You start to question if you really need to answer this questionnaire. Maybe there was a misunderstanding and you can just call your contact and talk about this. The anxiety starts to build as you open the questionnaire attachment. Your initial fear is realized: three hundred questions.
Have you had a situation like this? This happens all the time, and it is becoming more and more prevalent. It seems like every vendor, Dick, and Sally has their own unique security questionnaire to send you.
No one reads your response to these questionnaires. The partner that gave you this questionnaire assigns the completed review to an entry-level resource. They can’t afford to have a senior cybersecurity engineer spend the time reading all the answers. That means that most of your effort will go unnoticed and underappreciated.
The award goes to those who respond. Just by making an initial pass and filling in some of the answers, you will get the award of being marked ‘completed’. It’s almost like you get an ‘A for effort’. See, most people get so overwhelmed by these questionnaires that they don’t respond at all. Sure, the reviewer might highlight some blanks and note a short response, but you’ll have made it further than 80% did.
I recently helped a client recover almost a full FTE by implementing our vendor management program. This particular client was receiving about five questionnaires a week. They were also concerned that the skeletons in the closet were getting exposed by answering all of the questions. They were stuck between not answering the questions and losing the partnership, or answering the questions and showing the partner that their pants were down.
Our program greatly reduced the number of questions they answered. It created a repeatable template to follow. It defined the scope of questions they answer (and gave them a reason not to answer questions out of scope).
How you respond to these questionnaires depends greatly on the criticality of the vendor, the types of classified data you’re trusted with, and the culture of your company. Here are some practical steps on how you can reduce, repeat, and respond to cybersecurity questionnaires so that you can satisfy vendors, reduce the burden on your staff, and recover time.
- Provide strategic answers, not tactical ones.
They don’t need to know if you run Tenable Nessus or Rapid7 vulnerability scans. Just state that you have a vulnerability management program that discovers asset vulnerabilities across the environment and escalates findings to the responsible asset owners for remediation. Done.
Remember, this is an elective questionnaire, not an audit being performed to attest to regulatory requirements. Except in very few circumstances, the vendor will have to take your word for the response. They will not be able to come onsite and perform their own validation of your answer. With that said, always be honest – just address the answers strategically.
- Respond in ‘buckets’, or management programs, that once explained can be referred to in other overlapping areas.
If you boil down all the questions, you’ll find most of them fit into buckets, or pillars, of your information security program. I suggest identifying the security management program associated with each question and addressing it strategically (as stated above) by describing the program that covers the concern.
For example, if the questionnaire asks, ‘Provide an approved certificate cipher and protocol standards list’, you can respond with, ‘All certificates are managed under our Certificate Management program. We have a formal process for certificate request and approval. All certificates are required to meet our security standards, which are reviewed regularly. The standards include ciphers, protocols, and bit lengths.’ I mean really, I can’t argue with or challenge that response.
- Answer what you can – Even just a basic response puts you ahead of everyone else (no one answers all of these). Don’t feel like you need to answer every question. For questions you can’t, or don’t want to, answer, list ‘not applicable’. If the vendor really needs that answer, they will challenge your entry and come back again.
- Feel free to scope the questions. This is a cookie-cutter questionnaire. No one thought of you specifically, or of the services you provide. There is a good chance some (or most) of these questions don’t even apply to you. Feel free to call that out. Before answering a question about infrastructure servers, consider whether it has relevance to the vendor and is in scope of the partnership you have with them. Feel free to write ‘not in scope’ for areas that are not relevant.
- Create a template response – Save this questionnaire to a folder you can refer to so that you can copy and reuse your answers. Many questionnaires will have the same types of questions. And if you took our advice and answered these in ‘buckets’, then you’ll have an easily replicable set of answers. This probably won’t cover all the answers, but it covers at least 80%.
It’s possible to greatly reduce the time and energy it takes to respond to security questionnaires. Building a process and filter that these questions go through can greatly reduce the number of questions you need to answer, and provide templated responses for the rest.