Whistic’s Security Profile: A Forward-Thinking Approach to the Security Questionnaire Knowledge Base

July 26, 2018

InfoSec and IT teams have a lot on their plates: not only are they responsible for the overall protection of the organization as it relates to cybersecurity and risk management issues, they also have the tedious (and incredibly monotonous) job of responding to security questionnaires from prospects and customers. You know from experience how much additional work this creates: personalized questionnaires and vendor responses add up fast, especially in this day and age where the average company’s network is accessed by 89 different vendors every week. Just imagine — every single one of those vendors (both cloud-based and otherwise) needs to go through the vendor assessment process on a regular basis. Talk about a lot of security questions!

Some companies are turning to a knowledge base to help streamline security questionnaire responses. While this approach can add efficiency to your process, you should be aware of some of the potential drawbacks of relying solely on a knowledge base for security questionnaire responses. Let’s look at a few of the key things to keep in mind when evaluating a tool that can help you automate responses to security questionnaires.

It Takes Significant Resources to Keep a Knowledge Base Up-to-Date

It takes an enormous amount of time and resources to keep a knowledge base up to date with the latest responses to all of the nuanced versions of the self-assessment questions that can be asked and/or answered. In the world of security, context is king, and the same question may be answered multiple different ways depending on which security control the questionnaire is referring to. While a knowledge base may be a helpful place to store information, it can not only lead your team to use an out-of-context (and thereby invalid) answer, but it can also grow to an unwieldy size as you collect dozens of versions of the same question(s) asked in a slightly different manner. One CISO we spoke with recently referred to his security questionnaire knowledge base as a “Rat’s Nest”, meaning that the more he relies on the knowledge base, the more time he has to spend untangling the labyrinth of questions he’s feeding into it. In a world of competing priorities, security leaders don’t have the time to deal with this type of challenge.

While a knowledge base may be a home run for standardized and straightforward RFP responses (e.g., How long have you been in business? What is your annual revenue? How many customers do you have?), the world of security questionnaires can be a different story. You might decide that a knowledge base is necessary, but it certainly won’t be sufficient if you’re looking to scale your team in the most headcount-efficient manner.

Do You Want to Be Reactive or Proactive?

After hundreds of conversations with teams grappling with this challenge, we see over and over that the companies that are reactively responding to questionnaires can never get ahead of the wave of security reviews. They simply do their best to try to handle the steady stream of security and compliance audits in an efficient manner, but they ultimately default to a headcount-heavy approach. On the flip side, we see other companies proactively addressing the challenge by investing resources in preempting security questionnaires with standardized security and compliance documentation. In essence, they are doing their best to remove the headcount from the equation. These companies take a more strategic approach to security questionnaires, developing processes around which prospects and customers receive what information and resources.

Adopting a knowledge base solidifies your position as a reactive responder, answering the questions asked of you in every circumstance. But what if those questions could be avoided altogether? What if those questions are asked by a prospect whose contract value doesn’t justify a response at all?

Whistic is Much More Than a Knowledge Base

While Whistic’s vendor assessment platform can certainly be categorized as a knowledge base of your key security and compliance questionnaires and documentation, the story doesn’t stop there — and it shouldn’t for your organization either. Yes, you can store pre-answered questionnaires and compliance docs and keep the latest version of your information up to date using Whistic’s intuitive interface, but the real power comes in proactively responding to questionnaires using Whistic’s security profile. In other words, there are questions your team shouldn’t waste time answering over and over again. There are customer security questionnaires you shouldn’t dedicate hours to answering. Forward-thinking companies are adopting a more proactive approach that goes beyond the knowledge base for responding to custom questions more quickly, and these companies are finding ways to gain more leverage during their security reviews.

How Whistic’s Security Profile Gets to the Root of the Issue: Trust

InfoSec teams can now build a robust security profile on Whistic and take a more strategic approach to owning and sharing their security posture. But it all comes down to this: does your prospect or customer trust you as a vendor? Certainly they want their questions answered, but does a knowledge base do anything to help enhance trust during the security review? Many companies believe that building trust is about having your ducks in a row, transparently sharing your security profile (even if it wasn’t yet requested), projecting a mature program, having ready the documentation you know your customers want from you before they ask for it, and aligning yourself with industry standards.

What are some of the keys to building an effective and up-to-date security profile?

  • Know what to include
  • Keep your profile alive (update it consistently!)
  • Be sure the message is on-brand and accurately reflects the company’s current state

At Whistic, we’re fortunate to be able to have hundreds of conversations with InfoSec and IT executives who spend their days responding to security questionnaires. Is your team ready to adopt a more mature vendor assessment response program that will not only save your team resources, but also bring peace of mind to you and your partners and generate trust with your customers from the first impression? Whistic is ready to help.
