… and using RFP software to respond to security questionnaires brings on additional challenges for security teams.
We recently released The 2021 Customer Trust Benchmark Report and the report shows that for companies who use third party tools to help them respond to security questionnaires, there are 3 big challenges they still have:
- Reviewing answers is a painful, manual process
- Difficulty coordinating with various teams for answers
- Import/export functionality is clunky
The most common vendors in this space were Loopio, RFPio, and RFP360 - software designed to help sales people respond to RFP requests. Why are security teams using RFP software to respond to security questionnaires? Because, until now, there haven’t been solutions built specifically for responding to security reviews. RFP software has been a workaround, a square peg maneuvered and mangled into a round hole. They weren’t built with security in mind, and so now security teams are looking for a better answer.
A Senior Sales Engineer at one of our SaaS customers laid out the current state of security questionnaire response tools: “I’ve talked to many of my peers, and no one loves these RFP products. Everyone talks about how they are able to ‘make them work’ but the most glowing review I’ve heard is ‘they help us be a little more efficient’.”
The main difference between Conveyor & RFP software
While RFP tools claim to be good at both RFPs and security questionnaires, the reality is they are not. Conveyor doesn’t claim to be good at RFPs; it is purpose-built to respond to security questionnaires. While Conveyor and RFP solutions have some things in common, they are fundamentally different - down to the philosophy of how to handle security reviews.
While some basic functionality is similar, such as storing and maintaining a knowledge base, because Conveyor is purpose-built for security reviews there’s one big differentiator: who is answering the questions.
RFP tools want to make it easier for you to respond to questionnaires.
Conveyor wants to make it easier for your customers to get information on your security posture, so you don’t have to go through a security review for every sales opportunity.
Top 3 challenges and how Conveyor helps alleviate these pains
Let’s get into the 3 big challenges companies still have when using third party tools to help with security reviews and why most RFP software doesn’t alleviate these problems.
1. Reviewing answers is a painful, manual process
The painful manual process of reviewing answers for security reviews was cited as the top pain for respondents using RFP tools. AI answer matching isn’t precise and brings with it additional challenges such as the need to maintain a clean, updated knowledge base (or searchable answer bank). This becomes an unwieldy and difficult task as teams scale and your company grows and matures its security processes.
Here are a few ways Conveyor helps alleviate this pain:
- Easily keep your knowledge base up to date: If a knowledge base is your source of truth, Conveyor’s #1 goal is to help you keep answers updated so both customers and internal teams can self-serve with confidence. The platform allows you to assign curators to specific questions, so the subject matter expert is responsible for keeping it accurate. These curators are automatically notified through email to approve, re-approve, or update an answer so it never “expires” or seems outdated.
- Ability to “contest” answers that seem inaccurate: When internal teams are using the smart search knowledge base to find questions and the answer doesn’t look quite right, they can click to request verification from the curator (“owner”) of the question and the curator is automatically notified and emailed a link to the question that they can click to approve or modify.
- Scheduled, automated re-verification of questions: Set it and don’t forget it - your security and compliance team can set a reminder to be emailed when a question or set of questions should be updated - kind of like an annual health exam.
- Reduce questions from prospects by instilling confidence in provided answers: When you search for an answer to a question on Google, do you click on the article dated 2016 or the one dated 2021? Prospects or customers who self-serve your FAQ on Conveyor probably feel the same way when they see that a question was updated one month ago vs. a year ago. Even if the answer hasn’t changed, using automated re-verification of questions and answers can ensure that your Knowledge Base never seems neglected.
2. Difficulty coordinating with various teams for answers
No security review is managed in a vacuum. Security, legal, product, and sales are all subject matter experts who need to be “called in” to respond to certain questions. Conveyor is built to allow security teams to coordinate and own the integrity of the Knowledge Base, but leverage the internal subject matter experts to maintain their individual areas of expertise.
Here are a few ways Conveyor helps alleviate this pain:
- No limit to the number of internal users: Assign various individuals as curators of individual questions, as mentioned above. Ensure the answers are being kept up-to-date through scheduled notifications, as well as manual “quality checks” from internal users.
- Permissions are set by the security team: Curators can be assigned edit-only rights to their questions, so you don’t have to worry about someone from one department updating or changing information for a question outside of their purview.
- Grant customers access to commonly asked questions: Allowing prospects easy access to a FAQ section of most commonly asked questions and answers empowers users to self-serve their answers before involving your internal teams - saving everyone time.
- Give sales team first pass at the review: By making Knowledge Base available to the sales team, many Conveyor customers ask the sales team to take the first pass at the questionnaires, especially for smaller customers. This reduces the level of effort on the security team while still ensuring the right answers are given to the prospect.
3. Import/export functionality is clunky
In the survey, 38% of respondents who use a third party tool cited “import/export functionality is clunky” as a painful part of their security review process, making it the third-highest pain reported.
More often than not, no two security questionnaires look the same or are sent in the same format; in fact, companies today still use dozens of formats using different portals, emails, spreadsheets, Word documents, PDFs(?!), and more. Naturally, an RFP solution isn’t going to be perfect when importing and exporting into different formats, and the struggle to ensure proper formatting can take hours of your team’s time.
Here’s how Conveyor helps alleviate this pain:
Conveyor does not have import/export functionality for questionnaires, but by helping you avoid questionnaires through self-serve Knowledge Base and Rooms document sharing, our customers don’t typically cite this as a challenge.
In the event you do still need to respond to a security questionnaire, our Knowledge Base is built using natural language processing, unlike RFP solutions.
Many companies use the same RFP platform across multiple departments for all different types of RFP requests so those platforms become cluttered with results from other types of RFPs; finding the right answers is difficult.
Because our customers load only security-focused questions into Conveyor, the system becomes better at predicting the answers that the user is searching for. This results in more accurate answers and faster responses. So importing the questionnaire itself isn’t really necessary, so long as copy/paste is in your wheelhouse.
So, how is Conveyor different from start to finish?
Imagine your next deal is entering the sales pipeline; at some point they will ask to do a security review. This is pretty common: 80% of our survey respondents said that completing security questionnaires is either “critical” or “important” to closing sales deals, and many customers won’t move forward without them.
When the prospect does a security review, they are typically requesting 2 things, (1) access to security documents such as compliance certifications, penetration test results, and security diagrams and (2) completion of their security questionnaire.
Here’s what the security review process looks like when using a third party RFP software:
From start to finish, this process could take weeks:
- The prospect requests a security review
- Sales requests documentation through Salesforce.
- The request kicks off an email that notifies the legal team
- The legal team loads the info into DocuSign and sends it to sales
- Sales sends DocuSign link back to customer with NDA
- Customer signs NDA and sends to Sales who then sends to Legal
- A Jira ticket is opened to have the document watermarked
- The watermarked document is sent to Sales
- Sales sends the document to the prospect
- The prospect sends over a security questionnaire
- The questionnaire is uploaded to an RFP solution
- Sales team or part of security team takes a first pass at questionnaire
- Questions that need more information are sent to SME or security team for review
- Security team (or other team) completes the security questionnaire
- Someone must review the entire security questionnaire and sign off
- The questionnaire is exported out of the RFP tool
- Sales sends completed questionnaire to prospect
- The prospect reviews the documents and questionnaire and reaches out to Sales team with any additional questions
- Sales team coordinates with both security team and prospect for any follow up questions
Or you can use Conveyor to reduce the headaches and cut time spent on the process:
- The prospect requests security review
- Sales sends prospect link to Conveyor portal
- After clicking link, prospect is prompted to sign an NDA as part of an automated workflow before they can access info
- Prospect can access auto-watermarked documents in the Conveyor room, based on folder access set by security team
- Prospects can find answers to their questions via a searchable knowledge base
- Security team also uses knowledge base to complete any additional questions or custom questionnaires
Conveyor simplifies the process significantly and can cut time spent on reviews from weeks down to hours. Setting up a free room and sharing your first security document takes only minutes.
Security questionnaires aren't RFPs - so why are you still using an RFP solution to manage them?
You can spend hours every day answering security questions, or you can get that time back so you can actually do what you want to do: secure the business. Conveyor exists to get security teams back to the job of securing.
If you’re struggling with manually reviewing security information, collaborating with colleagues, and file/format compatibility issues, it’s time to consider an entirely different approach.
Let your sales team use RFP tools for RFPs, and you can use a security platform to transform how you build trust with customers from the start.
Check out how Conveyor works by signing up for free here.