What Should I Ask Any IT Company Before Hiring Them?
The questions most owners don't think to ask, and what a good answer actually sounds like. Ask them of anyone you're considering. Ask them of us, too.
Last reviewed: June 2026
Choosing an IT company is one of the higher-stakes decisions a business owner makes, and one of the few where most people don't know what they're supposed to be evaluating. So the conversation defaults to the one thing everyone can compare: price. That's exactly how businesses end up with the cheapest proposal and the weakest protection.
The fix isn't becoming an IT expert. It's asking a handful of the right questions and knowing what a good answer actually sounds like. Below are the questions most owners don't think to ask, and the honest answers a real partner gives versus the ones a vendor dodges. Ask these of anyone you're considering. Ask them of us, too.
1. "When something breaks, how fast will you respond, and will you put it in writing?"
Everyone promises great support. Far fewer will commit to it on paper.
What you're listening for is a real SLA, a Service Level Agreement that defines, in writing, how quickly you'll get a response. The vague version sounds like "we'll get to it as soon as we can." The real version is a number you can hold them to.
It's also worth asking who actually picks up and where they are. There's a meaningful difference between reaching a live person quickly and sitting in a queue, or being routed to an overseas call center reading from a script.
For reference, our standard is a real person on the phone, typically in under three minutes, around the clock, and our help desk is entirely US-based. If a provider won't commit to response times in writing, or can't tell you who you'll actually be talking to, that tells you something.
2. "What exactly is in your security stack, and how would you prove it's working?"
This is the most important question on the list, and the one most likely to get a fog of buzzwords in response. (In our first article we called this "comparing oranges to seagrass": two security packages that look identical on paper but protect you completely differently.)
Push past the labels. A serious answer covers a few real layers:
- Threat detection and response. Modern protection like XDR (extended detection and response) that watches across your systems, not just antivirus on a laptop.
- A Security Operations Center (SOC). A real team monitoring 24/7. Ask what it actually watches. Ours ingests event logs, Microsoft 365 activity, and endpoint protection data and correlates it in real time, so threats are caught in the noise rather than weeks later.
- Multi-factor authentication (MFA), required, not "available."
- Ongoing user education, because your people are the most-targeted layer. We provide annual cybersecurity training with continuing-education credits.
- vCISO-level oversight. Someone accountable for your security posture over time, not a tool you were sold once.
Then ask the question that separates real protection from theater: "How would you prove it?" A real partner works from evidence (logs and records that show what happened and when) rather than a reassuring "we've got it handled." We hold ourselves to evidentiary logging, and we advise clients to do the same with their own policies: documentation that would actually stand up, not binders that sit on a shelf. The day you discover the difference shouldn't be the day you file an insurance claim.
3. "Which compliance frameworks do you actually work with, and which don't you?"
Here's a question where the most honest answer is the most reassuring one.
If a provider claims they do everything, be skeptical. Compliance is specialized, and a partner who tells you where they're not the right fit is a partner you can trust on everything else.
To model the kind of straight answer you should expect: we typically measure clients against the CIS framework and can measure against NIST. We do not currently work in CMMC or ITAR, so if those are central to your business, we'll tell you that up front rather than learning it together later. That kind of clarity is the whole point. Vague claims of "full compliance support" usually unravel at exactly the wrong moment.
4. "Will you help me plan, or just fix tickets?"
This is the line between a vendor and a partner, and it's the heart of the matter.
A vendor reacts. Something breaks, you call, they fix it, you wait for the next fire. A partner is engaged in where your business is going. Ask whether you'll have regular strategic reviews (we sit down with most clients quarterly to look at their current security status and what's ahead) and whether someone is providing executive-level guidance (the virtual CIO, CISO, and CTO role) rather than just closing tickets.
The simplest tell: does the relationship include someone thinking about your business, or only your devices? You're hiring for the former. The latter is a commodity.
5. "What's included, and what will I actually be billed for?"
We covered this in depth in our pricing article, so we'll keep it short: get the fully-loaded picture. Ask what's genuinely included in the monthly rate, what's a separate line item (software licensing and equipment usually are), and under what circumstances a "surprise" bill could ever appear. A low headline price stacked with add-ons (death by a thousand cuts) almost always costs more than an honest all-inclusive number. Make them show you the real total.
The short checklist
Bring these to any provider you're evaluating:
- Do you have written SLAs, and what are your response times? Who answers, and where are they based?
- What's in your security stack (detection, SOC coverage, MFA, training, oversight), and how would you prove it's working?
- Which compliance frameworks do you actually work with, and which don't you?
- Will I get strategic guidance and regular reviews, or only break-fix support?
- What's included in the price, and what will I be billed for separately?
The bottom line
A vendor sells you a service. A partner takes responsibility for an outcome: your business being secure, supported, and able to grow without technology getting in the way. The questions above are simply how you tell them apart before you sign, instead of after something goes wrong.
And that's why the right first step isn't a quote, it's a cybersecurity assessment. You can't prescribe the right treatment plan without the proper diagnostic.
Let's start there: an honest look at where your business actually stands, and a clear picture of what protecting it should involve.