Choosing a managed IT provider is a bit like hiring a surgeon you will never watch operate. You are trusting someone with the thing that keeps your business alive, mostly based on a sales call and a gut feeling. And the sales calls all sound the same. Everyone says “24/7 support,” everyone says “proactive,” everyone has a slick deck and a friendly account manager.
So how do you actually tell them apart? You ask better questions. Here are the ones that cut through the pitch and reveal who you are really dealing with, plus the answers that should make you nervous.
“Is your help desk and security team in-house, or outsourced?”
This is the single most revealing question, and almost nobody asks it. A lot of providers quietly subcontract their after-hours support and their security monitoring to a third party, sometimes overseas, sometimes a white-labeled service they have never met. That means when you have a real emergency, the people helping you do not know your environment and have no skin in the game.
The answer you want is that the team is in-house. It matters most for security. A provider running its own Security Operations Center can respond faster and with real context, because the people watching your alerts are the same people who set up your systems.
“What is your guaranteed response time, and is it in the contract?”
“We are very responsive” is not an answer. You want a specific, contractual number for how fast they acknowledge an issue, and ideally separate numbers for routine tickets versus emergencies. Then ask how they measure it and whether they will show you the data. A provider who tracks first response and resolution rates and shares them openly is a provider who is confident in them.
For reference, the standard we hold ourselves to is a 10-minute average first response, with most issues resolved on the first contact. Ask any provider for their real numbers. Vague answers here are a tell.
“What happens in the first hour of a ransomware attack?”
This question separates the IT shops from the security companies. A weak provider will talk vaguely about restoring backups. A strong one will walk you through a real plan: how they contain the threat, preserve evidence, restore from protected backups, and handle your compliance and notification obligations. If security sounds like an afterthought or an add-on product, that is your answer about how they actually think.
“How do you price, and what is not included?”
The dangerous providers are the ones with a low monthly rate and a long list of things that trigger extra invoices. Ask directly: is this all-inclusive per user, and what would generate a surprise charge? You are looking for predictability. The cheapest quote often becomes the most expensive relationship once the project fees and “out of scope” invoices start arriving.
“Can you handle our compliance and industry requirements?”
If you are in a regulated field, this is not optional. A medical practice needs a provider fluent in HIPAA. A defense supplier needs one who works in CMMC and NIST 800-171. A law firm needs matter-level access controls and wire-fraud defenses. Ask whether they work in your specific frameworks daily, and whether they can show their own posture. We hold our own SOC 2 Type II attestation, for example, which means we can show you our audit rather than just describe one.
“Who actually owns the relationship, and will it change?”
Ask who your point of contact will be and how often that changes. One of the most common complaints about IT providers is the revolving account manager, a new face every few months who has to relearn your business each time. Continuity is part of the service.
“How do you onboard us, and how long does it take?”
A serious provider treats onboarding as their project to manage, not a burden they hand to you. Ask for the steps and the timeline. A clear answer (discovery and documentation, a security baseline, a help desk cutover, a stabilization period) signals a mature operation. A hand-wave signals chaos ahead.
“Will you give me references in my industry?”
Finally, ask to talk to a client who looks like you, in your industry and roughly your size. A confident provider says yes immediately. Then actually make the call and ask that reference the simplest question of all: when something went wrong, what happened?
The meta-point
Notice the pattern in these questions. They are all really asking one thing: when it matters, will this provider actually show up, and do they treat security as the core of the job or as a product they upsell? The slick deck cannot answer that. The specific questions can.
This is the gap we were built to fill. We are a cybersecurity-first managed IT provider with an in-house team and SOC, clear response standards, and transparent pricing, serving businesses across Southern California. You can see how we approach the work on our managed IT services and cybersecurity services pages, with dedicated support for fields like healthcare, law firms, and professional services.
Shopping for a new IT partner?
If you are evaluating providers and want one that answers every question above without flinching, reach out. We support companies across the region, from Los Angeles to Orange County and San Diego, and switching to us is our project to manage, not yours.