One of the most charged topics in the cybersecurity world is having to complete questionnaires as part of the security assessment process. A now-ubiquitous part of the third party risk assessment, leaders across security, GRC, privacy, legal, and go-to-market agree that security questionnaires seem to be a necessary evil — emphasis on the “evil.” 

While the objective of a questionnaire, to facilitate a security assessment, is a noble one, in practice questionnaires can be productivity-killers for all parties involved. This reality has led a growing number of organizations to make lasting shifts in their security risk management processes, specifically aimed at reducing the time and resources spent responding to questionnaires in security assessments. Here, we explore the value of these shifts and the changes you can make now to save your team time and resources in the future.

The role of questionnaires in security assessments

In the third party risk assessment process, security questionnaires are used by buyers to understand the level of risk a vendor poses via a series of dozens to hundreds of questions. Responses to these questions dictate whether the vendor is deemed “acceptable” by the buying company’s security team, and guide that team on how to monitor those risks and mitigate their impact in the future.

Questions in a security assessment questionnaire typically relate to, but are not limited to:

  • Cybersecurity documentation and compliance certifications, like SOC 2 reports and ISO 27001, among others
  • Data, product, and app security, including backups, data erasure policies, integrations, credential management, and more
  • Legal policies, including cyber insurance and data processing agreements
  • Access control, like data access and password security
  • Infrastructure, such as status monitoring and disaster recovery plans
  • Endpoint and network security, including disk encryption and firewalls, among others
  • Corporate security and policies, including staff training, code of conduct policies, and more

The security assessment process for sellers

For sellers, the route to providing the required responses to questionnaires looks different for each buyer. The resources and effort involved depend on the buyer’s preferred questionnaire content, length, format, technology, and working style.

Multiple teams involved in security assessments

In the typical buying process, the buyer is working directly with a salesperson, who facilitates the buyer’s experience with the company, including the gathering and presentation of relevant information. This salesperson has a game plan – and significant motivation – to get the deal done as quickly as possible.

As such, the salesperson is responsible for the completion of the security assessment, although they may not be the one ultimately answering the questions.

In most cases, he or she will send the questionnaire to the security team for completion – often paired with a short timeline and little to no visibility into the questionnaire’s progress. Other teams may be tagged in, depending on the questionnaire’s content, including GRC, privacy, and legal teams.

Once the subject matter experts have completed their designated responses, the questionnaire is routed back to the salesperson to finalize the document and pass it back to the buyer.

Security assessment answers are sourced from various repositories

Regardless of who does the answering, the responses to the buyer’s questions will likely come from a host of sources, owned by various teams that impact security risk management. These include security white papers, policy documentation, third party reports and certifications, and previously-answered questionnaires, among others. The various sources reflect a variety of formats, content types, repositories, and content owners, all contributing to the questionnaire’s completion.

A variety of security assessment formats and bespoke buyer needs

While the most common format for a security assessment questionnaire is an Excel- or Word-style document, the selling team may be asked to complete the questionnaire within the buyer’s preferred third party risk management portal. 

With dozens of possible formats and security risk management platforms available, the questionnaire answering process may look very different from buyer to buyer, requiring selling teams to continuously adapt. 

The problem with questionnaires in security assessments

While the outcome of this exercise is critical for building trust between two organizations, the security review process itself has a number of drawbacks that make questionnaires a suboptimal experience for both the buyer and the seller. 

Challenges for the buyer

Time-consuming

The primary drawback of the questionnaire as part of the security assessment is its time-consuming nature. Buying teams spend an inordinate amount of time developing, sending, following up on, answering seller questions about, and reviewing responses to their questionnaires. They also spend a fair amount of time (typically a week or more) waiting for responses to their questionnaires, during which deal momentum may be lost and attention shifted elsewhere.  

Cumbersome touch points

The typical security assessment process incorporates multiple teams on the selling side, including security, GRC, privacy, risk, and/or legal representatives, in addition to the salesperson. Each new touchpoint comes with its own working style, communication methods, SLAs, and understanding of the importance of the security assessment, adding a layer of complexity and weight to the buying process.

Opportunities for miscommunication

With several touch points and the handling of highly technical and nuanced information, the possibility of miscommunication is high. Various parties may interpret questions differently and accountability may be dropped, resulting in confusion for the buyer.

Challenges for the seller

Acting reactively 

With the typical security questionnaire, selling teams often find themselves on the back foot, waiting to share information about their security posture until they’re explicitly asked for it. Operating reactively diminishes the ability for sales and security to implement long-term plans, to predict and parse needed resources, and to take full control of the messages they send to buyers and customers.

High resource needs

This exercise, while often highly repetitive, requires significant resources on the part of the selling team. Salespeople must facilitate the process, checking in on and communicating with each stakeholder on a regular basis. Meanwhile, security, GRC, privacy, risk, and legal teams must shift attention from strategic initiatives in order to spend time interpreting questions, sourcing or generating responses, and communicating with the salespeople managing the process.

Opportunities for inconsistent and/or inaccurate responses

As with any process involving many stakeholders and complex information, responding to questionnaires is ripe for inconsistencies and inaccuracies. Responders may misinterpret the meaning of a question, fail to find a meaningful response, or miss answers altogether as they make their way through potentially hundreds of questions.

In cases where sales team members provide answers on their own for the sake of efficiency, they may misunderstand the meaning of particular questions, or their responses may fail to accurately represent the company’s security posture to the buyer.

All of these challenges come together to send a less-than-optimal message about the company’s security posture to the buyer. At best, this cumbersome security assessment process fails to differentiate the company from its competitors. At worst, this process casts doubt on the company’s ability to take care of its customers.

How to reduce questionnaires in security assessments

A world without questionnaires in security assessments can exist. In this world, security teams spend less time regurgitating repetitive answers and more time on strategic initiatives, including building budgets and programs and fortifying the company’s security posture. Security leaders can focus their efforts on consulting with internal cross-functional partners, helping strengthen their defenses and reinforcing their commitment to customer trust.

Reducing the number of questionnaires in your buyers’ security assessments requires focus and investment in several key areas.

Aggregate all necessary information

Start by gaining an understanding of the most commonly-requested information across your buyers’ security risk management efforts. Pull all necessary documentation and content – including documented responses to previous questionnaires – into one central location. Include information from all teams, including privacy and legal. This simple step will improve your company’s ability to engage buyers with transparency.

Engage in proactive communications

Rather than wait for buyers to send you a questionnaire, get in the habit of passing along information pertinent to your security posture early in the sales process. Anticipating buyer needs and proactively sharing security information will send a strong message about your company’s commitment to security. 

Allow buyers to self-serve the information they need

Hand-in-hand with transparency and proactivity is investing in tools and technology that allow buyers to find and review the information they need on their own time. This dramatically reduces the time both sides spend in the security assessment process and gives both sides a feeling of control. For a seamless experience, many organizations use a Trust Center, which facilitates self-serve security assessments while giving the selling organization visibility and control over what is shared.

Curious about how a Trust Center can help reduce questionnaires at your company? Learn more at our comprehensive resource here: What is a Trust Center?

Empower sellers to champion the company’s security posture

Provide the sales team with all the resources, content, and directives they need to speak confidently to your company’s security posture. Create standardized touchpoints for providing security information (e.g., offering a particular document or link at a certain buying stage), so sellers feel less overwhelmed – and tell a more consistent, accurate story about security. 

Automate repetitive security assessment steps

Most of the steps leading up to, and included in, a questionnaire occur in every security assessment. By automating these steps, like NDA signing, you’ll reduce the manual effort involved for salespeople, security teams, and buyers alike, while smoothing the path to buyers getting the information they need.

Understand impact and regularly improve the process

One of the biggest challenges with questionnaires is that understanding how they went, and making improvements, is largely a manual exercise. By developing mechanisms to gain insight into how many questionnaires are received, what buyers are typically interested in exploring, and the impact security questionnaires have on sales deals, your team can take the right steps to reduce the need to respond to security questionnaires.

A world without security questionnaires is possible

Questionnaires play a valuable role in the security assessment process, but they are not a requirement. Today’s top organizations are finding better ways to provide buyers with the security information they need without responding to an onslaught of questionnaires. By investing in the right habits, workflows, and technology, your organization can dramatically reduce the time spent on questionnaires, while also improving the buyer security risk management experience. 

SafeBase is the scalable Trust Center that automates the security review process between buyers and sellers. With a SafeBase Trust Center, companies can seamlessly share sensitive security documentation with buyers and customers, including streamlining the NDA signing process by integrating with your CRM and your data warehouse. 

If you’re ready to take back the time your team spends on security questionnaires, create a better buying experience, and position security as the revenue-driver it is, get in touch with us.