The 2023 Customer Trust Benchmark Report

What over 8.3K security reviews conducted using Conveyor reveal about the state of customer trust

Before we dive in, let’s first set the stage

What is customer trust?

Customer trust is the belief and confidence that a customer has in a company to keep their data and information secure.

This trust is built through consistent and transparent communication about the company's security posture, including risks, incident response plans and compliance with industry standards.

If you’re a vendor, building trust with a prospect will typically require a security review, so helping prospects complete their security reviews is critical to closing a sales deal.

Across tech specifically, we’re seeing

01
Security questionnaires haven’t evolved

The way most security teams are conducting vendor security reviews today remains unchanged from a decade ago. They're still sending the same questionnaires.

For vendors having to complete these, their processes have been typically reactive and a challenge to scale, but we're now seeing the rise of...

02
The rise of customer trust specific teams

Now that security reviews have become a standard practice when closing deals, these teams are becoming increasingly common and are tasked with speeding up and automating the security review process and reporting on performance.

80% of survey respondents said in 2021* that completing security questionnaires was important or critical to closing deals.

*data from Conveyor's 2021 Customer Trust Benchmark Survey

So we wanted to figure out... what does good look like?

Information security and customer trust teams now play an important role in growing the business.

The following report helps set benchmarks for expectations around speed of reviews, questionnaires, and what security artifacts you need to keep updated.

Ok, Let's Get Into It

We analyzed the data of over 8,300 security reviews on our platform in 2022 and here’s what we found.

Analysis included over 50,000 document downloads and 17,700 questionnaire questions answered. The data includes self-service reviews, automated questionnaire responses, and buyer-side reviews using our vendor trust product. The data is anonymized and normalized when relevant.

The Year In Reviews
The Year In Questionnaires
The Year In Security Artifacts
2023 Trends & Expectations

The Year in Security Reviews

2022 was the year of market unpredictability, cuts to spending, and general uncertainty - yet security reviews remained pretty constant.

Average reviews per vendor

Key Takeaway

Security reviews don’t go on summer vacation

We saw an uptick in March, consistent with normal end-of-quarter deals closing, then a drop in April. The stock market hit bear market (20%) losses in June, and then again in September. There was no big pullback in security reviews, which is consistent with public information about earnings reports in Q3/Q4.

Time kills deals, so the faster you get your customer the security info they need, the better.

The following metrics are baseline for companies that use a portal with an NDA to share their sensitive security documents.

Benchmark metrics to use when evaluating the security review process

90th percentile = what the top 10% of companies achieve 🥇

Key Takeaways

01

Average request approval rate was healthy.

Many vendors make it possible to request access from their public profiles, so they may get some unwanted requests, but overall the vast majority of incoming requests are appropriate and approved.

02

The top companies are able to get prospects and customers access to their security information within a few hours.

Coming from back-and-forth ticketing workflows, this is a big improvement in the speed at which customers get access to security artifacts. For the top 1% of companies, the approval time is instant using automation with integrations like Salesforce.

03

Clickwrapping NDAs is surprisingly effective.

Vendors can routinely get customers to accept a scoped-down NDA to access security artifacts.

04

What about those approved prospects that never come back?

9% to 15% dropoff rates seem normal; higher than that might be cause for concern.

Effective dropoff is where a prospect is authorized to access content, but doesn’t conduct a review (and no one else from their domain does). This could represent a buyer that got cold feet or changed their mind, and is a signal for the sales team.

Customers inviting 2+ team members to a portal to conduct a security review

Key Takeaway

Enterprise companies are most likely to have multiple users engaging with your content

Average number of times a customer visits your portal within one year

Key Takeaway

Security reviews are mostly one and done, but don’t be surprised when customers need to re-review information

Most customers (77%) get what they need and are done. 23% come back over the course of the year for more information.

The Year in Security Questionnaires

Ah, the security questionnaire. The subject of hundreds of LinkedIn posts. As one of our customers put it: “I hate them with the fury of a thousand suns.”

William Dougherty
CISO of the best company in digital healthcare.

Can we please, finally kill the security questionnaire???

Kyle Weckman
VP, Chief Information Security Officer (CISO) at Kestra...

This is the most outdated worthless process in all of cybersecurity.

Enmanuel Cruz
Senior Sales Engineer - Helping future SEs...

Every SE I know loves to fill out RFIs, RFPs, and security questionnaires 👀 Just kidding 🤣...

Hesom Parhizkar
Co-founder & CTO at PlanPro & AdvizorPro

Blocked off some time this morning to knock out a #data task I’m pretty excited about... but then, we receive a security questionnaire from a prospect to fill out. The sale is dependent on it. 🫠

Damian Tommasino
Shaping the Future of Cybersecurity Sales

When you receive a twenty page security questionnaire from a customer... On Halloween... It’s definitely not a treat!

Anonymous
Governance, Risk & Compliance Professional

Some of the vendor security questionnaires I have seen recently make me want to pull my hair out.

Mitchell Omer
Founders: Trust Keith with your Data Protect..

I dressed up as the GDPR for Halloween because it's so damn scary and intimidating for tech scale-ups. Next year, I think I'll dress up as a Data Security Questionnaire...

Mike H
Sprinklr Alum | Salesforce Alum | Scalable process...

Security questionnaires be like “please list everything you’ve ever eaten for the last 45 years”

Sales leadership: “It’s a simple ask why can’t you answer this? We want to close this deal! Get it to us in the next 15 mins please.”

Kristopher Francis
Building IT Reporting Programs

We have clients all the time who attain a SOC 2 to avoid these questionnaires. They are required to fill out the questionnaire as a formality... insane and what a waste of time.

Data analyzed from over 17,700 questions in 375+ security reviews where we automated the questionnaire completion for either party.

Average questionnaire size & coverage

The average questionnaire is 102 questions

Key Takeaway

Having key documents and baseline Knowledge Base questions will automate answers to 85% of questions, on average.

Work smarter, not harder: a SOC 2, pen test, policies, and baseline Q&As automate answers to 85% of questions, on average.

85% of questions are the same across all questionnaires

Questionnaires by format

Key Takeaway

Custom questionnaires absolutely dominate

Customers sent 93% custom questionnaires vs. 7% standardized.

The SIG and CAIQ are nice to have, but don’t reduce the need to answer custom questions.

Our 2021 report asked security teams to estimate how often customers accept SIG/CAIQ or other standardized questionnaires as sufficient: the average estimate was 35%.

However, data from this year suggests that custom questionnaires are significantly more prevalent than reviews where standardized questionnaires are accepted.

If you’re feeling like custom questionnaires are coming across your desk more often than not, you’re not alone.

✅ Expert insight

"Every business has different needs, so there will always be product or technology specific questions that make it impossible to standardize questionnaires. Also, standards can be slow to catch up to the current situation with delays in standard setting procedures. We will be lucky if this number someday decreases to 20 percent."

David D.
Director of Security @ ProductBoard

The Year in Security Artifacts

SOC 2, pen tests, and ISO certs - oh my! We looked at a sample of over 50,000 downloads of vendor security artifacts in 2022 and here’s what we found.

Most downloaded security artifacts

✅ Expert insight

"SOC 2 makes sense, but I'm surprised the Information Security Policy is higher than pen test. Frankly, who cares about policy? What matters are the results of whether or not their policy was implemented correctly and works."

Reed L.
VP of Security @ Teleport

Key Takeaway

To no one's surprise, the SOC 2 Type II leads the pack, but you might not need as many security artifacts as you think.

ISMS policies, whitepapers, pen tests also get solid engagement.

Downloads of SIG, CAIQ, and other framework reports are lower than we’d have expected at 1.9% and 2.4% respectively. This may be consistent with the dominance of custom questionnaires.

Before spending time keeping dozens of documents updated in order to satisfy your customers, carefully curate and update based on your customer activity.

Most downloaded content relative to the SOC 2 Type II

Key Takeaway

When a SOC 2 is present, it tends to be the most popular doc by far.

Whitepapers, pen test materials and ISMS policies are all relatively more popular than ISO 27001.
