How to Evaluate Your IT Service Provider

IT Provider Evaluation Guide 

Choosing the right IT partner impacts your security, your operational efficiency, your team’s productivity, and your reputation with your own customers. Many business leaders rely on gut instinct: “Something feels wrong, but I can’t see it.” 

This guide will help you make the invisible visible. 

Below is a structured set of questions—with ideal answers, red flags, and explanations—that you can use to evaluate whether your current provider is truly protecting and supporting your business… or simply reacting to problems as they arise. 

 

1. “How are you identifying risks in our environment before they become problems?”

 

Ideal Answer (What Good Looks Like): “We complete regular, structured reviews of your security, stability, and configuration. We compare your environment against industry best practices, cybersecurity frameworks, and learned experiences to identify and bring risks to your attention with recommendations and timelines for remediation.”

Red Flags: “We fix things as they come up.”, “We haven’t noticed any major issues.”

What to Look For: A mature provider should have a documented and recurring risk assessment process. Lack of structure = unseen gaps.

 

2. “What risks are you actively tracking for our business right now?”

 

Ideal Answer: A clear, specific list of active risks such as missing MFA, outdated firewalls, unsupported systems, backup gaps, and unpatched vulnerabilities—plus what’s being done about each. All risks and recommendations should be tied back to cybersecurity frameworks like CIS Controls and the NIST Cybersecurity Framework.

Red Flags: “I’d have to check.”, “We don’t see any major risks.”, “Everything seems fine.”

What to Look For: Cybersecurity and business risk require a proactive, predictable process that is assigned to a dedicated resource. If identifying and reviewing risk falls on the support desk technicians, it won’t be done consistently. A mature IT service provider will have resources dedicated to this function within their org chart.

3. “How do you ensure we don’t have unseen gaps like missing MFA, outdated systems, or configuration drift?”

 

Ideal Answer: “Your system is measured against a defined security baseline. If something drifts—like MFA disabled or updates missed—our tools notify us and we fix it proactively.”

Red Flags: “We assume MFA is turned on.”, “We patch when needed.”, “We rely on Microsoft for most of that.”

What to Look For: You want automation and standards, not guesswork.  There should be a defined process, with people assigned to maintaining your technology to current standards and requirements.  This cannot fall on the support desk, or technicians who have other responsibilities.

 

4. “How do you plan our IT needs in advance to avoid surprises?”

 

Ideal Answer: “We forecast hardware lifecycles, licensing, security, growth, and infrastructure needs so you can plan your budget well in advance. We’ll meet with you on a periodic basis to review the state of your technology and to share recommendations for your consideration.”

Red Flags: “We’ll let you know when something breaks.”, “We don’t forecast that far ahead.”

What to Look For: Budget predictability, not last-minute emergencies. You want regular review meetings, with actionable reports and investment opportunities presented ahead of time.

 

5. “How do you keep our technology aligned with modern best practices over time?”

 

Ideal Answer: “We have a recurring standards review process—biweekly or monthly—where we evaluate your systems and update configurations to keep everything modern and secure.  We align ourselves with cybersecurity frameworks like CIS Controls and NIST Cybersecurity Framework.”

Red Flags: “We upgrade things when they need it.”, “Your system has been working fine for years.”

What to Look For: If you never hear about standards, your provider is reactive.  The world of technology management and cyber risk is changing so fast that it’s essential to follow proven frameworks and best practices.  This is an objective approach to reviewing and managing risk instead of gut-feel recommendations.

 

6. “How do you track and reduce the number of support tickets we have each month?”

 

Ideal Answer: “We review your ticket patterns monthly and eliminate the root causes through proactive alignment work. Our goal is to identify trends and find ways to reduce the number of interruptions you have from technology over time so that your staff can be more productive.”

Red Flags: “We can’t really control that.”, “We just focus on fast responses.”

What to Look For: A mature provider should be obsessed with reducing tickets—not celebrating how fast they close them.  A mature IT Services Provider can reduce the number of tickets by having people in proactive roles (who do not sit on the support desk) that are focused exclusively on improving the Stability, Security, Strategic Alignment, and Supportability of your systems.

 

7. “How do you shorten the time it takes to resolve issues, not just respond to them?”

 

Ideal Answer: “We reduce complexity by standardizing your environment, improving documentation, and eliminating recurring issues.  We aim to resolve 70% of the tickets on the same day they’re created.  That way we know our team is responding quickly, working efficiently, and helping your team get back to work and serving your clients.”

Red Flags: “Our goal is fast response times.”

What to Look For: Fast response ≠ fast resolution. Better design = faster fixes.

 

8. “How do you prevent recurring issues from disrupting our staff?”

 

Ideal Answer: “We analyze recurring tickets, identify the root cause, and work to permanently fix the underlying issue.”

Red Flags: “If it happens again, just send another ticket.”

What to Look For: Recurring issues = poor design or poor process.

 

9. “What is your process when you discover a pattern of recurring issues?”

 

Ideal Answer: “We document it, escalate it to alignment, update standards, correct configurations, and report back on the improvement.”

Red Flags: “We fix problems as they appear.”

What to Look For: Patterns should result in systemic fixes, not repeated tickets.

 

10. “How do you align your IT work with our business goals—not just fix technical problems?”

 

Ideal Answer: “Through regular strategic reviews, we map your IT plan to your business plan so your technology supports growth, margin, efficiency, and risk reduction.”

Red Flags: “We handle support—strategy is up to you.”

What to Look For: Technology should be a business tool, not just a technical service.

 

Your next steps

At this point, you don’t need to rely on instinct anymore.

You now have a clear set of questions to understand what your IT provider is actually doing, how they’re managing risk, and whether they’re proactively supporting your business or simply reacting when issues arise. 

The next step is simple.

Start asking these questions.

Pay attention not just to the answers, but to how clearly and confidently they’re explained. A strong IT partner should be able to show you what’s being done, how it’s being measured, and how it’s improving over time.

If the answers feel vague, inconsistent, or reactive, that’s your signal to dig deeper.

Your technology should be making your business more stable, more secure, and easier to run, not adding uncertainty.

If you’d like a second perspective or help evaluating what you’re hearing, we’re always available to have that conversation.

 

Author: Jesse Hill is the president of Tier 3 I.T. Solutions, optimizing business technology since 1990.
