What over 8.3K security reviews conducted using Conveyor reveal about the state of customer trust
Customer trust is the belief and confidence that a customer has in a company to keep their data and information secure.
This trust is built through consistent and transparent communication about the company's security posture, including risks, incident response plans and compliance with industry standards.
The way most security teams are conducting vendor security reviews today remains unchanged from a decade ago. They're still sending the same questionnaires.
For the vendors that have to complete them, the process has typically been reactive and hard to scale, but we're now seeing the rise of...
Now that security reviews are a standard step in closing deals, dedicated customer trust teams are becoming increasingly common. They are tasked with speeding up and automating the security review process and reporting on its performance.
said in 2021* that completing security questionnaires was important or critical to closing deals.
*data from Conveyor's 2021 Customer Trust Benchmark Survey
Information security and customer trust teams now play an important role in growing the business.
The following report helps set benchmarks for review turnaround, questionnaire volume and type, and which security artifacts you need to keep current.
2022 was the year of market unpredictability, cuts to spending, and general uncertainty - yet security reviews remained pretty constant.
We saw an uptick in March, consistent with normal end-of-quarter deals closing, then a drop in April. The stock market hit bear market (20%) losses in June, and then again in September. There was no big pullback in security reviews, which is consistent with public information about earnings reports in Q3/Q4.
90th percentile = what the top 10% of companies achieve 🥇
Many vendors allow access requests from their public profiles, so they receive some unwanted requests, but overall the vast majority of incoming requests are appropriate and get approved.
Compared with back-and-forth ticketing workflows, this is a big improvement in how quickly customers get access to security artifacts. For the top 1% of companies, approval is instant, automated through integrations such as Salesforce.
Vendors can routinely get customers to accept a scoped-down NDA to access security artifacts.
Effective dropoff is where a prospect is authorized to access content but never conducts a review (and neither does anyone else from their domain). This could represent a buyer that got cold feet or changed their mind, and is a signal for the sales team.
Most customers (77%) get what they need in one review and are done; the remaining 23% come back over the course of the year for more information.
Ah, the security questionnaire. The subject of hundreds of LinkedIn posts. As one of our customers put it: “I hate them with the fury of a thousand suns.”
Work smarter, not harder: a SOC 2 report, a pen test report, your policies, and a baseline set of Q&As answer 85% of questions automatically, on average.
93% of the questionnaires customers sent were custom; only 7% were standardized.
The SIG (Shared Assessments' Standardized Information Gathering questionnaire) and CAIQ (Cloud Security Alliance's Consensus Assessments Initiative Questionnaire) are nice to have, but they don't reduce the need to answer custom questions.
Our 2021 report asked security teams to estimate how often customers accept SIG/CAIQ or other standardized questionnaires as sufficient: the average estimate was 35%.
However, data from this year suggests that custom questionnaires are significantly more prevalent than reviews where standardized questionnaires are accepted.
If you’re feeling like custom questionnaires are coming across your desk more often than not, you’re not alone.
"Every business has different needs, so there will always be product or technology specific questions that make it impossible to standardize questionnaires. Also, standards can be slow to catch up to the current situation with delays in standard setting procedures. We will be lucky if this number someday decreases to 20 percent."
SOC 2, pen tests, and ISO certs - oh my! We looked at a sample of over 50,000 downloads of vendor security artifacts in 2022 and here’s what we found.
"SOC 2 makes sense, but I'm surprised the Information Security Policy is higher than pen test. Frankly, who cares about policy? What matters are the results of whether or not their policy was implemented correctly and works."
ISMS policies, whitepapers, and pen tests also get solid engagement.
Downloads of the SIG and CAIQ, and of other framework reports, are lower than we'd have expected, at 1.9% and 2.4% respectively. This is consistent with the dominance of custom questionnaires.
Before spending time keeping dozens of documents current to satisfy your customers, curate the set and prioritize updates based on what your customers actually request and download.
Whitepapers, pen test materials, and ISMS policies are all relatively more popular than ISO 27001 certificates.
Though trust portals can help reduce the number of incoming questionnaires, the data shows that answering custom questions is far from over.
GPT/LLM breakthroughs will make it easier to draw on prepackaged security artifacts to answer those custom questionnaires and more, though generated answers still need human review before they go to a customer, since an inaccurate answer on a questionnaire is a misrepresentation of your security posture.
“I want AI to provide more confident suggestions and learn based on specific domains, such as pre-answering questions specific to our product's integrations and linking custom answers to industry standard questionnaires.”