6 Questions Smart Engineering Firms Ask Their IT Provider Every Quarter
If you're only talking to your IT provider when something breaks, you're
doing it wrong.
Most engineering firms don't worry about technology every day. They worry
about project deadlines, staffing challenges, client expectations, and keeping
work moving.
Then an RFP asks for proof of cybersecurity controls.
A municipality wants documentation showing how project data is protected.
A healthcare client requests evidence of security practices.
A cyber insurance renewal asks questions no one is completely confident
answering.
Suddenly, technology isn't an IT issue anymore.
It's a leadership issue.
The firms that navigate these situations well aren't necessarily spending
more on technology. They're reviewing it consistently, documenting what they
find, and addressing issues before they become problems.
Here's the simple version:
A quarterly IT review shouldn't tell you whether everything is fine.
It should tell you exactly where you're exposed, what's improving, and
what needs attention next.
Question 1: What Security Risks Need Attention Right Now?
Every engineering firm has vulnerabilities.
The important question is whether anyone is actively identifying them.
Ask your IT provider:
- Which systems
are missing security updates?
- Have there been
unusual login attempts?
- Are any users
carrying unnecessary administrative privileges?
- Does anyone
still have access who shouldn't?
- Which
vulnerabilities have remained unresolved for more than 30 days?
Avoid vague answers.
"Everything looks good" is not useful.
You want specifics.
A good provider should be able to show what was discovered, what was
fixed, and what remains under review.
Because invisible risks are usually the ones that create the biggest
surprises.
Question 2: Have You Tested Our Backups Recently?
Many firms believe they're protected because backups exist.
That assumption causes problems.
Ask:
- When was the
last recovery test?
- What data was
restored?
- How long did
recovery take?
- Were any issues
discovered?
- Are cloud
applications included in backup coverage?
A backup that has never been tested is not a recovery strategy.
It's a theory.
When a project folder is accidentally deleted or a server experiences a
failure, that's a terrible time to discover recovery isn't working the way
everyone assumed.
Quarterly reviews should eliminate uncertainty long before an outage
occurs.
Question 3: Where Is Technology Slowing Engineers Down?
Not every technology problem generates a support ticket.
Most productivity losses happen quietly.
Examples include:
- Revit models
taking too long to synchronize
- Civil 3D files
loading slowly
- Drawing sets
transferring slowly between offices
- Field staff
struggling with remote access
- Engineers
waiting on systems multiple times each day
Each delay seems minor.
Combined, they become a significant operational expense.
Ask:
- What recurring
performance issues are we seeing?
- Which systems
generate the most complaints?
- Are
workstations still appropriate for current workloads?
- What should be
upgraded, optimized, or replaced?
Technology should help engineers move faster.
Not teach them to tolerate inefficiency.
Question 4: Are We Still Aligned With Current Compliance Requirements?
Compliance isn't static.
Requirements change.
Contracts change.
Cyber insurance requirements change.
Client expectations change.
Engineering firms often encounter requirements connected to:
- Municipal
infrastructure projects
- Utility
contracts
- Healthcare
facility work
- Defense-related
engagements
- Cyber insurance
renewals
Ask:
- Have any
requirements changed recently?
- Are there gaps
in our policies?
- Is additional
employee training needed?
- Do we have
current documentation supporting our controls?
- Could we answer
a client questionnaire confidently tomorrow?
This matters because external evaluators don't judge what you intended to
do.
They judge what you can prove.
That distinction becomes very important during audits, procurement
reviews, insurance renewals, and client security assessments.
Question 5: What Should We Budget For Next Quarter?
The most expensive IT purchases are usually the unexpected ones.
Quarterly reviews should provide visibility into:
- Aging
workstations
- Infrastructure
nearing end-of-life
- Warranty
expirations
- Software
renewals
- Storage growth
- Security
investments that should be planned rather than rushed
Good planning creates options.
Poor planning creates emergencies.
You shouldn't be learning about critical upgrades only when something
fails.
Question 6: Where Are We Exposed Because No One Owns The Process?
Many technology failures aren't technical failures.
They're ownership failures.
Ask:
- Who reviews
access permissions?
- Who validates
backup recovery?
- Who reviews
security alerts?
- Who maintains
compliance documentation?
- Who removes
former employee access?
- Who verifies
unresolved vulnerabilities are addressed?
When ownership is unclear, responsibility quietly migrates toward
leadership.
Eventually, someone discovers an important task was assumed to be handled
by someone else.
Quarterly reviews should expose those gaps before they become incidents.
How One Engineering Firm Found Three Hidden Risks In 30 Minutes
A 45-person engineering firm believed its technology environment was in
excellent shape.
Projects were on schedule.
No major outages had occurred.
Employees rarely complained.
During a quarterly review, three issues surfaced:
Risk #1: Former Contractors Still Had Access
Several inactive contractor accounts retained access to archived project
folders.
Risk #2: Backup Testing Had Stopped
Backups were running successfully, but no recovery test had been
performed in nearly a year.
Risk #3: MFA Wasn't Fully Deployed
A handful of accounts still lacked multifactor authentication.
None of these issues had caused an incident.
Yet all three represented unnecessary risk.
Within two weeks:
- Contractor
access was removed
- Recovery
testing was completed
- MFA deployment
reached full coverage
No emergency.
No breach.
No disruption.
Just visibility.
That's the value of a quarterly review.
How Mature Is Your Quarterly IT Review?
|
Level |
What It Looks Like |
|
Level 1 |
No formal review process |
|
Level 2 |
Occasional discussions |
|
Level 3 |
Documented quarterly reviews |
|
Level 4 |
Evidence-based reviews with metrics
and ownership |
|
Level 5 |
Executive reporting, accountability,
and trend tracking |
Most firms believe they're operating at Level 4.
Many are actually operating at Level 2.
Documentation is usually the difference.
The Quarterly IT Scorecard Every Leadership Team Should Review
|
Area |
Status |
Risk Level |
|
Backups |
Green |
Low |
|
Multifactor Authentication |
Yellow |
Medium |
|
Access Reviews |
Red |
High |
|
Vulnerability Management |
Yellow |
Medium |
|
Endpoint Protection |
Green |
Low |
|
Compliance Documentation |
Yellow |
Medium |
This type of scorecard provides leadership visibility without requiring
technical expertise.
Five Metrics Worth Tracking Every Quarter
At minimum, request:
- MFA coverage
percentage
- Backup recovery
success rate
- Number of
inactive accounts removed
- Average
workstation age
- Critical
vulnerabilities open longer than 30 days
Without metrics, you're relying on opinions.
With metrics, you're measuring progress.
Questions Your IT Provider Should Never Dodge
A strong provider welcomes these questions.
Ask:
- Show me the
last recovery test.
- Show me
privileged accounts.
- Show me
unresolved vulnerabilities.
- Show me
evidence of access reviews.
- Show me MFA
coverage.
- Show me
compliance documentation gaps.
The goal isn't perfection.
The goal is visibility.
One-Page Quarterly Review Template
|
Review Item |
Owner |
Risk Level |
Due Date |
|
Backup Recovery Validation |
IT Provider |
High |
Quarterly |
|
Access Review |
Operations |
High |
Quarterly |
|
MFA Verification |
IT Provider |
Medium |
Quarterly |
|
Compliance Documentation Review |
Leadership |
Medium |
Quarterly |
|
Asset Lifecycle Review |
IT Provider |
Medium |
Quarterly |
|
Risk Remediation Assignment |
Leadership Team |
High |
Quarterly |
Use this framework every quarter and you'll have more operational
visibility than most firms.
Your Next-Week Action
Before next week ends, ask your IT provider for the results of the most
recent backup recovery test.
Not whether backups are running.
Ask what was restored, how long recovery took, what issues were
discovered, and what changes were made afterward.
The quality of that answer will tell you a great deal about your actual
level of resilience.
Schedule your 10 minute discovery call with 911 IT. Use it to verify
whether your quarterly review process is identifying risks, assigning
ownership, and providing evidence instead of assumptions. You'll leave with a
clearer understanding of where you stand.
