If you want to win an RFP, if your organization is part of the digital supply chain, or if your company stores data online in any way (as most companies do), then you’ve probably received one of the most dreaded documents in business from a prospect: a cybersecurity questionnaire.
They’re disliked for good reason: Some are hundreds of questions long. Some questions may not apply to your company, or may be repetitive. Questionnaires come in varying formats, meaning that every individual questionnaire requires close attention. And of course, they take up your team’s time. According to research from the Ponemon Institute, more than 15,000 hours are spent completing questionnaires every year at an average cost of $1.9 million to their organizations. There is also plenty of anecdotal evidence (just search Twitter) that many people spend a lot of time and effort filling them out.
“I regularly see 25-75% of security teams’ effort focused on sending and answering these questionnaires. It’s a full-time job, often for multiple people,” wrote cybersecurity professional and writer Daniel Miessler on his blog.
It might not be so bad if teams only had to fill out a few a year, but that’s not the case. Depending on the business, some organizations fill out hundreds of security questionnaires every year, and this can mean questionnaires aren’t being filled out in an ideal way — like interns being tasked with answering questions, or answers to questions copied and pasted from the text of cybersecurity standards or policies.
Despite all of these complaints, questionnaires are a necessary part of the due diligence process, and if you want the deal, they have to be filled out.
Why are security questionnaires important?
Although security questionnaires are most often needed for compliance with cybersecurity standards like NIST or ISO, they also serve to set your customers’ minds at ease. Most companies are understandably wary of third party data breaches; research shows that when a third party is involved in a breach, the average cost of the data breach rises by 14%.
That concern translates into sometimes overzealous due diligence; Gartner predicts that by 2025, 60% of organizations will be using cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements — and unless something about the due diligence process changes, that’s likely to mean more and longer questionnaires. There are complaints online of questionnaires with 274, sometimes even 600 questions, or even 100+ questions with up to 5 parts to each! They often have to be filled out quickly so that your company’s sales team can prove compliance to a prospect and close the deal.
It can be a cumbersome and labor-intensive task, and the sales team may be applying pressure during the process. So is there a way to manage security questionnaires more easily?
5 tips to simplify the security questionnaire process
1. Designate a champion
It’s probably not the best use of your CTO’s or CSO’s time to be filling out questionnaires. Choose one specific person to own the process. (Preferably someone who is not an intern.) While this is not a fun responsibility for an employee to have, having one person in charge of the process means C-levels aren’t being tied up with questionnaires, and interns aren’t just copying and pasting from whatever documents they can find. And don’t worry: the following tips will make questionnaires simpler for that one employee.
2. Create a central source of truth
Not all copying and pasting is bad. While some questionnaires will have unique questions that need special attention, many questionnaires ask the same questions about your security posture. By storing answers to common questions in a knowledge base, you can cut down the time you’ll spend answering every question on each questionnaire and focus your attention on the questions that need it most.
3. Be proactive
If you know a prospect may be sending you a questionnaire, be prepared. You might also consider turning your knowledge base into a security document that can be shared with prospects before they send a questionnaire. This won’t deter every prospect from sending a questionnaire, but it may deter some.
4. Don’t make promises unless you can keep them
If you don’t have a specific security measure in place, be very careful about making promises on your questionnaire. This can be difficult if the prospect won’t even consider you for the RFP if they don’t have a completed questionnaire at the start of the sales process, and you may be under pressure from the sales team, but that promise may become a liability down the road.
5. Automate the process
An automated security questionnaire process can drastically cut down on your response time and let your sales team close deals more quickly. Ombud’s solution, for example, lets your team search for and choose approved answers for questionnaires, is compliant with standards worldwide, and exports questionnaires into their original formats when your team has finished answering all questions. Learn more today by requesting a demo here.