How To Master The Security Questionnaire
Updated: Feb 12, 2021
Want to win a big exciting client?
Have they asked you to complete a lengthy, jargon heavy cyber security questionnaire?
Want to answer it well and impress them along the way?
You're in the right place.
I’ve been on both sides of the table. I’ve been the client who sends you the questionnaire. I’ve designed them and reviewed answers many times over.
More recently, as a freelance security consultant, I’ve been helping startups satisfy such processes so they can win big clients.
For one of my ongoing clients, I have to play two different roles as their trusted security advisor:
Being their security leader and doing the right thing. This means doing what I can to improve their security environment in the right way i.e. in a risk-based, cost effective manner. Sometimes this means telling the client things they may not enjoy hearing, and trying to influence them to buy into my recommendations in order to reduce the probability and impact of a breach.
Getting them through audits and security questionnaires. This is where my role changes slightly: instead of being a good, ethical security professional, my objective is to help them get over the line with any security audits and to complete security questionnaires so they can win new business.
Here I’ll explain the latter role, what the questionnaire process is meant to achieve, and how to complete questionnaires well, or, master them.
Why a security questionnaire?
Sending a potential supplier a security questionnaire is known in the cyber security industry as third-party (or supplier) security due diligence. It can be seen as the security equivalent of a financial due diligence check. It basically means: “Want to do business with us? Give us confidence you can handle our data securely.”
Imagine this. One year after signing a contract with your new client, you suffer a cyber security breach impacting that client's data and/or their reputation. The client can now shift much of the blame and say “we did our security due diligence; the supplier told us they had their house in order”. Your written answers become part of that record, so they need to be accurate as well as persuasive.
It’s worth covering one last aspect of the process. The prospective client is only interested in their own data and reputation. The questionnaire will not cover areas such as protecting your employee data, looking after your other customers or securing your intellectual property, because those are not in the client's interest. I’m mentioning this because it’s important you don’t use the questionnaire as the only review or benchmark of your security environment. Sure, use it to supplement your own gap assessments, audits/reviews, risk assessments etc., but don’t rely on it alone, because it doesn’t show the bigger picture of your own security risks and processes.
So, now we understand the ‘why’, let’s look at the ‘how’.
How to master the questionnaire
The best way to do this is to think empathically. The person who reads your completed security questionnaire will very possibly send and review tens or hundreds of questionnaires throughout the year. Big companies, especially financial companies, have entire departments of third-party security due diligence managers. They may well be bored of such a repetitive process. So, think “how do I make their life easier?”, and, “how do I impress them by doing something that others probably aren’t?”.
Here are some ideas. I’ve categorised them into three tailored areas. Go straight to the one which fits your situation:
We have no security in place. Please help.
We have reasonable security in place but there is room for improvement
Our security environment is outstanding
Before we get into it, ensure you have a non-disclosure agreement in place before you send the completed questionnaire and any supporting documentation. Policies, penetration test summaries and architecture material describe your weaknesses as much as your strengths, so they should only go out under an NDA. This will keep your legal people happy and demonstrate to the prospective client that healthy legal practices are in place.
1. We have no security in place
This isn’t an unusual scenario. I’ve helped a few clients in this situation and in some ways, it gives them a distinct advantage – they can design the security environment from scratch in the most risk-based, effective and efficient way. It’s slightly harder to manage them through the security questionnaire process, of course, but here’s how I navigate such situations:
Be ‘optimistically honest’. If the questionnaire asks about an area where you have nothing in place, but you plan on implementing it in the coming months, say something along the lines of “we aim to have ‘x’ fully in place by ‘y’”. This is a little sneaky, but it’s a way of communicating that the area is a priority and that there is some kind of road-map in place, without giving anything else away. Only commit to dates you can realistically meet; such statements can end up referenced in the contract and revisited at the next review.
State that you’re on a road-map/improvement program. Further to the above, just by communicating that you’re on a journey, you are giving the prospective client confidence that you take cyber security seriously. Again, think about being in the shoes of the other person: seeing that a supplier is on a journey to improve tells them the supplier knows the importance of good security hygiene. Obviously, don’t say this if you have no program or intention of building one 🙂
If you don’t have a security policy or any documentation, create one whilst filling in the questionnaire. Similar to the previous point, having a security policy shows you’ve got some governance in place and have considered which security processes your company needs to follow. If you don’t have one yet, use this opportunity to get a basic one in place and include it as supporting documentation along with the completed questionnaire.
Refer to the security policy. Once you have a security policy, refer to it where relevant when answering each question, but also answer the question inline whenever possible. This makes life easy for the person on the other side, and they will appreciate it.
Offer to speak with the person responsible for reviewing the questionnaire. Again, this delivers confidence that you care about security and gives an opportunity to build some rapport with another representative of your prospective client. If you want expert security representation on the call, get in touch with a consultant (like me) and ask them to help you along.
Offer a progress catch-up call six months from now. This is a great tactic, especially if you don’t have much security in place. It shows your commitment to security improvements and says “I won’t forget about security after this questionnaire”.
2. We have reasonable security in place but there is room for improvement
This is where a lot of clients are. They have implemented some basic controls and processes, but haven't performed a cyber risk assessment or built a security roadmap based on the gaps it reveals.
Take the advice from section 1 (We have no security in place) and add the following:
Provide any evidence you have to back up your answers. If you are certified to Cyber Essentials, ISO 27001 or any other relevant standard, proactively send the certificate along with the completed questionnaire. Also provide copies of your related security documentation, such as policies and procedures.
Send an executive summary of your latest penetration test. This is relevant if you’ve performed a pen test against your web application, mobile app or similar in the last year, and it shows that you have dealt with any high or critical findings. Send the summary rather than the full report, and include the remediation status (or retest results) for each finding. This proves you are not only implementing good security processes but actively testing them and using the results as an opportunity for improvement.
Share high-level summaries of your security roadmap. If you are comfortable doing so, share a high-level summary of your security goals and plans for the year. Obviously this demonstrates commitment to improvement, but it is also, in itself, an exercise in commitment: if you share plans, you can be held to account for progress against them, which could be good or bad depending on how you act on those plans.
Send a structural diagram of the security setup. If there are security folk employed at your company, let the prospective client know by sending an organisational chart or similar. If you're working with a consultant, mention this too; again, it proves that cyber security is a focus area for your company.
3. Our security environment is outstanding
Not many companies are in this situation, if any at all.
If you are, however, the only advice here is to share everything. Make a song and dance out of your security controls and share all the things: policies, penetration test/red team reports, previous audits, certifications, security structure and so on. You could even give the prospective client the green light to carry out their own security audit or penetration test, under an agreed scope and rules of engagement.
I hope this article proves helpful in your bid to complete the security questionnaire and win over your potential client when it comes to cyber security.
Don’t forget that although the process is ultimately there to cover backsides, it is an opportunity to impress the prospective client and an even better opportunity to benchmark your security environment against the expectations of a client. Just don't take it as your only source of benchmarking.
If you need an experienced consultant to help you along the way by providing some clarity or answering the questionnaire on your behalf, get in touch.