My Client Is Asking Me To Complete A Security Questionnaire: What Do I Do?
Year after year it is becoming clearer that cybersecurity and privacy continue to grow as priorities for businesses and stakeholders as we advance through the 2020s. This development manifests itself in a number of ways, and one of the most readily apparent goes by the name of “vendor management”. A company’s security posture does not end at the boundary of its own environment; it extends to the environments of the vendors it operates with. Larger companies have therefore become more selective about the parties they will share data with, and informing their decisions now are a variety of security/privacy questionnaires, in which one company inquires about multiple points of the security/privacy posture and scope of engagement of its potential vendors and partners.
It is not uncommon at all for a business receiving such a questionnaire to be caught off guard, and maybe even to feel singled out. I’d suggest you don’t take it personally; it has more or less become a constant part of doing business with many security-conscious companies. I’d caution you, though, not to treat it as a mere “formality” either. These questionnaires often play a role in determining the terms, speed, and even viability of a business relationship, so they are worth taking seriously. We’ve filled out many questionnaires in our time as security consultants here at CyberData Pros, so we’d like to share a best-practice methodology for handling them, along with a few alternative measures that might prove helpful should you receive one (possibly with a tight deadline!):
The Standard Approach:
- Initial Read-Through
- The first, and perhaps most obvious, step to take upon receiving a security questionnaire is to skim through it quickly. These questionnaires can range from a few questions on one topic to hundreds on many, so there’s no sense in scoping out the full task of completing the questionnaire until you know what it consists of. Note what types of questions are being asked (technical, contract-related, privacy, organizational, HR, etc.) as well as the level of detail expected; this helps greatly in the next step.
- Team Assignment
- After you’ve identified what types of questions are asked and the level of detail required, it is time to decide who at your company is best equipped to provide accurate answers to those questions. If the team you can assemble on hand does not have all the answers, you’ll want to determine which people or systems you need to engage with to obtain them.
- Answering Questions
- Once all the relevant staff and information have been gathered, it’s time to jump onto the platform or questionnaire itself and begin filling out answers. We find it best to answer questions with exactly the amount of detail requested by the asker: too little can be unsatisfactory, too much can be unproductive or even open new doors of inquiry. We’d also suggest answering questions as honestly as possible. Hard-to-believe answers can always be challenged, and failing to actually operate the security controls you claim on a questionnaire can bring trouble later. When filling out answers, be sure to leave a little time at the end for the next step.
- Submission Run
- Before you submit the entire questionnaire, it’s worth taking one last run through the whole thing (yes, even if you filled it all out yourself!). Besides the typical checks for spelling and grammar, you want to make sure that none of your answers contradict one another, and that documents and/or evidence are attached for any questions that call for them. This last-minute check can go a long way toward keeping the submission process simple and avoiding the dreaded back-and-forth inquiry that might draw additional scrutiny or complication into a proposal.
Alternative Approaches:
- Sometimes, whether because of the time it takes or the difficulty of understanding the questionnaire itself, addressing a questionnaire fully in-house can be challenging. If the standard approach above sounds difficult, or becomes difficult at some point for you and your team, there are a few additional options to consider:
- Consulting
- If there’s a specific set of questions or topics you’re stuck on while filling out a questionnaire, you can consider engaging a cybersecurity or privacy consultant to audit the relevant systems and advise on how best to speak to them.
- Outsourcing
- If you’d like to spare your team from filling out the questionnaire entirely, you could consider hiring a consultant or agency to complete it for you, so long as you can supply them with all the access and information required.
- Automate
- If you’re receiving a number of questionnaires over time and lack the time to fill them out, some online platforms such as OneTrust and other GRC platforms can help, since they offer functionality for template questionnaires, reusable answers, and response assistance.
In the end, there are a number of approaches to filling out these questionnaires, and each has different costs in terms of time, effort, and funding; each should, however, get you a decent questionnaire result. Keep in mind that even the most deftly completed questionnaire might get sent back with additional questions or contract terms; such is the nature of secure third-party handling. If certain points are being highlighted, I would at that stage speak to each point in as much detail as possible, and suggest ways you might improve upon it if you feel your answer might not meet expectations. Carried out this way, the process will typically yield the best results possible for a given system, and beyond that it can be a great experience for informing your team of your system’s status and preparing for future questionnaire efforts.
Could you use a hand with answering a questionnaire or figuring out the functionality of your systems? Contact us at https://cyberdatapros.com/contact/ and let us walk you through the process, and find a method that works best for you and your client.