5 Strategies to Keep You From Wasting Time on Security Questionnaires

by Sarah Harvey / January 15th, 2019

If you’re a start-up trying to win new clients, the dreaded security questionnaires are coming your way. Or, let’s say you’re a midsize business who’s been in business for years that’s bidding on an enterprise-level prospect – a security questionnaire request is in your future. Even we, as an information security auditing firm, are frequently asked about the security of our Online Audit Manager.

The questions may seem irrelevant, repetitive, and unreasonable. Or – maybe you know that you don’t have good answers. For start-ups, a security questionnaire may prompt the first time they’ve truly evaluated their security practices. For a midsize business, it may be a frustrating process to constantly fill out similar, but slightly custom questionnaires for every prospect. The intention behind security questionnaires, though, is a good one. Because so much responsibility lies in the hands of vendors and business partners, an organization has to complete its due diligence to protect its reputation, operability, and financial health.

Compliance from the Start

A client recently told us, “Compliance cannot be an afterthought. If you’re starting a business, please think about information security first.” We completely agree with this sentiment. A business that is driven by security and integrity will create a quality service or product.

One of our auditors, Shannon Lane, says it best. “A compliance program is usually viewed as a cost center, an impediment to business practices, and a headache that seems to get worse year after year. And yet as auditors, we know that a system built with compliance in mind isn’t usually more expensive than a faster, easier solution. A business process or IT solution is hard to change, especially once it becomes core to the enterprise and its operations. Every shortcut taken in the design process, technology solution, or internal system haunts the company forever. It’s always lurking there, waiting to interrupt just when you think you’re prepared. That’s why creating a culture of compliance throughout your organization is so important. A compliance program must be made a priority from the beginning.”

Security questionnaires are tedious, but they’re trying to determine whether you’re an organization that values security, availability, confidentiality, integrity, and privacy. Are you going to bring more risks into a prospect’s environment? Are you going to provide them with a secure service? Will you hinder their business objectives or facilitate more opportunities?

Saving Time on Security Questionnaires

It’s difficult to know whether the company sending you a security questionnaire will take stock in the answers and how much they will impact the outcome of the deal. Or – what if you refuse to answer the security questionnaire, and they still choose to work with your organization?

Many organizations adopt the approach of refusing to release any information about their security practices, even during an audit. They tend to think, “By not sharing information, we’ll be more secure. Just trust us.” It’s the ultimate security paradox. The truth is, the more you isolate yourself, the less secure you are. You never have the internal blinders removed to get a new perspective. You never get to hear new strategies based on your practices. Even AWS provides information on their compliance programs, penetration testing practices, cloud security, and data privacy practices. AWS isn’t saying, “Just trust us.” They’re giving evidence of how they serve their customers best.

Alternative approaches to satisfy a security questionnaire request may include:

SOC 1 and SOC 2 reports contain an independent service auditor’s report, which states the auditor’s opinion regarding the description of a service organization’s systems, whether the systems were presented fairly, and whether the controls were suitably designed. As a result of the additional risks that vendors bring to their business partners, more and more organizations are asking for SOC 1 or SOC 2 attestations.
An FAQ on your organization’s internal security practices, summarizing your commitment to security and the actions you take to implement controls at your organization, could go a long way in demonstrating your “compliance from the start” attitude.
Allowing a potential business partner to review your breach notification policy, incident response plan, disaster recovery plan, or internal information security policy may be enough evidence to satisfy their request.
Formal risk assessments allow organizations to identify, assess, and prioritize organizational risk. By proactively undergoing a risk assessment, you may prove that you’ve evaluated the likelihood and impact of threats and have an effective defense mechanism against a malicious attack.
If your organization knows it’ll be filling out a lot of security questionnaires in the future, try filling out one of the many security questionnaire templates available online to formulate your answers and potentially see where your gaps are.

If you’d like more information on how to tackle security questionnaires, contact us today. We can provide many ways for your organization to demonstrate your commitment to secure practices.