When answering a customer security questionnaire (vendor risk assessment, or IT due diligence assessment), there’s an art to providing just enough information in an answer to satisfy the customer’s vendor risk team, balanced with a “sales-ready” response (one that will help move the deal along smoothly without much follow-up).

Intentionally being too vague can mean follow-up emails and calls from the customer’s security team, and giving far too much information can also lead to additional follow-up.

Keeping an infosec, legal, and sales “approved” answer in your knowledge base is key to automating answering questionnaires and providing consistent and transparent answers across different customers.

In this blog post, we're going to dive into five tricky topics that may come up in a customer security questionnaire. Topics that might have you asking yourself (and other teams), “What’s the best way to answer this?”

Whether you're a seasoned pro or a newbie to security questionnaire answering, it's good to be prepared for these five questions.

We'll discuss:

  • Handling sensitive risk information
  • Ensuring HR data privacy
  • Managing financial matters
  • Addressing environmental and social responsibilities
  • Questions that require evidence

Our goal is to simplify the complexity and provide you with practical tips to confidently navigate these challenging questions.

Topic #1: Sensitive Risk Information

Question(s) you might get asked:

  • What are the top risks your company faces?
  • What are the highest rated unpatched vulnerabilities from internal vulnerability scanning?

Why do they ask?

  • Risk registers filled with “Hacker steals data” and unpatched legacy systems run rampant. This is one way for a vendor risk manager to try to cut to the chase and ask you what the top risks are.

Ways to answer:

  • All businesses face risks and have opportunities to improve. It’s important to demonstrate that you are able to identify and respond to threats and vulnerabilities.
  • A penetration test summary or executive summary of a recent vulnerability scan can be a great way to build trust in this domain.
  • Ultimately, the contents of a risk register or unredacted vulnerability scan getting into the wrong hands could have significant impact, so outlining that specific risk as a reason why you don’t share these types of artifacts externally is perfectly reasonable.

🔥 Pro tip:

  • Define a list of documentation you are willing to share and reach consensus between sales and security on the level of detail that can be shared.

Topic #2: Restricted HR Information

Question(s) you might get asked:

  • Please provide the full name of all employees who will have access to our data.
  • Have any employees had negative results on background checks?
  • Are you willing to share copies of employee background checks with us?
  • Have you ever done anything bad?

Why do they ask?

  • Because they are scared of you having access to their data.

Ways to answer:

  • RESTRICTED

🔥 Pro tip:

  • Sharing sensitive HR data to satisfy a security question is cutting off the nose to spite the face.

Topic #3: Confidential Company Financials

Question(s) you might get asked:

  • What is your current revenue?
  • How many years of operating cash do you have?
  • Who is your top customer by dollar value?
  • What % of revenue comes from your top 5 customers?

Why do they ask?

  • Business continuity risk at its finest! If you run out of money, the customer is likely to lose support for, or access to, a system they rely on. Some just cut to the chase and ask how they get access to the source code if you go bankrupt.

Ways to answer:

  • If you are getting this question and are unsure of the best way to answer, chances are you are a private company. Public companies can easily point to external approved sources of financial information. For a private company, the answer to questions about financials may be just that: “We are a private company and do not disclose financial information.” Letters of good standing or other summary financial information are also commonly shared.

🔥 Pro tip:

  • If your organization has recently raised funding, been awarded industry recognition, or has other notable public relations information, point to those as an indication of how your business is thriving.

Topic #4: Environmental, Social, and Governance (ESG) Related Topics

Question(s) you might get asked:

  • Do you have an ESG program?
  • Do you use green energy?
  • What are your current carbon emissions?
  • What are you doing to protect the Ivory-billed Woodpecker?

Why do they ask?

  • Globally relevant topic with national and regional motivations.

Ways to answer:

  • The truth will set you free.

🔥 Pro tip:

  • Most software companies are not running their own data center, so many of these topics could be pointed back to the program(s) your hosting provider has in place. There may also be options to track and report on this natively within certain hosting platforms. This topic will come up, so it’s important to have some information readily available so that questionnaires can be answered efficiently - even if the answer is “Not presently”.

Topic #5: Primary Source Evidence

Question(s) you might get asked:

  • Provide screenshots of current operating system versions.
  • Provide screenshots of the password policy in AWS.
  • Please provide screenshots of your logging system.

Why do they ask?

  • For better or for worse (for worse!) there are some audit reports that are not worth a damn.
  • Certain control frameworks allow flexible implementation of controls.
  • Many security questionnaires just get filled with “Yes” answers with no description, comments, or supporting evidence.
  • The auditor’s favorite technique: trust but verify.

Ways to answer:

  • How you answer these types of questions typically varies based on the strategic importance of the customer as well as what contractual arrangements are in place. Whenever possible, point to already published sources of independent assurance.

🔥 Pro tip:

  • Audit rights can be included in a Data Processing Agreement and other types of subscription agreements. Define what you are willing to have as your standard, and then allow for exceptions as needed and appropriate. (THIS IS NOT LEGAL ADVICE)

Conclusion

From handling sensitive risk information to addressing environmental and social responsibilities, these questions can be tricky to navigate on customer security questionnaires. Whether you're a seasoned pro or new to security questionnaire responses, preparation is key.

The importance of maintaining a knowledge base with approved answers, finding a balance between transparency and confidentiality, and understanding the nuances of each question ahead of time will help you craft the best sales-ready and infosec and legal approved response to help accurately convey your security posture.

Want AI to take a first pass at those tricky topics? Just upload a few documents and a pared-down knowledge base and put ConveyorAI to work! Learn more about security questionnaire automation and try a free proof of concept at any time.