How to efficiently respond to security questionnaires.

ClearOPS
5 min read · Oct 12, 2021

This article first appeared in TagCyber in 2019. It has since been updated.

I received my first security questionnaire in 2011, while I was working as the general counsel to a tech startup. Not being familiar with this document, I punted it to our VP of Engineering. After email exchanges over a few weeks, we met to review the technical questions. I am so glad I stayed involved in responding, because some of the questions had legal implications and required careful drafting. However, I did not set up a process for future questionnaires. I wish I had.

If you get one, you will probably get many, which is why companies really need a process to respond to security questionnaires.

Frustration of receiving a security questionnaire

Back in 2011, buyers of services — that is, companies procuring services from vendors — did not regularly send their vendors security questionnaires. When they did, vendors could reasonably respond on a case-by-case basis without incurring significant costs.

Today, security questionnaires, also referred to as vendor security assessments, are quite common. They’re frequently used to satisfy due diligence requirements that have been put in place by data privacy regulations.

If your company receives a security questionnaire, here are some tips to minimize the risks, increase efficiency and reduce costs.

The Response Team

It’s hard and time-consuming to respond to security questionnaires, because the information needed is stored in many different places around the organization. I recommend that you set up a response team to manage the coordination and collaboration required. The response team members should include the stakeholders who know the answers to a majority of the questions. You’ll probably need representatives from information security, information technology, HR, compliance and procurement, privacy and maybe finance or operations, depending on your organizational structure. If you don’t have all of those departments, find the people responsible for those areas.

I left out one area: legal. You should include a lawyer on the team. The last thing you want is to go through the arduous process of filling out the questionnaire only to then bring it to your lawyer, who will undoubtedly have a long list of questions and concerns.

Here's the thing. If your company is subject to a data breach resulting in customer data loss, the security questionnaire will be subject to litigation discovery.

Some lawyers may be concerned that they do not have enough knowledge about data privacy regulation or cybersecurity to properly oversee this process. This concern is baseless. Any lawyer can spot risk and liability, regardless of the content.

The Central Response Database

I like to say, "If there are several standard templates, then there is no standard." I say this because of how many "standard" security questionnaires are available, such as SIG, CAIQ, HECVAT, VSAQ, etc.

The good news is that, unlike customized questionnaires, the standardized templates can guide the response team’s process. Because of their depth and length, one can be used to create a response database.

Some questions from the standardized templates will not be applicable to your business. Others will be stale or make no sense. Still, it’s a great starting point for the response team to get ahead of security questionnaires, and it may enable the leader to plug in lots of answers without involving other team members, thereby lowering the “cost” of responding.

The Process

Overall, the process can be accomplished in literally a day or two, and setting up a system in advance can greatly speed up the response time. Here is a step-by-step recommendation:

1. Quick review/assessment by the team leader of the questionnaire (usually received from sales).

2. Team leader answers as many questions as possible using the answer database.

3. Leader assigns unanswered questions to other team members, calls a meeting if necessary.

4. Team members update the leader so that he/she always knows the status of all assignments.

5. After all team members have responded, the leader and lawyers conduct final review.

6. Completed questionnaire is returned to sales.

Communication and collaboration are the keys to success. Sending an email and hoping the person on the other side is working on it is not the answer. That is why several new software tools have emerged on the market over the last year or so.

If your company has gone through the rigorous (and expensive) SOC 2 or ISO 27001 audits, then the buyer might accept these reports in lieu of the security questionnaire. Unfortunately, most enterprises have once again shifted and will not rely solely on a security audit for vendor due diligence, but it is still worth a try.

Security questionnaires can range from just a few questions to 350 or more. It can be tempting to try to find shortcuts to speed up the process. One that we commonly hear complaints about from buyers is that a member of the sales or marketing team crafted the response. Don’t do that. The sales and marketing teams are not responsible for implementing the procedures you have in place to secure customer data. It may speed up the response time, but you will lose credibility and trust.

The Bottom Line

There is no doubt that security questionnaires are painful. They are very long and overbroad, but they’re required.

Many questions are asked with an obvious bias toward a certain answer, pressuring you to respond in the “right way.” Some even provide you with immediate feedback on your answer, identifying a “no” as a red flag, or highlighting a “yes” in green.

With a potential sale on the line that may have taken months to cultivate, the salesperson wants every answer to be green. However, your response team will undoubtedly answer some questions in the red. And that’s OK. There may even be questions that you can’t answer. That’s OK, too. Just let the sales team know, so that they are prepared to explain. Collaboration is the key to efficiency and transparency is the key to trust.

I am a lawyer, which makes me an advocate. Now, I am an advocate for individual privacy rights. In today’s business culture, the burden of any data breach is borne by the individual, even though the fault is not theirs to bear. I aim to change that by improving the system from within.

ClearOPS offers knowledge management for privacy and security operations data. ClearOPS is on a mission to end third party risk. These posts are just my opinion. Nothing contained herein is legal advice or constitutes legal representation in any way. I do my research but it doesn’t mean I’m perfect.

You’re the best, Caroline
