If you’re in a sales or security role at a B2B company, chances are you have touched the process of responding to a customer security questionnaire. The majority of deals today require some sort of security review or due diligence. Sometimes it is as simple as showing a copy of your SOC 2 report. Other times, there are further requirements like pen test reports, or sharing your subprocessor list. And more and more, some security departments are getting requests to fill out custom questionnaires that can be hundreds of questions, and take several hours (and multiple departments) to respond and complete.
So before we go into some best practices for responding to security questionnaires (also called Third-Party Assessment Questionnaire, Vendor Cybersecurity Assessment, or even a more generic title like IT Security Questionnaire), it’s worth taking a look at why these have become such a critical part of the sales process and why most deals won’t close without some form of security review.
Why do my customers need to do a security review?
The frequency and intensity of cyber attacks over the past decade have increased significantly. Some research indicates as many as 80% of companies have experienced a data security breach that originated from vulnerabilities with third party vendors. As companies rely more and more on third party vendors and SaaS tools to help them achieve their business goals, the need for vetting those companies’ security postures becomes a standard part of the vendor evaluation process. If you’re selling into midmarket or Enterprise companies you’ll see this more and more. The more companies grow and acquire customers, the more compliance requirements they may have (ISO 27001 and PCI, for instance, carry distinct requirements for vendor due diligence). In general, the more a customer is trusting you with sensitive data, the more likely they are to require a security review.
Although security reviews are increasing in both frequency and importance, they are not always the most pleasant experience. Asking these 4 questions as you go through the security review process could help you get ahead of the conversation and save your team valuable time.
1. What existing documentation can I share?
If you’ve gone through a compliance certification or audit (SOC 2, ISO 27001, HIPAA, etc) it’s likely because it was requested by customers or your industry requires it. These compliance certifications take a lot of time and resources to achieve. Often, other questions in the customer security questionnaire will actually be covered in the audit report itself, so sharing these documents up front can cut down on the number of questions you receive later. Some of the most common certifications that we see requested during vendor security reviews are SOC 2, ISO 27001, HITRUST, FedRAMP, and privacy attestations for regulations such as GDPR and CCPA..
Because these certifications are usually updated every year, you want to ensure your customer does not receive an outdated copy. Businesses can change a lot year over year (especially as new products and processes are rolled out), and so regulators want to ensure that an annual check in or surveillance audit will be part of your ongoing compliance maintenance. Members of the team (for instance, the sales teams who are the first line of defense in the customer security review) often save local copies of the SOC 2 or other compliance cert to their desktops, which can result in outdated / incorrect information being shared with prospects. Make sure you’re leveraging a content library that is managed by the security team and frequently updates documents as changes or new versions come up.
In addition to compliance certificates, penetration tests, information security policy summaries, and data handling policies are commonly requested. Be sure to include those in any trust packet you share with your customers and potential customers during the due diligence process. If you want to really go above and beyond, check out this infographic with additional materials you can share to build trust with your customers.
2. Have I answered this question before?
If you’re selling into Mid-market or Enterprise companies, it’s likely this is not your first questionnaire. Questions about your ISMS, your incident response program, and your vendor management policies are very common across most industries. Think about whether you have responded to others in a similar industry, and what questions you were asked during the security review. Consider keeping an up to date answer bank (sometimes called a knowledge base) that is easily accessible to all members of the security team who are involved in answering customer security questionnaires. Regularly review the information in your security question bank to make sure it’s up to date — few things are worse than sharing out-of-date security information with current or potential customers.
3. Is this question relevant to the relationship?
Security reviews happen because your customer wants to know about the risk to them when doing business with you. It's important to think about the context of the business relationship when reviewing & responding to the security questionnaire. Will you be hosting valuable data? What about access to their customer data, or financials? Are you processing their data in the US vs in the EU/UK (in which case you will be subject to GDPR?)
Often, customers have fairly standard questionnaires that they send out. But not all of the questions will be relevant to your business relationship. Consider the questions in the context of that relationship, and if you say no to a certain question, give context for why you are saying no.
4. Should I say no?
Although it seems counterintuitive to say no (especially when your sales team may be putting the pressure on, or because you were brought up with the mentality of the customer always being right), sometimes responding to a customer questionnaire can be a situation where the value of the resources spent will not match the value of the reward being gained.
The average company spends xxx hours to complete a security questionnaire. If the contract value is ten thousand dollars, consider whether it's worthwhile for your security analyst to spend ten hours completing that review. Also consider that most security professionals did not enter into their field to answer security questionnaires, so keeping monotony low and retention high is a pleasant byproduct of simplifying the security review process.
It’s hard to say no to customers, but consider setting a minimum threshold for which point at which you will say no to the custom questionnaire and will require that compliance certifications like a SOC 2 will be the extent of the exchange of information.
Hopefully these 4 tips are helpful for you whether you’re completing your first or your fiftieth customer security review. If you have any questions about how Conveyor helps high growth companies reduce the burden of security reviews, feel free to get in touch with us.