Although many believe that completing security questionnaires is just a compliance theater to win new sales, we at FeHa International Consulting argue that there are still good things that can be derived from asking and answering these questions for a secure and compliant relationship between buyers and sellers.
Unfortunately not all Third Party Risk Management (TPRM) professionals are treating or using security questionnaires effectively and efficiently. And it’s becoming an increasingly painful process for many companies on the selling side, especially small and medium businesses to win their big enterprise customers.
Here are our top four tips that can be used, especially by small and medium businesses in managing these security questionnaires without stressing all the sales or engineering members involved.
Cliché but it’s true. Getting stressed because of these security questionnaires won’t help anyone within your company because a security questionnaire is just one of many other checks or due diligence that your potential customers will perform before giving you that business deal. Know that they have their own obligations to do this because of either regulatory requirements or internal policies. The same regulatory requirements that may impact you to do the same to your own suppliers.
Place internal documentation nearby and easily accessible
After reviewing and answering many of these security questionnaires ourselves, we are confident to say that they were created based on the various security frameworks and standards which you as company may also already follow internally. For example: ITIL, COBIT, ISO 27001, NIST, CSA CCM, etc. Thus, most (if not all), will be easy to answer by referring to your own documents. No need to find answers that do not exist within your own company.
Answer the questions clearly, truthful but concise
The common format of these security questions would be Yes/No/N/A options to choose with additional information or documentation. Although it's very tempting to only give the Yes/No/N/A answer, we always recommend our clients to also write down the rationale to each selected option. But do it concisely.
Writing the rationale in your own words, 1-2 sentences, is enough to show your potential buyers that you take the security questionnaire seriously. And always remember that there are humans behind to review all your answers. If you try to make up the answers and they are found out, it will not just cost you a potential customer but it can also ruin your company’s reputation.
Prepare a database of answers
Many of the big enterprise companies we have worked with use standard security questionnaires available in the market like SIG and CSA CAIQ. Some will use them as they are, some will tweak the questions according to their own needs. But eventually you can see patterns or similarities amongst these various questionnaires you have to complete.
We always recommend these 2 tips for our clients who are of the selling side:
- If time is at hand, be proactive by answering these standard questionnaires yourselves without waiting for any potential customers to ask you to answer one. Although not all will accept it, as they believe that their questionnaires are unique, but most would be happy to just review the already complete questionnaire. This way it will speed up the (sales) process.
- From a legal perspective, you have to keep all your answers to your potential customers. In some cases these answers can be used by them as liability when things go south. However, on top of that, keeping a database of past answers can help you to quickly answer new questions. But please remember that you cannot just copy-paste the past answers to new similar questions without reviewing them first before submitting it back to the customers.
Being a small and medium business does not mean you cannot effectively work on the third party risk management related activities. As more and more businesses, small or large, relying heavily on their suppliers or partners, third party risk management will just stay and increasing their importance in the coming years.
If you have questions on security questionnaires, you can check the F.A.Q here.