The Solution to Overwhelming Customer Security Questionnaires
By Angela Polania
It has become apparent to me that our clients and prospects are receiving more and more security questionnaires from their customers and sales prospects.
These questionnaires range from 100 to 300 questions, and I find many of our clients feeling overwhelmed by the amount of time it takes to answer them and by the variety of questions across the different formats and types of questionnaires. How can this all be streamlined?
What all of these questionnaires have in common is that they ask for the same things; some simply go into more detail in certain sections. Most of them are based on either ISO 27001 and/or the Shared Assessments SIG (a self-invented group that even offers a certification on how to complete these). My recommendation is to have a Vendor Questionnaire Tool Kit ready that will probably answer 60-70% of the questions, with the remainder answered individually based on the specific questions asked.
So what can help you with that 60-70% coverage?
If you develop your own product, ensure you have documented your Secure Software Development Methodology (S-SDLC).
Ensure you have performed a recent vulnerability assessment of your external network, internal network, and web applications.
Ensure you have a documented Disaster Recovery Plan and a Business Continuity Plan.
Ensure you have an Information Security Incident Response Plan that is documented, approved, and, ideally, tested.
Have a written explanation of what you do for your clients and what types of data you store, process, and/or transmit on their behalf.
Ensure you have the narrative ready on how you protect data at rest and in transit.
Provide security awareness training for your employees. Inexpensive services such as KnowBe4 or the like are available for this.
I have also discussed with clients who the best person is to answer these questionnaires when you don't have a formal Information Security function. It obviously has to be someone who understands the product and your overall environment very well, and who can speak with your prospects and clients. I have seen the role given to a pre-sales analyst and/or pre-sales engineer, escalating to engineering only when the answers to the questions are not known. Keeping it within the sales function shortens the response timeline with your prospects. Every organization is different, but the volume of requests will continue to grow if you sell products/services online and/or have large companies or regulated industries (e.g. financial services, healthcare) as your clients.