The What, Why, and How on Answering Security Questionnaires

August 20, 2021


You have many options for solutions to help you issue a security questionnaire. 

When it comes to answering a security questionnaire, there are fewer options, but you’ll be happy to know that solutions exist to help you with what some consider to be a painstakingly manual, repetitive process. 

Security questionnaires exist so organizations can verify that their data will be secure in transit, in use, and at rest with third-party vendors. Consumers demand that their private, financial, medical, and other data be secured at all times. In most industries, compliance regulations exist to ensure minimum protection standards are met.

To prove compliance, vendors must complete security questionnaires as part of a risk assessment.

Traditionally, security questionnaires arrive in the form of a spreadsheet or other downloadable document. Technology solutions that automate the response process to these questionnaires can be indispensable if you want to save time and ensure consistency when answering questionnaires. 

There is a growing trend of online security questionnaire portals that make automation tricky and require vendors to answer more questions one by one. While there are some technologies and techniques that will help speed up answering security questionnaires in online portals, strategies for automation rely heavily on proprietary third-party integrations that can be costly and may only apply to one “flavor” of security.

As a vendor who will be facing more security questionnaires of increasing sophistication, you have a challenge to answer them efficiently and comprehensively. 

What is a security questionnaire? 

A security questionnaire is used when an organization needs to assess whether their data will be safe when it’s beyond their control, typically in the hands of a vendor.

Consumers and clients trust organizations with their business and private data with the assumption that it will be safe while under that organization’s control. Organizations must ensure that any person or entity outside of the organization maintains a minimum level of security equal to that of the organization. 

In other words, if you have a bodyguard with a black belt in karate who goes with you everywhere to make sure your wallet is safe, you cannot let anyone borrow your wallet unless their bodyguard also has at least a black belt in karate. And both bodyguards need to be there when you hand over your wallet, even though the place where the handoff takes place is supposed to be completely secure, too.

Security questionnaires generally come from one of the following three places:

  1. Build your own, usually in a spreadsheet, that includes an assessment of all minimum security requirements needed to access your data (i.e. “Fill out this form to prove that your bodyguard is as good as my bodyguard.”).
  2. Buy your own. You can swing for the fences and evaluate everything with something like a SIG (Standardized Information Gathering) Questionnaire from Shared Assessments. Or you can assess a specific risk with a tool rather than a form; Nessus, for example, is a vulnerability scanner, not a questionnaire, but its scan reports are often requested as evidence alongside one.
  3. Borrow a security questionnaire that is publicly available. Some non-profit organizations provide questionnaires that encompass standards as agreed upon by a membership of like-minded professionals. One such example is the Consensus Assessment Initiative Questionnaire (CAIQ), which is published by the Cloud Security Alliance (CSA).

One thing a security questionnaire is not is a due diligence questionnaire (DDQ). There are two major differences. One, DDQs are not as detailed and focus more on process. You may receive a DDQ when an organization wants to know how you will comply with their standards and meet their needs. It’s in the security questionnaire where you’ll have to provide the proof.

Two, DDQs usually arrive earlier in the sales process compared to a security questionnaire. Think of the DDQ as the first filter. Organizations figure that if you don’t know how to comply at the DDQ stage, then it’s not worth spending time on the details further along in the sales process. 

That doesn’t necessarily mean that security questionnaires should be viewed as key milestones in the sales process. They can appear early on like DDQs, but they can also appear at the demo stage further along in the sales process or even post close when onboarding plans begin to take shape. Receiving a security questionnaire is not an indication of your eventual success.  But not responding on time and accurately could certainly kill a deal. 

Why are security questionnaires needed? 

In the olden days, software applications were hosted in house (on premises), which meant that the owner of the data was in possession of it at all times. There were still security questionnaires, but they were much less involved.

With the SaaS shift, data and business critical applications are trusted to a third party. Before an organization onboards a SaaS solution, it has to be confident in two things, from a security perspective. One, all of its data will be safe with the vendor of that SaaS solution.

Two, the application will be available when it’s needed and compliant with agreed-upon uptime benchmarks (e.g. you don’t want the HR system going down just before processing payroll). Security questionnaires have proliferated as a result of the onslaught of SaaS solutions. 

Security questionnaires also assess more than just aspects specific to data security, such as encryption or storage. Questions may cover network security, auditing and compliance processes, and even the physical security of your locations, just to name a few. The fact is that questionnaires are becoming more common, longer, and more complex for two primary reasons.

First, SaaS solutions are growing in complexity and interconnectivity. Rarely is there a business application that is entirely standalone. They often need to talk to each other to help organizations achieve a larger goal.

The more applications that need to talk to each other, the greater the risk exposure, which results in more stringent security assessments.

Second, threats are constantly evolving. There’s no such thing as a 100% secure system, primarily because no matter how secure and intelligent systems get, there will always be a human fingerprint somewhere. 

88% of data breaches can be attributed to human error. (Source: CISO Mag)

From voting systems to fuel distribution networks to large retailers, bad actors can pivot quickly to direct cyber attacks wherever they find a weakness.  

What do security questionnaire reviewers expect?

An honest, direct, and complete response. And to respect their time. Pay attention to the instructions. Some questions require brief, direct answers. Others require detailed explanations about the types of controls in place.

Even with automation support, you’ll have to think through every response to make sure it’s properly answered. If a question allows a two-part response (a yes/no plus a free-text field), always provide a brief description with your answer. This is especially important when you have to answer “no” or “not applicable”, because an unexplained “no” almost always draws a follow-up.

Your response doesn’t always have to be in the affirmative. Don’t say yes because you have plans to implement something. Those plans become obligations that you may not be able to fulfill. Never answer in the affirmative if you cannot deliver. Always expect the client to ask for proof.  

Be direct. Use the active voice. Concision matters. Sometimes the same question is asked in different ways multiple times; answer each on its own terms rather than pasting an identical block, which can read as evasive. Don’t waste time trying to guess reviewers’ priorities; they rarely reveal what’s mandatory. Assume compliance and risk teams will review every response with a fine-toothed comb. 

Your goal should be as complete a response as possible. The more complete the response, the fewer the follow-ups, and the sooner the risk assessment is complete, the sooner the deal can close. You don’t want the questionnaire response to hold up the deal: it often lands late in the sales process, and multiple rounds of follow-ups or clarifications will slow everything down and frustrate your sales team to no end.

Key components of a security questionnaire 

In most cases, security questionnaires assess a wide spectrum of security controls. Expect questions across multiple types of security. 

Security “flavor”, with a sample question for each:

  • Application Security: Does your web application use a valid TLS (SSL) certificate?
  • Audit & Compliance: How often do you audit for California Consumer Privacy Act (CCPA) compliance?
  • Business Continuity: In the event of an outage, how does your application remain in service?
  • Incident Response: In the event of a data breach, how long will it take you to notify us?
  • Change Control: What is the definition of an emergency change?
  • Data/Information Security: What guidelines does your security program follow?
  • Disaster Recovery: What is the process for backing up your data?
  • Encryption Management: Does the product use encryption or other cryptographic techniques?
  • Physical Security: Do you work in a shared office space?
  • Security Monitoring: Do you keep a record of security events?
  • HR: Do you train your employees on how to detect cyber attacks?
  • Identity & Access Management: Does your application offer single sign-on (SSO)?
  • Third-party Management: Do you outsource security functions to third-party providers?
  • Vulnerability Management: Which software or techniques do you use to conduct vulnerability analyses?

Many questions and content requirements will fall under one of the following four components.

1. Security compliance certificates

Proof of security compliance is the most commonly requested piece of information in a security questionnaire. Examples include a SOC 2 (Service Organization Control 2) report, which is an auditor’s attestation rather than a certificate; ISO/IEC 27001 certification, issued by an accredited certification body; and alignment with the NIST (National Institute of Standards and Technology) Cybersecurity Framework (NIST CSF), which is a framework you are assessed against rather than something you are certified in. Be precise about which of these you actually hold, and have the report or certificate ready, because reviewers will ask for the document itself, not just the claim.

2. Cybersecurity policies and policy documents

These will likely be your most time consuming. They cover a lot of areas, including information, physical, application, infrastructure, and network security. These questions assess your IT security, data privacy, and business resiliency policies. Sometimes you’ll be asked to provide the full policy document. Other times you’ll be asked to pull out specific sections.

3. Security procedures

This component is where organizations want to assess your procedures to safeguard customer information, data, and systems. 

Questions and requests may focus on:

  • Procedures for employee security awareness training 
  • Procedures for patching, upgrading, and mitigating vulnerabilities on servers or desktops
  • Incident management procedures in case of a security breach or other incident
  • Disaster recovery and business continuity plan in case of prolonged downtime
  • Monitoring and tracking for malicious activity

4. IT risks and mitigation controls 

If an organization is going to accept your risk by adding you as a vendor, then they need to know what they’re getting into. Even more important, they want to know what you’re already doing to mitigate risk. 

You’ll see inquiries such as:

  • Submit a risk management plan
  • Identify the list of risks that could directly impact our data and information systems
  • Describe your risk assessment methodology
  • List security controls in place to mitigate risks
  • List personnel/roles responsible for risk management

Note that you probably already have many of the answers to these questions. The question is where are they located? That’s the key to answering security questionnaires faster.

5 tips for responding to security questionnaires faster

With more security questionnaires coming as a result of the proliferation of SaaS (and infrastructure as a service [IaaS] and platform as a service [PaaS]), accuracy, efficiency, and repeatability will be essential to seamlessly responding to multiple questionnaires every year. These five tips will help.

Implement AI and machine learning to automate responses 

Automation solutions already exist. Ironically, they’re SaaS, too. What’s important, whether you build your own or seek out a vendor, is that the solution has AI/ML capabilities to do more than just copy and paste. There’s more to a response than finding any answer; you have to be able to find the best answer, fast. 

Develop a content management solution to streamline searching for and updating answers 

You likely already have most of the answers to security questionnaires. Usually, the problem is that the documents where these answers lie are siloed, duplicated, outdated, may only allow limited access, and are not searchable. Centralizing your content will solve this problem.

Follow best practices for reducing turnaround time while improving accuracy 

Your internal and external collaboration mechanisms will drive improvement here. In addition to AI/ML-enabled automation, cueing up assignments for subject matter experts to answer and review can also be automated. Getting your team in lockstep is essential to avoiding those frustrating follow-up questions that can result from an incomplete or inaccurate response.
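The following Python sketch is an added example, not code from this post or from RFPIO, of the two ideas above and of the guidance under “What do security questionnaire reviewers expect?”: a single reviewed answer library that a spreadsheet-style questionnaire is filled from, with planned-but-not-implemented controls never answered “Yes”, every answer carrying a short description, and stale or unmatched questions routed to the owning subject matter expert instead of being submitted blind. The answer library, the four-question CSV export, the owner names and the 180-day review window are all constructed for illustration, and the matching is plain keyword overlap rather than the AI/ML the post describes.

```python
"""Fill a spreadsheet-style security questionnaire from a reviewed answer library.

Added example (not the post's or RFPIO's code). Library entries, questionnaire
rows, owners and the review window are constructed for illustration.
"""
import csv
import io
import re
from datetime import date, timedelta

# Hypothetical answer library. 'status' records what is actually in place;
# only "implemented" controls may be answered "Yes" (plans are not commitments).
ANSWER_LIBRARY = [
    {"id": "IAM-01", "topic": "identity sso saml single sign-on okta",
     "status": "implemented", "owner": "iam-team",
     "answer": "Yes. The application supports SAML 2.0 single sign-on; customers can federate their own IdP.",
     "last_reviewed": date(2021, 6, 1)},
    {"id": "ENC-02", "topic": "encryption encrypted at rest data storage aes",
     "status": "implemented", "owner": "platform-security",
     "answer": "Yes. Customer data at rest is encrypted with AES-256 using provider-managed keys.",
     "last_reviewed": date(2020, 11, 15)},
    {"id": "VM-03", "topic": "penetration test pentest third party annual",
     "status": "planned", "owner": "appsec",
     "answer": "A third-party penetration test is scheduled for Q4; no report is available yet.",
     "last_reviewed": date(2021, 7, 20)},
]

# Constructed questionnaire, as it might arrive in a spreadsheet export.
QUESTIONNAIRE_CSV = """id,question
Q1,Does your application support single sign-on (SSO) via SAML?
Q2,Is customer data encrypted at rest?
Q3,Do you have an annual third-party penetration test?
Q4,Do you work in a shared office space?
"""

AS_OF = date(2021, 8, 20)          # date the questionnaire is being answered
REVIEW_WINDOW = timedelta(days=180)  # answers older than this go back to their owner
MIN_SCORE = 0.25                     # below this the match is not trusted
STOPWORDS = {"do", "does", "your", "you", "is", "a", "an", "the", "via", "have", "of", "in"}

def tokens(text):
    """Lower-case word tokens minus stopwords, so 'SSO' matches 'sso' however the question is phrased."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS}

def score(question, entry):
    """Jaccard overlap between the question's tokens and the entry's topic keywords."""
    q, t = tokens(question), tokens(entry["topic"])
    return len(q & t) / len(q | t) if q | t else 0.0

def answer_question(question, today, library=ANSWER_LIBRARY):
    """Draft one response: yes/no, a description, and whether an SME must look at it."""
    best = max(library, key=lambda e: score(question, e))
    best_score = score(question, best)
    if best_score < MIN_SCORE:
        # Nothing in the library covers this; do not guess, hand it to the security team.
        return {"response": "", "description": "", "source": None, "confidence": best_score,
                "needs_review": True, "review_by": "security-team",
                "reason": "no matching library entry"}
    stale = today - best["last_reviewed"] > REVIEW_WINDOW
    # Only an implemented control earns a "Yes"; planned work is answered honestly as "No"
    # with the description explaining the status, so nothing becomes an obligation by accident.
    response = "Yes" if best["status"] == "implemented" else "No"
    return {"response": response, "description": best["answer"], "source": best["id"],
            "confidence": round(best_score, 2), "needs_review": stale,
            "review_by": best["owner"] if stale else None,
            "reason": "answer older than review window" if stale else None}

def fill_questionnaire(csv_text, today=AS_OF):
    """Parse the spreadsheet export and draft a response for every row, keyed by question id."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["id"]: answer_question(row["question"], today) for row in rows}

if __name__ == "__main__":
    for qid, r in fill_questionnaire(QUESTIONNAIRE_CSV).items():
        flag = f"  -> REVIEW ({r['reason']}; owner {r['review_by']})" if r["needs_review"] else ""
        print(f"{qid}: {r['response']} {r['description']}{flag}")
```

Run as a script it drafts Q1 through Q3 from the library and leaves Q4 blank for the security team; Q2 is drafted but flagged because its library answer has not been reviewed inside the window, and Q3 comes out as “No” with the scheduling note, which is the honest answer for a control that only exists as a plan. A real deployment would swap the keyword overlap for the semantic matching the post discusses, but the review rules around it are what keep the automation from writing cheques the company cannot cash.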

Identify a SaaS solution that supports technology to interact directly with third-party online portals 

AI/ML automation works best on downloadable forms, such as spreadsheets, documents, or PDFs. Online portals are more troublesome and, as of this writing, can only be automated through backend partnerships between security questionnaire issuer and responder solution providers.

One technology that can help is a browser extension that links to your content library. It lets you work through an online portal faster because you don’t have to switch between applications to look up answers.

Complete security questionnaires ahead of the client’s deadline 

This portrays proficiency and good will. It also gives your client greater peace of mind that you take security seriously while respecting their valuable time.

Don’t let security questionnaires put a chokehold on revenue

Answering security questionnaires in one form or another will be part of the vendor onboarding process for the foreseeable future. Based on the current landscape, you can expect security questionnaires to continue to grow in size and sophistication.

Cybersecurity spending is projected to exceed $1 trillion, and industry surveys attribute a majority of data breaches (one widely cited figure is 63%) to third-party vendors. Organizations will want more assurances that their data will be safe and that their applications will be available. 

By implementing business processes that take a security questionnaire from intake to submission, automating as much of the response process as possible, and improving collaboration to keep subject matter experts on task, you can speed up and simplify how you answer questionnaires. Your goal is to never let security questionnaires be a bottleneck to the sales process. 


About the author: AJ Sunder, an expert information security analyst, has implemented security and quality assurance programs at IT and aerospace enterprises. Having been called to assist with RFPs as a technical SME numerous times, he set out to build a world-class response management application with RFPIO. https://www.linkedin.com/in/ajsunder/
