless of the specific services you receive from the provider.

Key Relationship Questions

Have you had a business relationship conversation with your IT partner to understand their business, and how it operates? How big are they? How many employees do they have? Have you been to their office? Have you met their company executives? Are they local, or do you interact with a branch office? How long have they been in business? How are they organized? Are they a corporation, a partnership, or a sole proprietor? Do they have a contingency plan in the event of something happening to one of the principals? Do you have a file of your IT vendors, like you would for some of your key relationship vendors, such as your CPA firm, your legal firm, or your insurance broker?

These questions help to identify your IT positioning strategy, which in turn will assist you in determining the right IT partner for your organization. For example, if you’re a smaller organization, perhaps a smaller company is an appropriate fit. However, if you are a larger organization, and have an IT staff of your own, it would probably be more important to choose an organization with a team familiar with your business activities, and which possesses the resources necessary to allocate for both support needs, as well as for projects.

It’s equally important to have access to the IT firm’s executives. They are a valued resource for escalation assistance, for getting clarity on an issue or simply getting a question answered, or even as a strategic partner that may serve as both a resource and a sounding board. Sometimes having access to another executive, with a different perspective on your concerns, is exactly what is needed to put your mind at rest.

Operational Approach

How does the vendor operate? Do they have a formal team approach? Do you have a dedicated account manager that supports you on a day-to-day basis, or does your team call a technical resource that will “take care of everything”? How are projects estimated and documented? How are invoices formatted, and do they help you understand the charges (have you made a point to review them)? Do they have project managers, or do the technical resources perform the work, communicate and schedule their time, and are also responsible for providing status updates for the projects?

Taking a professional approach to these answers will increase your confidence in both the solutions and their execution. This leaves you to focus on your organization’s goals, knowing that you’ve selected the right partner to keep your systems aligned with those goals.

Have you asked your IT provider about their internal controls? What are they doing to protect their systems, and essentially, yours as well? Do they engage in a third-party risk assessment by a reputable firm? Are they willing to share the assessment results with you? Are they willing to disclose their policies and procedures to you? If they’re unwilling to share that information, or are not doing these things, how can you possibly know that their systems are secure? Remember, you have permitted your provider full, backdoor access to your systems in order to protect you, not to expose you, unwittingly, to threats that may compromise your business.

Strategy and Communications

Does your vendor work with you and your IT team to regularly discuss your IT operations activities, and how those activities can be improved? Do they provide reports, or dashboards, highlighting status of key activities like your antivirus updates, patch level status, or backup history? Do they manage your user security awareness training programs, review the results with you, as well as document all of the reported phishing emails that your users send to IT? Do they provide regular educational opportunities and training sessions for your IT staff or contact to improve their skills or knowledge?

Do they help your team build an IT road map that outlines your IT strategy, keeping your IT systems and resources aligned with your business goals? You have quite a bit invested in your technology assets and resources, so it would be advisable to have a road map illustrating how IT is, or can be, aligned with your goals.

Errors and Corrections

Do you require that your IT partner have both business liability, and errors and omissions insurance? In today’s environment, you should require your IT provider to have both, and that they be willing to add you as a covered entity under each policy. If they don’t carry both types of coverage, you are undertaking a significant risk in light of the challenges posed by cyber security threats and exposures, as well as the risks from breaches of protected data, including employee information, that have occurred across many industries.


Even if you’ve had a long-term relationship with an IT provider, you should consider a discussion to address these questions. Regardless of whether they just sell you product, or manage your entire IT Department, you will be best served by creating a file on the organization, as they are a key component of your organization’s success. Equally, they may also be a risk that, as an informed leader, you will want to mitigate by understanding and managing your exposure to the best of your abilities.

If you’d like to discuss this topic in detail, or are interested in an evaluation document we compiled for a couple of our public entity clients, please call the office at 614.495.9658 and ask for Jason Long. Jason will coordinate a quick conversation, and help provide you with the document, along with some information and questions that you can ask your provider.