I shall start with a disclaimer that I’m writing this solely based on my short experience working first hand with security questionnaires. In the past, as auditor and then second line security officer and risk manager, I was just at the receiving end of the assessment completed by the first line officers.
Although I cannot call myself an expert in this area, I think I can contribute some thoughts to make it less painful and less negatively perceived, by both suppliers and customers. But to make it more fun, let’s do it in a Q&A format.
Q: Why do we (suppliers) have to deal with security questionnaires (from customers) all the time?
A: From the customer point of view, I could say that reviewing security questionnaires is the first touch point for understanding the security posture (and maturity) of the suppliers. Is it the only measure I will use when performing a third-party risk assessment? Definitely not. For me, I would couple my review with an assessment of other assurances, like SOC 2 or ISO 27001, penetration testing and vulnerability scanning. Is it bullet proof? Nothing is bullet proof in this digital age, as it's an ongoing battle and improvement every day. But at least I can learn (remotely) how seriously my suppliers are taking security into their own hands. With the right automation of vulnerability scanning, I would cover the other aspects that support the security questionnaire.
Q: But Ferry, have you heard about the statistics that say only a small percentage of security officers actually read or even review the security questionnaire?
A: How would you like to be known to your (potential) customers? I hope as a trustworthy partner. Thus, whatever the statistics might say, just keep doing the right thing by answering those questions in the right manner. Even if there’s only 1 out of 100 security officers who actually thoroughly review the answers, it’s always good to close your eyes and know that you have done the right thing. Because security is not boxed, it is a chain. Would you like to be the weak link in that chain?
Q: Other than securing a sales prospect and “entertaining” the corporate customers' due diligence, why should we (suppliers) care about security questionnaires? What is the added value of such a static list of questions?
A: I’ll answer that question with recommendations on how suppliers can better handle security questionnaires. At least for cloud-based suppliers, like SaaS vendors, because that is my focus area at the moment. From there, I hope you can draw your own conclusion on how to answer that question…
Choose a baseline questionnaire
In my own experience, although there are many variants of security questionnaires available in the market, and each customer organisation will try to tailor its own set of questions, they are similar in nature. Thus, having a baseline questionnaire that you have answered in full and truthfully will help you tackle any other questionnaire coming your way in the future.
If you ask me, right now I would recommend that you start with CAIQ, the questionnaire developed by Cloud Security Alliance. Why? Simply because it’s open and has a nice mapping to all sorts of security frameworks and standards. I will come back to this point later…
A self-assessment for improvement
When completing the baseline questionnaire for the first time, make sure you have a positive mindset that you are also going to use it to improve your security posture. Although it is only a set of questions, they can teach you a lot about how to secure your product and organisation, and from there you can also learn what needs to be done to be a better and more secure supplier. This is especially true for CAIQ, where each question is based on the CSA Cloud Controls Matrix, which you can use as your internal control framework to manage your security and privacy measures.
If you are interested in getting certified, either with ISO 27001 or SOC 2, then answering the questionnaire is a good exercise to prepare yourself, self-assess your current situation and close the gaps before the certification audit starts. When using CAIQ, each question is also mapped to controls in various security frameworks and standards, including ISO 27001, NIST, COBIT, FedRAMP, etc.
And this is the part where I humbly believe that security questionnaires have a positive impact on suppliers too; not just for the customers.
Once you have completed the baseline questionnaire and are satisfied with the outcome, think about how you can automate the other questionnaires that will come to you by referencing that baseline set of answers. If you are an AI/ML expert, I’m sure you can develop a solution yourself; if not, please engage a trusted service to help you with it.
I hope by now you can see security questionnaires from a different perspective. If you need help managing security questionnaires in a way that supports both your security and your sales teams, let’s have a chat!