Incident Response Plan: The One Question That Tells You If Your IT Firm Is Ready
Before you sign a contract with any IT firm, ask them one question: “Walk me through what happens the night one of your clients gets hit with ransomware.” The answer – or the absence of a real one – will tell you more about that firm than any sales deck, reference list, or glossy proposal ever could. A credible incident response plan is not a document that lives in a drawer. It is a practiced, lived set of decisions that every senior person on the team can explain without hesitating. If they cannot explain their incident response plan, you are about to hand your business to someone who has not thought through the worst night of your professional life.
- Why This Question Cuts Through Everything Else
- What a Real Incident Response Plan Actually Looks Like
- Escalation Paths: Who Gets Called and When
- Communication Protocols: What You Hear and How Fast
- Red Flags That Separate a Real Incident Response Plan from a Sales Talking Point
- How to Evaluate What You Hear
- What Good Looks Like in Practice
- Making Your Decision
Why This Question Cuts Through Everything Else
Most vendor evaluations focus on the wrong things. You compare ticket response times, scan client counts, and ask about certifications. Those details matter at the margins. What actually determines whether your business survives a serious attack is the quality of the thinking and preparation your IT firm brought to the table before anything went wrong.
Ransomware does not arrive during business hours. It surfaces at 11 PM on a Thursday before a holiday weekend. The people working your incident that night are not in the room with you during the sales process. That is exactly why you need to pressure-test the incident response plan before you are in the middle of a crisis – not after.
The ransomware question is a forcing function. It requires the person across the table to stop reciting features and start describing actual operational behavior. Sales talking points collapse immediately under that kind of specificity. Real preparation does not.
What a Real Incident Response Plan Actually Looks Like
A legitimate incident response plan covers five phases, and a competent IT firm should be able to walk you through all of them in plain language. The NIST Cybersecurity Framework organizes its core functions as Identify, Protect, Detect, Respond, and Recover. What you are listening for is whether your vendor has translated that framework into specific, human decisions – not just whether they can cite the framework by name.
The five phases of a solid incident response plan, in plain language:
- Detection: How does the firm know an attack is underway? What monitoring is in place, and who gets the alert first?
- Containment: What are the first actions taken to stop the spread? Can systems be isolated remotely and immediately?
- Eradication: How is the threat removed? What is the process for confirming the environment is clean before anything is restored?
- Recovery: How are systems brought back up? What is the sequence, and how long does it actually take?
- Post-incident review: What changes after the event to close the gap that was exploited?
A firm that can describe all five phases concretely – with real timelines and named roles – has an incident response plan. A firm that describes two of them and pivots to marketing language has a brochure.
Escalation Paths: Who Gets Called and When
Escalation is one of the most telling details in any incident response conversation. Ask directly: “If the on-call technician hits something they cannot handle alone at 2 AM, who do they call? What is that person’s role? How quickly does a senior person get involved?”
What you are looking for is a named, human chain – not a vague reference to “our team.” Smaller IT firms often have one or two senior people, and those people need to be reachable. Larger firms may have dedicated overnight coverage. Either model can work, but you need to understand which one you are buying.
You should also ask about third-party relationships. Serious incidents often require outside expertise – forensic investigators, cyber insurance contacts, legal counsel who specializes in breach notification. Does the firm have those relationships already in place, or will they be making calls to people they have never worked with before while your business is on fire?
The CISA guidance on cyber incident response is clear that pre-established relationships with response partners are a mark of organizational readiness – not a luxury reserved for enterprise companies. Your IT firm should already know who they call when things exceed internal capacity.
Communication Protocols: What You Hear and How Fast
One of the most underappreciated failure points in any incident is communication – specifically, the communication between the IT firm and you. In a real event, you need to know what happened, what is being done, and what decisions require your input. You should not be chasing your IT firm for updates while your systems are down.
Ask the firm: “How do you communicate with us during an active incident? How often, through what channel, and who on your side is responsible for keeping us informed?”
Strong firms have a designated client communication contact who is separate from the technical team actively working the incident. If the same person is both fighting the fire and briefing you, one of those jobs is not getting done well.
Also ask about the communication channel itself. If your email is compromised – which it may well be in a ransomware event – how does the firm reach you? A prepared firm has a backup communication method agreed upon before any incident occurs. An unprepared firm has not thought about this at all.
Red Flags That Separate a Real Incident Response Plan from a Sales Talking Point
Here is what to listen for when the conversation is not going well:
- Vague reassurance without specifics: “We handle incidents all the time” or “we have tools for that” are non-answers. Push for the actual sequence of events.
- Technology-first answers: If the entire answer is about software rather than human decisions and escalation paths, they are describing products, not a plan.
- No mention of your role: You have obligations during an incident too – to your employees, to regulators if you operate under HIPAA or similar requirements, and potentially to your customers. A firm that does not mention your role is not thinking about the full picture.
- No reference to testing: A plan that has never been tested is a theory. Ask when they last ran a tabletop exercise or simulated a failure scenario. Silence tells you something.
- Hesitation or deflection: A senior person at a prepared firm should answer the ransomware question without looking anything up. If they need to “circle back” on basic operational questions, their team has not internalized the plan.
- Overconfidence about outcomes: No legitimate firm can promise a specific recovery time without knowing your environment. Exact recovery windows promised during a sales call are a warning sign, not a selling point.
How to Evaluate What You Hear
You do not need a technical background to evaluate the quality of an incident response plan explanation. Listen for three things: specificity, ownership, and honesty about limitations.
Specificity means named roles, actual timelines, and real decision trees – not general statements about capabilities. “Our team monitors 24/7” is a feature claim. “When our monitoring flags an anomaly at 2 AM, it pages the on-call engineer, who has a 15-minute response target – and if they cannot contain it within the first 30 minutes, they escalate to our senior infrastructure lead” is a plan.
Ownership means the firm drives the response, not just executes tasks when told. You want a firm that leads – one that is already calling your cyber insurance carrier and legal counsel before you think to ask.
Honesty about limitations is a green flag, not a weakness. A firm that says “we handle containment well, but for full forensic investigation we bring in a specialist we have worked with for years” is being truthful about where their expertise ends. A firm that claims to handle every possible scenario entirely in-house is either very large or overselling.
What Good Looks Like in Practice
At Xact IT Solutions, our cybersecurity practice is built around a simple premise: a quiet environment is the goal, and quiet requires a serious, tested incident response plan. We have maintained a zero client breach record across every client we have served since 2004. That is not a marketing claim. It is a provable operational outcome of how we build and monitor client environments.
When asked the ransomware question, we can walk through our escalation chain, our client communication protocol, our containment sequence, and our recovery hierarchy without pausing. We have rehearsed these scenarios until the decisions are instinctive – not because they are written in a document, but because we have practiced them.
We are also audited annually against CIS Critical Security Controls by Versprite, a CREST-accredited assessor – the basis for our GTIA Cybersecurity Trustmark. That external accountability means our preparation is not just internal opinion. Someone outside our organization has verified that our controls are real. Learn more about our managed IT services and how we build environments designed to resist attack from the start.
We are not a firm that shows up after the fire starts. We build the kind of environment where fires do not start. The goal is no drama, no breaches, no board-level surprises – and we have the 20-year track record to back it.
Making Your Decision
Vendor selection is a decision you will live with for years. Most IT relationships last far longer than most business leaders expect – which means the firm you choose today will be the firm at your side during the worst possible scenario at some future date you cannot predict.
The incident response plan question is not a trick. It is a genuine test of operational maturity. A firm that has done the work will answer it clearly, specifically, and without defensiveness. A firm that has not done the work will stumble through a vague answer or redirect to safer ground.
Ask the question early – before the proposal, before the pricing conversation, before either side has invested time. The answer should be the filter through which everything else gets evaluated. If they cannot explain their incident response plan confidently and in detail, every other capability they claim becomes a question mark.
The IT firm worth hiring is the one that has already thought through the worst night of your business life – and can tell you exactly what they will do when it arrives.
Want to hear how we answer the ransomware question? Book a Free Cybersecurity Strategy Call – 20 minutes, no pressure, no obligation. Ask us anything.