What do I have to lose?
A data breach, ransomware, or any other type of malicious hack into your systems is very serious. 60% of businesses that suffer a cyber attack are out of business within six months*. So we're talking about your business. Your livelihood. Your reputation.
What if we already have IT handling that?
If by "handling that" you mean IT maintenance and help desk support, great. But if you mean managing your cyber risk and exposures and your legal responsibilities to your clients and government and state agencies, not good. You'd never let your accountant audit their own financials, but you're okay letting IT tell you everything is okay?
Are you trying to replace our IT?
No way. We want to work with your IT department or partner. We should work together to make your systems as secure and efficient as they should be. Not having outside eyes on your cyber risk and exposure is a very bad idea (see above).
What should I do first?
Your first step should be to have a conversation with your IT department or contractor and say that you are subscribing to a "separation of concerns" for IT and cyber security. You should tell them that because of what you have to lose (see "What do I have to lose?" above), you need to implement some checks and balances and that you are going to have a third party perform audits and assessments from time to time - we recommend at least once per quarter.