1. Documentation and Communication
- IT providers should deliver regular documentation, including:
  - Backup reports
  - Executive summaries
  - System status reports
  - Recommendations for implementation
  - Clear communication about outdated systems and necessary upgrades
- Lack of documentation often indicates broader neglect of the systems themselves
2. Front-End vs Back-End Service Quality
- Poor response times and poor customer service usually indicate deeper technical issues
- If client-facing service is poor, behind-the-scenes maintenance is likely neglected too
- Common issues found in such environments include:
  - Outdated firewall firmware
  - Expired security subscriptions (e.g., firewall threat-protection or signature feeds that silently stop updating)
  - Poor system maintenance
  - Neglected updates and patches
3. Regular Strategic Planning Meetings
- Quarterly or bi-annual planning meetings should occur
- Meetings should cover:
  - 3-year strategic planning
  - 1-year detailed plans
  - 90-day action items
  - Progress reviews against the previous plan
  - Security updates and improvements
- Having no documented strategic plan can become a legal liability if a breach occurs
4. Clear Role Segregation
- The IT provider should have specialized teams or roles for:
  - Help desk support
  - Proactive maintenance
  - Project implementation
  - Security oversight
- Without role segregation, reactive (help desk) work tends to crowd out proactive maintenance
5. Third-Party Security Validation
- Regular vulnerability scans should be performed by an independent third party, not only by the provider itself
- Independent security assessments provide an unbiased evaluation of the provider's work
- Assessment reports should be shared with clients unedited, including any findings that reflect poorly on the provider
- Quarterly assessments are the recommended minimum cadence
6. Established Security Standards
- The IT provider should have clear, documented security standards
- Standards should be:
  - Transparent and shareable with clients
  - Based on recognized frameworks (e.g., CIS Controls, NIST CSF) and the regulatory requirements that apply to the client (e.g., PCI DSS, HIPAA)
  - Regularly reviewed and updated
  - Tailored to the client's regulatory requirements
Red Flags to Watch For
- IT provider is unable to articulate its security standards
- Reluctance to share specific security practices
- No regular planning meetings or documentation
- Poor response times to support requests
- Lack of proactive system maintenance
- No third-party security validation
- Disorganized server rooms or infrastructure (cabling, labeling, and physical order reflect overall discipline)
Recommendations for Business Owners
- Document and track the IT provider's performance over time
- Request regular security and system reports
- Participate in strategic planning sessions
- Ask about the security standards and frameworks the provider follows
- Consider commissioning your own third-party security assessment
- Act quickly if concerns arise ("hire slow, fire fast")
- Start vetting new providers as soon as the current one shows warning signs
Notable Quotes
"97% of breaches could have been prevented almost always." - Justin Shelley
"If everybody's responsible, nobody's responsible." - Bryan Lachapelle
"How you do anything is how you do everything." - Referenced from Robin Robins