One of the biggest challenges facing InfoSec teams when it comes to responding to a vendor assessment request is the sheer volume of standard questionnaires and frameworks there are. And that’s before we get to custom questionnaires, which makes up 71% of assessment requests according to industry research, many of which have hundreds of questions.
Because every business and every industry has different security requirements, there will likely never be one standard questionnaire to rule them all — even if there exists a strong set of common controls across many of the top frameworks. But what is fast becoming the standard is the expectation that buyers and sellers alike should take a proactive approach to vendor security. Whether it’s customers researching or requesting security documentation at the beginning of the relationship or vendors sharing their security profile even before the initial discovery call, building the relationship on the foundation of trust and transparency is key.
With that in mind, companies should be more concerned with the security controls outlined in whatever questionnaires, certifications, or audits provided rather than checking the box that your vendor filled out your questionnaire. As long as your security requirements are being met, it shouldn’t matter where that information came from.
Flexibility is key. Don’t demand vendors respond to your questionnaire just because that’s the way it’s always done. Accepting a pre-completed standardized questionnaire will save your team time in the long run because you won’t have to chase down answers, you’ll already have them. They’ll just be in a different format.
To further build on that point, we recommend vendors build out a robust security profile ahead of time that includes all of the relevant security documentation customers might need to complete an assessment.
Building the perfect profile
At first glance, it might seem like a fool’s errand to proactively build and share a security profile with your customers because so many of assessment requests include custom questionnaires, but trust us when we say it’s not. According to the 2021 State of Vendor Security report, 82% of respondents said they would be willing to begin the assessment process with an on-demand questionnaire.
When building out a security profile, you need to put a lot of thought into it and make sure you are providing all of the relevant information a customer might need to assess the risk of your company. Putting in the effort in the beginning will save your team countless hours down the road because you’ll no longer have to respond to questionnaire requests as they come in. To help you get started, we’ve outlined the key elements every security profile should have.
Read Our New eBook: 4 Vendor Security Trends Whistic is Watching in 2022
In this ebook,we’ll dig deeper into each of these topics and provide actionable ways you can incorporate them into your vendor security strategy going forward.
Find the right tool
One of the most frustrating parts of the vendor assessment process in the past was how clunky and poorly organized security documentation was. Most solutions consisted of documents in Google Drive or some other repository, spreadsheet questionnaires, and emails. It was a nightmare to keep track of the status of each assessment, especially with the sheer number of vendors a typical company assesses in a given year.
Luckily, significant advancements have been made in recent years and tools, like Whistic Profile, have been developed to consolidate all of your security documentation in one place, making it easy for vendors to share and customers to assess.
Put an NDA in place
Proactively sharing and publishing security documentation might seem scary, that’s why it’s recommended to protect yourself with an NDA. In addition, you should have controls in place that limit who has access to your information and for how long.
Provide a brief introduction
Once you’ve got all your t’s crossed and i’s dotted and have an NDA in place, provide customers with an introduction to the security practices at your organization, your stance in security, risk, and compliance, contact information, along with information on when the Profile was last updated.
Upload audits and certifications
You’ve put in the work getting your SOC 2, ISO 27001, FEDRAMP or any number of certifications, now it’s time to show them off. Upload all of your relevant security certifications and audits so they can easily be accessed and viewed by customers and prospects while assessing your company.
Complete relevant standard questionnaires
InfoSec teams should target the top three to five security questionnaires requested by their customers and self-assess against them. Completing that many questionnaires in advance might seem like overkill, but in the long run it will save you time and ensure your security posture has been thoroughly vetted, covering all of the control areas a potential customer will want to dig into.
Share over and over again
Once you’ve built a profile, the hard work is done. Now you just need to share it proactively with customers to build trust early in the sales process. This can be accomplished by enabling customer facing teams, including your sales reps, to share your profile with their prospects when they first engage them rather than waiting for the prospect to request it.
To learn more about 2022 vendor security trends according to Whistic, download our latest ebook and be on the lookout for our next blog post that will dig into the importance of standardizing how security information is shared.