6 Questions Smart Manufacturers Ask Their IT Provider Every Quarter
If you're
responsible for IT, compliance, cybersecurity, or plant operations, you're
carrying two responsibilities that often pull in opposite directions.
You need to protect
the business from cyber threats, compliance failures, and operational risk.
At the same time,
you can't do anything that disrupts production.
That's why quarterly
IT reviews matter.
Unfortunately, most
quarterly reviews aren't actually reviews. They're status meetings.
Tickets get
discussed. Projects get updated. Someone says everything looks good.
Then six months
later, an unsupported server fails, a customer security assessment uncovers
gaps, or a ransomware incident exposes weaknesses nobody knew existed.
The manufacturers
that consistently avoid these surprises do something differently.
They use quarterly
reviews to measure business risk, assign ownership, and make decisions.
Not discuss
technology.
The Question Most Manufacturers Are Asking Wrong
Most companies ask:
- Are we secure?
- Are our backups
working?
- Are systems up
to date?
Those aren't bad
questions.
They're just too
vague.
Elite manufacturers
ask questions that require proof.
Questions that
produce documentation.
Questions that
create accountability.
Questions that
reveal whether the organization is becoming stronger or simply getting lucky.
Question #1: What Security Risks Need Attention Right Now?
A good IT provider
should never answer this question with:
"Everything
looks great."
Instead, they should
identify:
- Systems that
remain unpatched
- Unsupported
hardware or software
- Vendor accounts
that still have access
- Privileged
accounts that need review
- Suspicious
login activity
- Risks being
deferred due to production constraints
The best providers
go one step further.
They rank risks by
business impact.
Manufacturing Risk Scorecard
|
Risk |
Likelihood |
Production Impact |
Score |
|
Unsupported engineering workstation |
Medium |
High |
8 |
|
Open vendor tunnel |
Medium |
High |
8 |
|
Wireless dead zone in production |
High |
Medium |
9 |
|
Shared engineering credentials |
Medium |
Medium |
6 |
|
Incomplete recovery testing |
Low |
High |
6 |
This prevents every
issue from becoming an emergency.
When everything is
critical, nothing is.
Question #2: Have You Tested Recovery, Not Just Backups?
This is where many
organizations discover the biggest gap in their preparedness.
Backups are not
recovery.
Backups are data.
Recovery is business
continuity.
A Real Recovery Failure Example
Imagine a
manufacturer hit with ransomware at 7:30 AM on a Monday.
The engineering file
server is encrypted.
The ERP environment
is taken offline as a precaution.
Production
supervisors can no longer verify inventory.
Purchasing loses
visibility into material requirements.
Scheduling cannot
generate reliable production plans.
The backup system
works exactly as expected.
That's the good
news.
The problem is
nobody has ever tested restoration sequence.
The IT team restores
engineering documentation first.
Then file shares.
Then authentication
systems.
ERP restoration
doesn't begin until later.
By Tuesday
afternoon, data has returned.
Operations hasn't.
Production spends
nearly two full days manually piecing together inventory, work orders, and
priorities.
The backup system
succeeded.
The recovery process
failed.
The Recovery Benchmark Mature Manufacturers Use
Strong organizations
don't simply ask whether backups exist.
They ask:
- Have recovery
procedures been tested this quarter?
- Do we know
restoration order?
- Can critical
production systems recover within business expectations?
- Have recovery
gaps been documented?
- Who owns each
recovery action item?
Recovery confidence
comes from testing, not assumptions.
Question #3: Where Is Technology Quietly Slowing Production?
Not every expensive
technology problem creates a help desk ticket.
Many become accepted
as part of daily operations.
Examples:
- Slow CAD
workstations
- Repeated
scanner disconnects
- Wireless dead
zones
- ERP jobs that
take longer every month
- Workstations
that need frequent reboots
- Machines that
lose connectivity intermittently
Each issue seems
small.
Together they
consume hundreds of productive hours every year.
Ask your provider:
- Which issues
occur most often?
- Which systems
generate the most complaints?
- What aging
equipment needs replacement?
- What
workarounds have employees created?
One of the biggest
warning signs isn't the number of complaints.
It's when complaints
stop because employees no longer expect improvement.
Question #4: Would We Pass a Security Review Today?
Many leaders view
compliance as an annual event.
Unfortunately,
that's not how customers, insurers, or auditors think.
Today, security
reviews can come from:
- Customer
security teams
- Cyber insurance
carriers
- Supply-chain
partners
- Defense
manufacturing requirements
- Regulatory
auditors
The strongest
organizations prepare before those requests arrive.
How These Questions Align With External Reviews
|
Review Area |
Why It Matters |
|
Risk Management |
Common expectation across security
frameworks |
|
Recovery Testing |
Frequently reviewed during audits
and insurance renewals |
|
Vendor Access Controls |
Common focus in customer security
questionnaires |
|
Network Segmentation |
Frequently evaluated within
operational technology environments |
|
Access Reviews |
Core requirement in most mature
security programs |
|
Documentation & Ownership |
Often determines whether controls
can be proven |
The real question
isn't:
"Are we
compliant?"
The better question
is:
"Could we prove
our controls work this week?"
Question #5: What Should We Budget for Before It Becomes an Emergency?
Most emergency
spending starts as a visible risk.
Nobody acted early
enough.
Every quarterly
review should include:
- Aging servers
- Firewall
replacement timelines
- Warranty
expirations
- Storage growth
- Wireless
infrastructure health
- Network
hardware lifecycle concerns
- Backup platform
upgrades
- High-availability
improvements
The goal isn't
spending more.
The goal is
eliminating surprises.
Elite organizations
replace infrastructure before it becomes a production event.
Question #6: Where Are We Falling Behind?
This may be the most
valuable question in the entire review.
Ask your provider:
- Are IT and OT
networks properly separated?
- Are vendor
sessions monitored?
- Are remote
access sessions logged?
- Are firewall
rules documented?
- Are engineering
systems protected differently than office systems?
- Are new
smart-factory initiatives creating hidden risk?
- Are we prepared
for future customer security requirements?
Strong providers
don't simply maintain technology.
They identify gaps
before someone else finds them.
How One Manufacturer Reduced Recovery Risk in 90 Days
One manufacturer
believed recovery readiness was solid because backups completed successfully
every night.
During a quarterly
review, a deeper assessment uncovered several problems:
Findings
- Recovery
procedures were undocumented.
- Critical system
restoration order was undefined.
- Vendor access
reviews had not been completed recently.
- Engineering and
business recovery priorities conflicted.
Actions Taken
- Documented
restoration sequence.
- Assigned
recovery owners.
- Conducted
recovery testing.
- Reviewed remote
vendor access.
- Updated
executive risk reporting.
Results
Within 90 days,
leadership had:
- Defined
recovery ownership.
- Documented
restoration priorities.
- Identified
recovery gaps.
- Established
quarterly testing requirements.
- Improved
confidence in outage response.
The technology
barely changed.
The process improved
dramatically.
That's usually where
the biggest gains happen.
The Quarterly Review Maturity Scorecard
Use this scorecard
during every quarterly review.
|
Area |
Score (1-10) |
|
Security Risk Management |
8 |
|
Recovery Readiness |
7 |
|
Vendor Access Governance |
5 |
|
Network Segmentation |
6 |
|
Compliance Documentation |
7 |
|
Asset Lifecycle Planning |
8 |
|
Executive Visibility |
6 |
Any score below 7
deserves discussion.
Any score below 5
deserves action.
The Executive Dashboard Leadership Should Receive
A quarterly review
should result in a one-page executive dashboard.
Top Risks
- Unsupported
engineering workstation
- Vendor access
review overdue
- Recovery
testing gaps
Status Changes
- One risk closed
- Two risks
reduced
- Three risks
remain open
Budget Requests
- Wireless
infrastructure refresh
- Firewall
replacement
- Backup storage
expansion
Assigned Owners
- IT Manager
- Engineering
Lead
- Infrastructure
Lead
If leadership cannot
understand the organization's technology risk in five minutes, the reporting is
too complicated.
Five-Minute IT/OT Assessment
Answer yes or no.
- Are IT and OT
networks separated?
- Are vendor
connections controlled?
- Are remote
sessions logged?
- Are PLC
networks isolated?
- Are firewall
rules documented?
- Is every OT
device inventoried?
- Can you
identify every connected production asset?
Scoring
0-2 Yes Answers
Immediate improvement needed.
3-5 Yes Answers
Moderate maturity with visible gaps.
6-7 Yes Answers
Strong foundation with room for refinement.
What Elite Manufacturers Do Differently
Average
manufacturers hold quarterly IT meetings.
Elite manufacturers
leave with artifacts:
- Risk register
- Assigned owners
- Due dates
- Recovery test
results
- Vendor access
review findings
- Executive
dashboards
- Budget
recommendations
One creates
discussion.
The other creates
accountability.
Next Week's Action
Ask your IT provider
for three documents:
- The latest
quarterly risk summary.
- The most recent
recovery testing results.
- The latest
vendor access review.
The answers will
tell you more about your security posture than another hour-long meeting ever
will.
Schedule Your 10 Minute Discovery Call
Schedule your 10
minute discovery call with 911 IT.
Bring your latest
quarterly risk summary, recovery test results, and vendor access review. This
helps you confirm whether these risks apply to your environment and identify
the one gap that deserves attention first.
