Want to outsource your IT security? 43 questions to ask

When it comes to outsourcing IT security, there is no one size fits all.

In the last blog post, Is outsourcing your IT security right for your organization, we looked at why some companies choose to outsource their IT security requirements.

Here, we are going to find out how you identify a good IT security firm.

IT security is specific to every organization. It depends on what assets you are trying to protect, how your network infrastructure is configured, how users access the information, and what security services and polices are currently implemented, to list just a few.

For those of us not-at-ease with IT security, this statement can dishearten.

It’s a bit like taking your car to a new garage for repairs when you are completely unfamiliar with how cars operate. It makes sense that anyone lacking the knowledge to question the mechanic’s sharp intake of breath – code for ‘this job will be pricey’ – will feel stress levels climb skyward.

It’s normal for us to seek out value for money, but it can be difficult to establish value if we’re not armed with the right questions. In terms of IT security, how does one outsource cybersecurity elements without incurring additional risks or costs to the organization?

We have pulled together a list of questions to ask an IT security expert before you engage them to help manage your cybersecurity requirements.

We have focused on three main areas: reputation, expertise, and service.


The reputation held by a specific IT security consultancy can be a great indication of the quality of work and the breadth of expertise and services provided.

Not only is it important to digest content created by the potential IT security outsourcing candidate, such as the website and blog articles, it is also a good idea to find third-party views on the firm.

Here is our shortlist of questions that will establish whether the reputation of a specific IT security organization is up to scratch:

  • When was your organization founded?
  • Who is the CEO/managing director and what is his/her background?
  • Is the CEO a founder of the organization? If no, who is?
  • What is your company’s financial health?
  • What do you offer that your competitors don’t?
  • How would you fare if we conducted a background check on your organization?
  • How do you envisage your company changing in the next three years?
  • Are you independent or tied with specific vendors? If yes, which ones?
  • How many people are currently staff? How many contractors?
  • How many clients do you currently provide IT security services for?
  • Do you outsource any services you provide to third-party companies? If yes, to whom?
  • Have you won any awards or commendations in the last three years?
  • Do you support any charities, or have a corporate social responsibility policy in place?
  • Have you ever worked with an organization like ours?
  • May we speak to one of your existing clients?
  • Have you any case studies?


Much like a Venn diagram, expertise and reputation do overlap when it comes to outsourcing your cybersecurity needs. Understanding what expertise resides in house and how you will access it ought to be key to your decision.

Your IT security partner needs to have strategic advisors to provide IT security recommendations (and demonstrate the added value of this approach). They also need tacticians to implement and manage the services, not to mention alert you if something is awry.

Here are our recommended questions to identify expertise levels:

  • What are your top three services in terms of number of clients?
  • Can you describe the areas of IT security you specialize in?
  • What IT security credentials have been earned by staff?
  • What specialist security skills do you have on staff?
  • Will we be assigned an IT security expert?
  • Have you ever taken down a customer’s network accidentally?
  • Do you perform penetration tests and how are they managed?
  • Do you provide IT security training?
  • Do you provide ISO 2700 guidance and expertise?
  • Describe how you will monitor network activities?
  • Have you experience in red teaming a network?
  • Can you walk us through a sample incidence response plan that you’ve created?
  • Can you demonstrate that you are up to date with the IT security regulations in our industry?
  • What don’t you know?
  • Can you describe an emergency situation where you were called by a client to sort an IT security problem?


Often overlooked but vital to a strong, collaborative relationship is how a potential IT security candidate provides its service to you. We all want to avoid the situation where you are dazzled at the proposal stage, only to be disappointed after you’ve signed the agreement.

Consider asking these questions to get a clear understanding of how your companies will work together before you commit to an ongoing relationship with a firm specialising in cybersecurity:

  • Who will manage the account? What is his/her background?
  • Who will be performing the day-to-day activities?
  • How will you communicate with us?
  • Can you describe daily, weekly, monthly and quarterly activities/interactions?
  • How are your services priced?
  • What will you need from us so we can get the best return on investment?
  • How do you measure your successes and failures?
  • What are your guarantees?
  • What will each of our companies be accountable for?
  • What are your contractual obligations for this service?
  • How much lead time do you need to engage?
  • What will you need from us to give us the best return on investment?

Getting answers to these questions will put you in a much better position to make a judgement on whether you should outsource your cybersecurity requirements to an IT security expert.

Ultimately, you need to find a IT security partner whom you trust, whose services and expertise match your needs, and whom you like.

After all, this is a company that will be helping you secure the integrity and confidentiality of your systems – a vital organ in your business. It’s simple really, a firm that demonstrates flexibility, dedication and quick response times will be much easier to like than one which can’t tick these boxes.

About TBG Security Inc.

TBG Security is a leading provider of information security and risk management solutions for Fortune 100 and Fortune 500 companies. TBG designs and delivers cyber security solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management, penetration testingsecurity policy development, security strategies for compliance, business continuitynetwork security, managed servicessoftware and service integration and incident response.

For more information on how TBG Security can help your organization with your information security initiatives please visit https://tbgsecurity.com.

Previous ArticleIs outsourcing your IT security right for your organization? Next ArticleRansomware: expert prevention and mitigation advice