Security questionnaires are not RFPs and using RFP software to respond to security questionnaires brings on additional challenges for security teams.

A few years ago, we conducted a survey of infosec professionals who had to complete security reviews and security questionnaires. The 2021 Customer Trust Benchmark Report showed that for companies who use third party tools to help them respond to security questionnaires, there are 3 big challenges they still have and from what we hear from our customers and prospects, the same challenges still exist today.

  1. Reviewing answers is a painful, manual process
  2. Difficulty coordinating with various teams for answers
  3. Import/export functionality is clunky

When it comes to tools to respond to questionnaires, many teams still use Request for Proposal (RFP) software such as Loopio, Responsive.io, and RFP360 - software designed to help sales and proposal teams respond to RFP requests. Why are security teams using RFP software to respond to security questionnaires? Because, until now, there haven’t been solutions built specifically for responding to security reviews. RFP software has been a workaround, a square peg maneuvered and mangled into a round hole. They weren’t built with security in mind, and so now security teams are looking for a better answer.

A Senior Sales Engineer at one our SaaS customers laid out the current state of security questionnaire response tools: “I’ve talked to many of my peers, and no one loves these RFP products. Everyone talks about how they are able to ‘make them work’ but the most glowing review I’ve heard is ‘they help us be a little more efficient’.”

The main differences between Conveyor & RFP software

While RFP tools claim to be good at both RFPs and security questionnaires, the reality is they are not. Conveyor was purpose-built to respond to security questionnaires and automate security reviews. While Conveyor and RFP solutions have some things in common such as generating responses to questionnaires, they are fundamentally different - down to the philosophy of how to handle security reviews.

Difference #1: RFP solutions were purpose built for responding to RFPs with no possibility of deflecting questionnaires

With RFP software, customers have no way of accessing security documents typically required for a security review that go along with the security questionnaire and teams have to manually send any files related to the request. Conveyor, on the other hand, helps companies deflect questionnaires through easily sharing your security posture and security documents using a trust center.

The reality is that organizations, as they grow, will continue to receive security questionnaires no matter how much they proactively share ahead of time so Conveyor offers a solution for both sharing documents and answering questionnaires-- powered by generative AI. Generative AI means better answers to any question asked with less maintenance of the underlying sources as AI gets smarter with every question answered. Conveyor is a seamless platform to ingest all of your company's security information and get customers what they need however they'd like to be served.

Difference #2: The technology behind answer generation and knowledge base maintenance

Customers using RFP tools have reported having to manage more than 1,000 question and answer pairs on the low end. The challenge with RFP software is that even with thousands of knowledge base question and pairs, the answers generated to security questionnaires are mediocre at best because RFP software wasn't built to understand the nuance and context of different security topic areas and much less handle the all of theuse cases they purport to cover such as RFPs, due diligence questionnaires (DDQs), vendor security questionnaires (VSQs) and more. Customers also report having to sift through ten different 'matches' since RFP software typically uses keyword searches to find and generate matched answers.

With Conveyor's generative AI security questionnaire answering software, teams get instant, AI responses to uploaded questionnaires that they don't have to re-write because of the way Conveyor's AI processing pipeline filters through the right source material, nuance, and context to generate precise answers. Conveyor's goal is to help companies get through security reviews and the manual work of answering customer question as fast as possible with as little maintenance of a knowledge graph as possible.

Top 3 challenges with answering security questionnaires and how Conveyor helps alleviate these pains

Let’s get into the 3 big challenges companies still have when using third party tools to help with security reviews and why most RFP softwares don’t alleviate these problems.

1. Reviewing answers is a painful, manual process (43% of respondents)

The painful manual process of reviewing answers for security reviews was cited as the top pain for respondents using RFP tools. AI answer matching when using RFP tools isn’t precise and brings with it additional challenges such as the need to maintain a clean, updated knowledge base. Some teams have an entire full time employee just managing content in a knowledge base. This becomes an unwieldy, difficult and costly task as teams scale and your company grows and matures its security processes.

Even when thousands of questions are maintained well, teams still cite the fact that the RFP software can't generate the right answer to security questionnaire questions and instead, it brings in ten different "nearest matches" which means the team either has to sift through the matches to find the right answer or re-write the answer

Here are a few ways Conveyor helps alleviate this pain:

  • Conveyor's genAI answering gets 95% accurate answers on the first pass so reviewing is fast and easy: ConveyorAI is smart enough to understand the nuance and context of questions asked -- even understanding the context of questions that come before or after the current question to formulate the most precise answer possible so re-writing answers is less frequent. Our R&D team regularly benchmarks the output of the AI against our target for peak performance and has built rigorous quality checks into the feedback loop to ensure customers get answers on the first pass that they don't have to re-write. This ensures consistent performance.
  • ConveyorAI reads from any source - including external sites and documents - so there's less maintenance for you: Point ConveyorAI to the latest source material that other teams are keeping up to date such as support sites, security documents and whitepapers, and more, so you don't have to maintain as many question and answer pairs. With generative AI power for security questionnaire answering and RFP answering, Conveyor can get 95% accuracy with a handful of external sources and documents, plus around 200-400 question and answer pairs. Review is less of a burden when you can have confidence that your answers are up to date.
  • ConveyorAI remembers past answers from security questionnaires: Have you tried to pull up a security questionnaire you completed a week before to see what you used in an answer? Instead of having to do this manual exercise, ConveyorAI not only uses any source material mentioned above, it also keeps a separate knowledge bank of past answers used in completed security questionnaires and puts bias on recency when it considers these past results in answer generation.

2. Difficulty coordinating with various teams for answers (38% of respondents)

No security review is managed in a vacuum. Security, legal, product, and sales are all subject matter experts who need to be “called in” to respond to certain questions. Conveyor allows teams to leverage the internal subject matter experts to maintain their individual areas of expertise. 

Here are a few ways Conveyor helps alleviate this pain:

  • No limit to the number of internal users: Assign various individuals as curators of individual questions, as mentioned above. Ensure the answers are being kept up-to-date through scheduled notifications, as well as manual “quality checks” from internal users.
  • ConveyorAI remembers past answers so you need to call on curators less often: Conveyor keeps a separate knowledge bank of past answers used in completed security questionnaires. You might have called on an SME to answer a question already and this way, they won't have to answer it again. Conveyor's goal is to ensure that teams never have to answer the same question twice and can rely on the AI-generated answers with confidence.
  • Grant customers access to commonly asked questions: Allowing prospects easy access to a FAQ section of most commonly asked questions and answers empowers users to self-serve their answers before involving your internal teams - saving everyone time. With Conveyor's AI-powered trust center, customers can even upload their questions for instant AI answers.
  • Give sales team first pass at the security review: By making one-off searches of your content available to the sales team through the in-app experience, Slack, or a browser extension, many Conveyor customers ask the sales team to take the first pass at the security questionnaires, especially for smaller customers. This reduces the level of effort on the security team while still ensuring the right answers are given to the prospect. 

3. Import/export functionality is clunky (36% of respondents)

In the survey, 36% of respondents who use a third party tool said that “import/export functionality is clunky” as a painful part of their security review process; the third highest pain cited. 

More often than not, no two security questionnaires look the same or are sent in the same format; in fact, companies today still use dozens of formats using different portals, emails, spreadsheets, word documents, PDFs(?!), and more. Naturally, an RFP solution isn’t going to be perfect when importing and exporting into different formats and the struggle to ensure proper formatting can take hours of your team’s time. 

Customers we've talked to have also mentioned that they often have to manipulate the customer's security questionnaire file before they are able to upload it into the RFP software, especially when there are complicated drop-downs and other excel formatting. It also doesn't upload word documents or PDFs.

Then there are the portal-based questionnaires that have increased in volume over the years, now accounting for about 35% or more of questionnaires received by organizations. RFP software comes with browser extension to answer these portal questionnaires, but we often hear that they don't work and just bring in matches that you have to again, sift through, or copy and paste answers from. Often times, RFP software reps will recommend that teams export the security questionnaire from the portal and upload it into the RFP software. This just means extra steps for the team and having to copy and paste answers back in in the end.

Here’s how Conveyor helps alleviate this pain:

  • Import any customer file in its original format: ConveyorAI can instantly import any type of security questionnaire in its original format (Excels, word docs, PDFs) without any manipulation neededfrom you before upload. Just simply drag and drop and ConveyorAI will map the questions, answers, comments, and even drop-downs(!) automatically for you.
  • For portal-based questionnaires, use a browser extension that auto-scrolls and completes the security questionnaire for you: Conveyor's browser extension brings the same AI accuracy to portal-based questionnaires and is compatible with all portals. There is a deeper integration with a handful of portals (more to come every month) like OneTrust ServiceNow, Coupa, ProcessUnity that will auto-scroll and fill in the reviewed answers for you so you no longer have to copy and paste one by one. It also syncs all questions and answers back to the platform so you have a record of the questionnaire for reporting and for ConveyorAI's past answer knowledge bank.

Security questionnaires aren't RFPs - so why are you still using an RFP solution to manage them?

You can spend hours every day answering security questions, or you can get that time back so you can get back to your day job.

If you’re struggling with manually reviewing answers to security questionnaires, collaborating with colleagues, and file/format compatibility issues, it’s time to consider an entirely different approach.

Use Conveyor's security review automation platform to transform how you build trust with customers from the start. 

-----

Can I use Conveyor for RFPs?

Update July 2024: We've found Conveyor's answer accuracy is so high, we've optimized the software to use for RFPs as well. So yes, while Conveyor was built for security questionnaires, it can now handle both security questionnaires and RFPs because of the power of generative AI accuracy across multiple topic areas with limited knowledge base maintenance. Schedule a call with us to try it for free with your own data.