Man inspects checklist with magnifying glass as old and new computer devices behave differently in factory setting.

6 Questions Smart Manufacturers Ask Their IT Provider Every Quarter

July 13, 2026

6 Questions Smart Manufacturers Ask Their IT Provider Every Quarter

If you're responsible for IT, compliance, cybersecurity, or plant operations, you're carrying two responsibilities that often pull in opposite directions.

You need to protect the business from cyber threats, compliance failures, and operational risk.

At the same time, you can't do anything that disrupts production.

That's why quarterly IT reviews matter.

Unfortunately, most quarterly reviews aren't actually reviews. They're status meetings.

Tickets get discussed. Projects get updated. Someone says everything looks good.

Then six months later, an unsupported server fails, a customer security assessment uncovers gaps, or a ransomware incident exposes weaknesses nobody knew existed.

The manufacturers that consistently avoid these surprises do something differently.

They use quarterly reviews to measure business risk, assign ownership, and make decisions.

Not discuss technology.

The Question Most Manufacturers Are Asking Wrong

Most companies ask:

  • Are we secure?
  • Are our backups working?
  • Are systems up to date?

Those aren't bad questions.

They're just too vague.

Elite manufacturers ask questions that require proof.

Questions that produce documentation.

Questions that create accountability.

Questions that reveal whether the organization is becoming stronger or simply getting lucky.

Question #1: What Security Risks Need Attention Right Now?

A good IT provider should never answer this question with:

"Everything looks great."

Instead, they should identify:

  • Systems that remain unpatched
  • Unsupported hardware or software
  • Vendor accounts that still have access
  • Privileged accounts that need review
  • Suspicious login activity
  • Risks being deferred due to production constraints

The best providers go one step further.

They rank risks by business impact.

Manufacturing Risk Scorecard

Risk

Likelihood

Production Impact

Score

Unsupported engineering workstation

Medium

High

8

Open vendor tunnel

Medium

High

8

Wireless dead zone in production

High

Medium

9

Shared engineering credentials

Medium

Medium

6

Incomplete recovery testing

Low

High

6

This prevents every issue from becoming an emergency.

When everything is critical, nothing is.

Question #2: Have You Tested Recovery, Not Just Backups?

This is where many organizations discover the biggest gap in their preparedness.

Backups are not recovery.

Backups are data.

Recovery is business continuity.

A Real Recovery Failure Example

Imagine a manufacturer hit with ransomware at 7:30 AM on a Monday.

The engineering file server is encrypted.

The ERP environment is taken offline as a precaution.

Production supervisors can no longer verify inventory.

Purchasing loses visibility into material requirements.

Scheduling cannot generate reliable production plans.

The backup system works exactly as expected.

That's the good news.

The problem is nobody has ever tested restoration sequence.

The IT team restores engineering documentation first.

Then file shares.

Then authentication systems.

ERP restoration doesn't begin until later.

By Tuesday afternoon, data has returned.

Operations hasn't.

Production spends nearly two full days manually piecing together inventory, work orders, and priorities.

The backup system succeeded.

The recovery process failed.

The Recovery Benchmark Mature Manufacturers Use

Strong organizations don't simply ask whether backups exist.

They ask:

  • Have recovery procedures been tested this quarter?
  • Do we know restoration order?
  • Can critical production systems recover within business expectations?
  • Have recovery gaps been documented?
  • Who owns each recovery action item?

Recovery confidence comes from testing, not assumptions.

Question #3: Where Is Technology Quietly Slowing Production?

Not every expensive technology problem creates a help desk ticket.

Many become accepted as part of daily operations.

Examples:

  • Slow CAD workstations
  • Repeated scanner disconnects
  • Wireless dead zones
  • ERP jobs that take longer every month
  • Workstations that need frequent reboots
  • Machines that lose connectivity intermittently

Each issue seems small.

Together they consume hundreds of productive hours every year.

Ask your provider:

  • Which issues occur most often?
  • Which systems generate the most complaints?
  • What aging equipment needs replacement?
  • What workarounds have employees created?

One of the biggest warning signs isn't the number of complaints.

It's when complaints stop because employees no longer expect improvement.

Question #4: Would We Pass a Security Review Today?

Many leaders view compliance as an annual event.

Unfortunately, that's not how customers, insurers, or auditors think.

Today, security reviews can come from:

  • Customer security teams
  • Cyber insurance carriers
  • Supply-chain partners
  • Defense manufacturing requirements
  • Regulatory auditors

The strongest organizations prepare before those requests arrive.

How These Questions Align With External Reviews

Review Area

Why It Matters

Risk Management

Common expectation across security frameworks

Recovery Testing

Frequently reviewed during audits and insurance renewals

Vendor Access Controls

Common focus in customer security questionnaires

Network Segmentation

Frequently evaluated within operational technology environments

Access Reviews

Core requirement in most mature security programs

Documentation & Ownership

Often determines whether controls can be proven

The real question isn't:

"Are we compliant?"

The better question is:

"Could we prove our controls work this week?"

Question #5: What Should We Budget for Before It Becomes an Emergency?

Most emergency spending starts as a visible risk.

Nobody acted early enough.

Every quarterly review should include:

  • Aging servers
  • Firewall replacement timelines
  • Warranty expirations
  • Storage growth
  • Wireless infrastructure health
  • Network hardware lifecycle concerns
  • Backup platform upgrades
  • High-availability improvements

The goal isn't spending more.

The goal is eliminating surprises.

Elite organizations replace infrastructure before it becomes a production event.

Question #6: Where Are We Falling Behind?

This may be the most valuable question in the entire review.

Ask your provider:

  • Are IT and OT networks properly separated?
  • Are vendor sessions monitored?
  • Are remote access sessions logged?
  • Are firewall rules documented?
  • Are engineering systems protected differently than office systems?
  • Are new smart-factory initiatives creating hidden risk?
  • Are we prepared for future customer security requirements?

Strong providers don't simply maintain technology.

They identify gaps before someone else finds them.

How One Manufacturer Reduced Recovery Risk in 90 Days

One manufacturer believed recovery readiness was solid because backups completed successfully every night.

During a quarterly review, a deeper assessment uncovered several problems:

Findings

  • Recovery procedures were undocumented.
  • Critical system restoration order was undefined.
  • Vendor access reviews had not been completed recently.
  • Engineering and business recovery priorities conflicted.

Actions Taken

  • Documented restoration sequence.
  • Assigned recovery owners.
  • Conducted recovery testing.
  • Reviewed remote vendor access.
  • Updated executive risk reporting.

Results

Within 90 days, leadership had:

  • Defined recovery ownership.
  • Documented restoration priorities.
  • Identified recovery gaps.
  • Established quarterly testing requirements.
  • Improved confidence in outage response.

The technology barely changed.

The process improved dramatically.

That's usually where the biggest gains happen.

The Quarterly Review Maturity Scorecard

Use this scorecard during every quarterly review.

Area

Score (1-10)

Security Risk Management

8

Recovery Readiness

7

Vendor Access Governance

5

Network Segmentation

6

Compliance Documentation

7

Asset Lifecycle Planning

8

Executive Visibility

6

Any score below 7 deserves discussion.

Any score below 5 deserves action.

The Executive Dashboard Leadership Should Receive

A quarterly review should result in a one-page executive dashboard.

Top Risks

  1. Unsupported engineering workstation
  2. Vendor access review overdue
  3. Recovery testing gaps

Status Changes

  • One risk closed
  • Two risks reduced
  • Three risks remain open

Budget Requests

  • Wireless infrastructure refresh
  • Firewall replacement
  • Backup storage expansion

Assigned Owners

  • IT Manager
  • Engineering Lead
  • Infrastructure Lead

If leadership cannot understand the organization's technology risk in five minutes, the reporting is too complicated.

Five-Minute IT/OT Assessment

Answer yes or no.

  1. Are IT and OT networks separated?
  2. Are vendor connections controlled?
  3. Are remote sessions logged?
  4. Are PLC networks isolated?
  5. Are firewall rules documented?
  6. Is every OT device inventoried?
  7. Can you identify every connected production asset?

Scoring

0-2 Yes Answers
Immediate improvement needed.

3-5 Yes Answers
Moderate maturity with visible gaps.

6-7 Yes Answers
Strong foundation with room for refinement.

What Elite Manufacturers Do Differently

Average manufacturers hold quarterly IT meetings.

Elite manufacturers leave with artifacts:

  • Risk register
  • Assigned owners
  • Due dates
  • Recovery test results
  • Vendor access review findings
  • Executive dashboards
  • Budget recommendations

One creates discussion.

The other creates accountability.

Next Week's Action

Ask your IT provider for three documents:

  1. The latest quarterly risk summary.
  2. The most recent recovery testing results.
  3. The latest vendor access review.

The answers will tell you more about your security posture than another hour-long meeting ever will.

Schedule Your 10 Minute Discovery Call

Schedule your 10 minute discovery call with 911 IT.

Bring your latest quarterly risk summary, recovery test results, and vendor access review. This helps you confirm whether these risks apply to your environment and identify the one gap that deserves attention first.