December 15, 2023 6:45 pm

David Wadler

Introduction

The dreaded security questionnaire. We have yet to meet anyone who got excited at the idea of issuing/evaluating them or at responding to them. But they are necessary and increasingly common in a world where IT, particularly SaaS applications, is so widely adopted. We've looked at some of the guides online and most seem to focus on the security questionnaire as a theoretical model. As a consequence, we thought that there was space to write a practical guide to security questionnaires.

And here's something else we're doing: we look at security questionnaires from the perspective of both the buyer and the vendor. Depending on where you find yourself, you might want to read just half the guide. But we (in our biased opinion) think that reading the whole guide is a worthwhile endeavor. Better understanding the counterparty in this document exchange can only improve the process. And given the critical nature of IT security, that is certainly a good thing.

The Buyer Perspective

Understanding Security Questionnaires

If your organization buys IT – and really, in this century, what organization doesn’t? – then you should consider incorporating security questionnaires into your purchase process. Security questionnaires are comprehensive documents that are used to assess the information security policies, practices, and controls implemented by third-party vendors who handle sensitive data. They play a critical role in cybersecurity due diligence and vendor risk management. And unless the vendor posts these policies and postures publicly somewhere, you might be flying blind when it comes to understanding the risk of an engagement.

Why Are Security Questionnaires Used in IT Vendor Assessments?

Buyers use security questionnaires to properly evaluate a vendor's security posture and cyber risk prior to doing business with them. (Ideally, they revisit this periodically during the engagement, but we’ll get to that later.) This “cyber due diligence” is crucial in determining whether vendors meet baseline security standards for handling sensitive data. Sometimes that is addressed at a high level in an RFP.

Organizations use security questionnaires to:

  • Gain visibility into a vendor’s security posture: Questionnaires provide detailed insights into the vendor's security practices and controls that protect sensitive data like intellectual property, customer information, financial data etc.
  • Evaluate vendor cyber risk: Responses are evaluated relative to the organization's security standards to identify gaps, weaknesses, vulnerabilities and understand the overall risk profile of partnering with the vendor.
  • Aid decision-making on vendor selection and contracting: The findings help organizations determine if the vendor meets minimum security requirements and influences the decision to hire them or do business with them.
  • Maintain compliance: Regulations and standards like HIPAA and PCI DSS require due diligence on vendors that handle regulated data (business associate agreements under HIPAA, third-party service provider requirements under PCI DSS). Security questionnaires help satisfy those mandates.

Benefits of Using Security Questionnaires

Clearly the number one benefit is to improve your understanding of the risks involved in engaging with the vendor. But that’s not really what we’re looking at here. We want to understand the benefit of using a security questionnaire as the primary component in the cyber risk assessment, which means we must consider what the alternatives are – ad-hoc methods and audits come to mind – and how a questionnaire stacks up.

Here is where security questionnaires shine:

  • Cost-effectiveness: Questionnaires are comparatively more affordable than manual assessments or audits.
  • Efficiency: They enable assessing multiple vendors in a consistent and structured way through automated distribution.
  • Foundation for risk analysis: Responses provide the baseline data needed to analyze risks associated with the vendor.
  • Aid benchmarking and comparisons: Standardized data allows comparisons across vendors and simplifies decision making.

Common Challenges and Pitfalls

While security questionnaires are often considered the most efficient way to assess cyber risk, they are not without their limitations. Here are some potential pitfalls to consider when relying solely on questionnaires:

  • Incomplete or inaccurate responses
  • Over-dependence on self-reported data
  • Not clarifying ambiguous responses
  • Failing to validate responses through follow-up
  • Not continuously updating security questionnaires

Security questionnaires are a tool, and the efficacy of that tool will depend in large part on the person, or organization, wielding it. Using security questionnaires as one component of a comprehensive vendor risk assessment, in conjunction with further verification, helps mitigate these challenges. Before we move on to the next section, I want to draw your attention to the last bullet point in the list above.

It is folly to assume that an evaluation at a point in time is set in stone forever. Technology companies make changes all the time. Increasingly, they use an “agile” methodology, which involves constant small changes. Over time, lots of small changes add up to a big change. This can certainly impact the potential risk involved with engaging IT vendors. How can this be addressed? By making sure that security questionnaires are issued on some cadence, after the engagement has started. There might be different cadences for different types of vendors, but revisiting potential risks is absolutely the best practice.

Different Types of Security Questionnaires

Most security questionnaires issued by companies are custom, each consisting of its own questions. In an informal survey of issuers, we learned that most companies were focused on the risks that they felt were most pertinent to them. Indeed, there is no single, universally accepted security questionnaire. This is largely because there are specific needs tied to industry depending on their unique security risks and regulations, requiring tailored questionnaires to address specific challenges.

Furthermore, the cybersecurity landscape constantly evolves, demanding regular updates and adaptations in questionnaire formats and content. Therefore, relying solely on a single standard might not provide a nuanced and accurate picture of a vendor's security posture. Instead, organizations generally leverage a combination of established standards, industry best practices, and their own specific requirements to create effective security questionnaires for vendor assessments.

Some organizations, however, elect not to write a bespoke questionnaire, but rather to leverage a 3rd-party “standard” questionnaire. Here are some of the most common ones:

  • Vendor Security Alliance Questionnaire (VSAQ): Widely used in the tech industry, VSAQ covers data protection, security policies, and security measures. Its standardized format simplifies comparison between vendors.
  • Center for Internet Security (CIS) Critical Security Controls: Not a questionnaire as such, but a prioritized set of safeguards that many buyers turn into questions; it provides a structured framework for assessing security posture, and a vendor's self-assessment against it is easy to compare across vendors.
  • Standardized Information Gathering (SIG) Questionnaire: Maintained by Shared Assessments, an organization founded by financial institutions, SIG is now used across industries but still emphasizes controls relevant to financial data security and regulatory compliance.
  • Consensus Assessments Initiative Questionnaire (CAIQ): Published by the Cloud Security Alliance and mapped to its Cloud Controls Matrix (CCM), CAIQ is aimed at cloud service providers and offers a comprehensive assessment covering a broad set of security domains.
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): NIST CSF is a flexible framework organized into functions and categories rather than a fixed questionnaire; buyers map its outcomes to questions tailored to their specific needs.

Competing Standards for Security Questionnaires (source: https://xkcd.com/927)

Developing Effective Security Questionnaires

Creating an effective security questionnaire that provides comprehensive visibility into a vendor’s policies and posture requires thoughtful planning and a structured approach. And you’ll want to do this without creating too much of a burden on you or the vendor. Let’s review some key guidelines for developing efficient and actionable security questionnaires.

Defining Your Security Requirements and Risk Tolerance

The first critical step is outlining the scope of security controls you expect vendors to have implemented based on your risk impact thresholds. You'll want to:

  • Identify types of sensitive assets and data that vendors will handle to understand associated risks
  • Map out applicable legal, regulatory and contractual requirements regarding data security (HIPAA, GDPR etc.)
  • Catalog your organization's current security architecture maturity level and strengths/gaps
  • Detail minimum security capabilities vendors must satisfy aligned to program maturity

This clarifies the baseline standards vendors should meet before further evaluation of their security frameworks.

Aligning Questions with Relevant Regulations and Frameworks

Rather than drafting questions in a vacuum, leverage existing information security regulations and industry frameworks that provide a ready template of relevant controls to assess. For instance, if vendors handle payment data, incorporate applicable PCI DSS requirements into your questions. If healthcare data is involved, the HIPAA Security Rule's administrative, physical and technical safeguards give you a ready-made set of control areas to ask about (bearing in mind that a questionnaire answer is evidence toward compliance, not proof of it).

Other frameworks like SOC 2, ISO 27001, and NIST offer comprehensive catalogs of IT security domains to selectively pull organizationally-relevant questions from based on your risk analysis. This presents an opportunity to benchmark vendors against established security models.

Structuring the Questionnaire for Clarity and Efficiency

With standards-aligned questions compiled, you can now effectively structure related questions into easy-to-follow topic sections and indicate the precise response format expected, such as Yes/No, written paragraphs or supporting policy attachments. Yes/No and multiple-choice questions are particularly valuable in that they allow for objective scoring and benchmarking. Organize the security questionnaire into logical domains like Data Security, Identity & Access Management, Communications Security, etc. to provide coherence for both respondents and your internal teams evaluating the responses.

Be selective about strictly necessary questions to avoid overburdening vendors – keep it focused on core risks and compliance coverage. Extremely long security questionnaires lead to survey fatigue or boilerplate responses. Avoid extraneous “nice to know” questions.

Balancing Depth and Conciseness

Finding the optimal balance between high-level questions and specific technical queries involves prioritizing issue probability and impact. The highest risks with most adverse consequences warrant greater interrogation.

For example, thoroughly assess vendors’ data encryption mechanisms as loss of sensitive assets can carry outsized potential impact. More niche threats like business continuity plans for extreme scenarios may only need a brief treatment.

Utilizing Scoring Mechanisms and Weighted Questions

Implement weighted scoring pinned to your pre-defined security standards so vendor responses can be systematically rated on maturity levels and quickly compared.

Assign weights to questions based on their risk criticality. For instance, multifactor authentication may warrant higher weights than generalized security awareness training. Tabulating weighted scores then allows you to analytically gauge overall vendor security postures against benchmarks and influence engagement decisions accordingly.

You might also consider indicating certain questions as potential deal-breakers. For example, if your company can only work with HIPAA-compliant vendors and the vendor in question is not HIPAA compliant, then it really doesn’t matter if this vendor runs the tightest ship in the world – you simply can’t do business together. To be clear, these should not be “gotcha questions.” Rather, they should be clearly identified as potential deal-breakers and be listed towards the front of all security questionnaires, so the vendors don’t invest time completing a document for an unwinnable deal.

Evaluating Vendor Security Questionnaire Responses

Evaluating vendor security questionnaires is not simply a check-the-box exercise. It's a critical step in safeguarding your organization and/or its data from potential cyber threats, demanding a meticulous and insightful approach. Let's delve deeper into each crucial aspect of this process:

Assessing Completeness and Accuracy

Imagine a vendor's response as a meticulously crafted map, guiding you through their security landscape. Incomplete sections are like missing roads, obscuring your path and raising red flags. Inconsistent information, like a river suddenly changing course, can muddy the waters and cast doubt on the entire map's reliability. Therefore, ensure the vendor has filled the security questionnaire comprehensively and consistently, leaving no room for ambiguity.

It's important to remember that, as described earlier, IT companies often practice agile methodologies, which could change the results of a questionnaire. Inconsistencies often result not from bad actors, but rather from challenges in keeping data up to date. As security questionnaires are often lengthy and completed by multiple people, things can accidentally slip through the cracks. That doesn’t mean you should simply walk away from the deal, but you should see if you can get the vendor to reconcile inconsistencies or omissions.

Identifying Red Flags and Inconsistencies

A sharp eye for material discrepancies is your superpower in this analysis. While it’s true that they might simply be clerical errors, that’s not always the case. Certain contradictions in a vendor's response are like flashing neon signs, screaming, "Something's not right!" For instance, making representations about advanced encryption while allowing unencrypted file transfers is a glaring inconsistency that should trigger alarm bells. Be wary of platitudes and generic statements that lack concrete evidence.
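To make the weighted scoring and deal-breaker gating described under “Utilizing Scoring Mechanisms and Weighted Questions” concrete, and to show how a contradiction like the encryption-versus-plaintext-FTP one above can be caught mechanically rather than by eye, here is a small Python scorer. It is an added example for this guide, not Vendorful's product code; the question IDs, weights, contradiction rule, pass threshold and the three sample vendor answer sets are all constructed for the illustration. Each vendor gets a verdict of pass, fail or follow_up: a wrong answer to a deal-breaker fails the vendor outright whatever the score, a contradiction or an unanswered question routes the response to follow-up instead of letting a good score paper over it, and only a clean, complete response is judged against the threshold. It also reports per-domain scores, which is what makes vendor-to-vendor benchmarking possible.

```python
"""Weighted questionnaire scoring with deal-breaker gating and contradiction checks.

Added example for this guide; not Vendorful's product code. The question set,
weights, contradiction rule, threshold and sample vendor answers below are all
constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int                 # risk criticality; 0 for gating-only questions
    domain: str
    expected: str = "yes"       # normalised answer that earns the weight
    deal_breaker: bool = False  # a wrong answer here fails the vendor outright


@dataclass
class Evaluation:
    verdict: str                # "pass", "fail" or "follow_up"
    score_pct: float            # weighted score over all scored questions
    domain_scores: dict         # domain -> percentage, for cross-vendor comparison
    failed_deal_breakers: list
    contradictions: list
    unanswered: list


# Constructed questionnaire: deal-breakers first, then weighted by criticality.
QUESTIONS = [
    Question("hipaa_baa", "Will you sign a HIPAA business associate agreement?", 0, "compliance", deal_breaker=True),
    Question("mfa_admin", "Is MFA enforced for all administrative access?", 10, "iam"),
    Question("enc_rest", "Is customer data encrypted at rest?", 8, "data"),
    Question("enc_transit", "Is customer data encrypted in transit?", 8, "data"),
    Question("plain_ftp", "Do you accept customer file transfers over unencrypted FTP?", 6, "data", expected="no"),
    Question("sec_training", "Do you run annual security awareness training?", 3, "governance"),
]

# Each rule names a contradiction and a predicate over the normalised answers.
CONTRADICTION_RULES = [
    ("claims encryption in transit but accepts plaintext FTP",
     lambda a: a.get("enc_transit") == "yes" and a.get("plain_ftp") == "yes"),
]


def normalise(raw):
    """Lower-case and trim free-text answers so 'Yes ' and 'yes' compare equal."""
    return {k: v.strip().lower() if isinstance(v, str) else v for k, v in raw.items()}


def evaluate(questions, raw_answers, threshold_pct=80.0):
    answers = normalise(raw_answers)
    unanswered = [q.qid for q in questions if answers.get(q.qid) in ("", None)]
    answered = {q.qid for q in questions} - set(unanswered)
    failed_db = [q.qid for q in questions
                 if q.deal_breaker and q.qid in answered and answers[q.qid] != q.expected]
    contradictions = [name for name, pred in CONTRADICTION_RULES if pred(answers)]

    def pct(qs):
        total = sum(q.weight for q in qs)
        earned = sum(q.weight for q in qs if answers.get(q.qid) == q.expected)
        return round(100.0 * earned / total, 1) if total else None

    score = pct(questions) or 0.0
    domains = {d: pct([q for q in questions if q.domain == d])
               for d in sorted({q.domain for q in questions})}
    domain_scores = {d: s for d, s in domains.items() if s is not None}  # drop gating-only domains

    if failed_db:
        verdict = "fail"            # no score rescues a missed deal-breaker
    elif contradictions or unanswered:
        verdict = "follow_up"       # reconcile with the vendor before the score counts
    elif score >= threshold_pct:
        verdict = "pass"
    else:
        verdict = "fail"
    return Evaluation(verdict, score, domain_scores, failed_db, contradictions, unanswered)


# Constructed sample responses.
VENDOR_A = {"hipaa_baa": "Yes", "mfa_admin": "Yes", "enc_rest": "Yes",
            "enc_transit": "Yes", "plain_ftp": "No", "sec_training": "No"}
VENDOR_B = dict(VENDOR_A, hipaa_baa="No")                        # strong controls, deal-breaker miss
VENDOR_C = dict(VENDOR_A, plain_ftp="Yes", sec_training="Yes")   # contradicts its own encryption claim

if __name__ == "__main__":
    for name, resp in (("A", VENDOR_A), ("B", VENDOR_B), ("C", VENDOR_C)):
        print(name, evaluate(QUESTIONS, resp))
```

Vendor A scores 91.4% and passes; vendor B scores exactly the same but fails on the HIPAA deal-breaker, which is the point of gating before scoring; vendor C scores 82.9%, above the threshold, yet lands in follow-up because its “yes” to plaintext FTP contradicts its encryption-in-transit claim. Putting the deal-breakers first in QUESTIONS mirrors the advice above about listing them at the front of the questionnaire.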

Uncovering Potential Risks and Mitigation Strategies

Evaluating a security questionnaire response can be an exercise in creative thinking. Your job is to identify its vulnerabilities, the weaknesses that cyber attackers could exploit. Look for areas where their controls are weak or outdated and think about how you could – if you were a malicious hacker which you are not! – compromise their security. Don't just identify the risks; propose potential mitigation strategies to strengthen the defenses. After all, the game plan is to move forward with the vendor if possible.

Conducting Follow-up Inquiries and Clarifications

If the response is okay, but not actually good, don’t wave away your concerns. It is your right…. Actually, it is your responsibility to follow up on any unclear or ambiguous responses, seeking detailed explanations and concrete evidence. Remember, the more information you have, the better you can assess the vendor's true security posture. And don’t feel bad about doing this. It’s quite likely that the vendor will have many more security questionnaires to complete after yours. Your feedback can help them be better prepared for their future customers.

By following these steps and approaching vendor security questionnaires with seriousness and meticulousness, you can make informed decisions and choose partners who share your commitment to robust cybersecurity. Remember, it's not just about ticking boxes; it's about building trust and safeguarding your organization's valuable assets.

Beyond Questionnaires: Building a Secure Vendor Ecosystem

While security questionnaires provide valuable insights, they're just the first step in building a robust and resilient vendor ecosystem. True security requires a multifaceted approach, one that goes beyond one-off assessments and fosters continuous collaboration and improvement. Here are three key pillars to build upon:

1. Implementing Ongoing Vendor Monitoring and Risk Management

Think of your vendor ecosystem as a thriving garden. Just like plants need constant nurturing and pest control, your vendors require ongoing monitoring and risk management. (And remember, these cyber pests can be really nasty.) This involves:

  • Regularly assessing vendor security controls: Don't let initial security questionnaires gather dust. Schedule periodic evaluations to ensure their security posture remains strong.
  • Utilizing automated tools: Leverage technology to automate tasks like vulnerability scanning, configuration management, and suspicious activity detection. This frees up your team to focus on deeper analysis and strategic decision-making.
  • Proactively identifying and mitigating risks: Don't wait for a breach to act. Implement proactive risk management strategies, such as penetration testing and incident response simulations, to identify and address vulnerabilities before they're exploited.
Cultivate vendor security as you would a garden.

2. Fostering Open Communication and Collaboration with Vendors

Security is not a solo act. It requires open communication and collaboration between you and your vendors. This means:

  • Establishing clear expectations and responsibilities: Define security roles and responsibilities in contracts and service level agreements. This ensures everyone is on the same page regarding data protection, incident reporting, and response protocols.
  • Sharing threat intelligence: Don't keep security insights under wraps. Communicate emerging threats and attack vectors to your vendors so they can proactively update their defenses.
  • Holding regular security meetings: Schedule dedicated discussions to share best practices, address concerns, and foster a collaborative security culture within your ecosystem.

3. Building Trust and Long-Term Partnerships Based on Shared Security Goals

Remember, your vendors are not just service providers; they're partners in your security journey. Building trust and long-term relationships based on shared security goals is key:

  • Invest in vendor training and development: Equip your vendors with the knowledge and resources they need to maintain robust security practices. This demonstrates your commitment to shared success.
  • Recognize and reward security excellence: Acknowledge and reward vendors who consistently demonstrate strong security practices. This incentivizes continuous improvement and fosters a culture of security within the ecosystem.
  • Treat security breaches as opportunities to learn and adapt: Don't point fingers in the wake of an incident. Instead, collaborate with your vendors to analyze the root cause and implement improvements to prevent future breaches.

By implementing these pillars, you can move beyond the limitations of security questionnaires and cultivate a secure vendor ecosystem where trust, collaboration, and shared security goals flourish. Remember, a secure ecosystem is not built overnight; it's a continuous journey of shared learning, improvement, and proactive risk management. By investing in this journey, you can build a foundation of trust and resilience that protects your organization and your vendors from the ever-evolving landscape of cyber threats.

The Vendor Perspective

Preparing for Security Questionnaires

Security questionnaires allow potential customers to thoroughly evaluate a vendor’s data protection standards before engaging in a business relationship. Proper preparation is key for vendors to accurately demonstrate their security and compliance posture. You are warned – in the interest of providing information that is both practical and actionable, we’ve included a number of bulleted lists. Here are the best practices:

Conducting Internal Security Assessments

Before addressing external security questionnaires, vendors should critically inspect their own policies and frameworks to surface any gaps compared to industry best practices. Useful steps include:

  • Assemble a project team spanning leadership, IT, security, compliance, and legal
  • Catalog current security policies, procedures, and controls in place
  • Identify potential deficiencies or enhancements across all control domains:
      • Data governance
      • Infrastructure safeguards
      • Identity and access management
      • Communications security
      • Ongoing assessments and monitoring
      • Incident response
      • Business continuity
  • Define roadmap to address concerns through strengthened controls
  • Standardize documentation maintenance for all protocols

If you’re involved in a startup company, we strongly recommend that you adopt a “security first” posture. It is much easier than retroactively applying controls. And while rigid adherence to them might be overkill for your young company, established frameworks like NIST CSF or ISO 27001 can provide helpful guideposts in structuring your processes.

Implementing Robust Security Policies and Procedures

Address any uncovered gaps by instilling comprehensive policies, procedures and protections that become the bedrock of security questionnaire responses on security measures.

  • Outline formal protocols for security operations and responsibilities
  • Institute controls limiting data access, securing systems, logging events
  • Require security and privacy awareness training for personnel
  • Implement mechanisms like firewalls, intrusion prevention/detection
  • Execute data protection via encryption, tokenization etc.
  • Formalize incident response and contingency protocols

Maintaining Accurate and Up-to-Date Documentation

Centralize security documentation by control area for reference and auditing:

  • Governance/Policies: Data classifications, retention policies, standards, risk registers
  • Infrastructure Documentation: Network diagrams, configuration standards
  • Access Control: Identity management, authentication methods
  • Awareness & Training: Security education materials
  • Controls Documentation: Encryption mechanisms, firewall configs, security tools
  • Agreements with sub-processors

If you can, embed practices to continually update documentation whenever modifications occur.

Designated Security Liaison

Appoint a qualified security professional as the customer point of contact for all information requests and ensure consistent, technically sound responses. It is often a good idea to have a secondary liaison so the primary person can take vacations and lead a normal life! Beyond that, it’s helpful to make sure that all this information doesn’t reside in the brain of just one person. Document where possible and make sure that there is a flow of information from your designated liaison to at least one other person.

Responding to Security Questionnaires Effectively

Providing Complete and Accurate Information in a Timely Manner

Strive for comprehensiveness and accuracy in all submitted responses, even when acknowledging control gaps. Incomplete or misleading portraits undermine credibility. Provide full details on mechanisms like data lifecycle management, infrastructure security, access restrictions and ongoing monitoring.

Bear in mind that the review process can be slow and painstaking. It is quite likely that you are not the only vendor being evaluated by the security team. You can help yourself – and the buyer – by meeting all requested turnaround deadlines for security questionnaires barring extenuating circumstances. Be responsive in a timely manner just as with any potential business opportunity. Remember, the faster you get the deal across the finish line, the sooner you will see revenue.

Clarifying Any Ambiguities or Misunderstandings

If any aspects of a security questionnaire seem unclear, or their application to your environment seems ambiguous, directly contact the customer to understand the exact intent behind their line of inquiry before finalizing your responses. Even simple confirmations build rapport. This approach is certainly better than leaving a question unanswered or trying, and failing, to figure out what a question means.

Demonstrating Your Commitment to Security Best Practices

Your security questionnaire responses offer a window into your security priorities and standards. Be forthright about existing protocols per industry frameworks, but also highlight additional safeguards you offer above and beyond baseline requirements that differentiate your business. For example, detail innovations like AI-powered monitoring systems, automated policy enforcement checks, or automated surprise penetration tests. Sometimes you might not quite meet an expectation placed on you by the buyer’s security team. In those situations, the fact that you’ve gone above and beyond elsewhere reinforces the idea that you take security seriously and creates trust that you will address the identified shortcoming.

Leveraging Cross-Functional Expertise

Given the comprehensive nature of most security questionnaires spanning technical, compliance, governance and other domains – tap subject matter experts across departments to provide authoritative responses. The bullets below speak to the approach a larger company might take, but even smaller companies have employees who have subject matter expertise in specific areas.

Assemble a working group with representation from:

  • IT and security engineers to accurately document technical controls
  • Legal and compliance teams to confirm regulatory alignments
  • Data and privacy leads to detail policies
  • Risk management to weigh in on tolerance thresholds
  • Business continuity planning for resilience capabilities
  • Relevant operations leads on day-to-day practices

With expertise covering the spectrum, responses will reflect the full suite of organizational security and compliance capabilities.

Maintaining a Database of Security Questionnaire Responses

Track and catalog all previously completed security questionnaires and your submitted responses in a central database or repository. While the majority of enterprises issue custom security questionnaires, there is almost always substantial overlap between them. Generally, if you have seen one or two handfuls of questionnaires, you can generate almost any security questionnaire you will see in the future by drawing from the pool of collected questions. You can use this to your advantage.

Keeping historical responses on file allows responding teams to easily:

  • Reference accurate past answers for context
  • Check for inconsistencies or outdated information
  • Identify duplicate questions across customers
  • Monitor questionnaire complexity and volume over time

Over time, your response archive becomes a readily searchable body of evidence reinforcing security claims as well as an invaluable accelerator in completing future security questionnaires. If you’re using a spreadsheet or database, you’ll want to integrate into your documentation maintenance practices for continuous updates. (You might also consider using a product like Vendorful’s AI Assistant for Security Questionnaires, which can automate most of this process.)

Navigating Different Questionnaire Formats

Customers utilize a variety of questionnaire structures and formats ranging from proprietary forms to standardized templates. Effectively adapting across models while retaining response rigor remains key.

Adapting Responses to Various Types

Recognize security questionnaires may differ extensively in scope, topics and level of technical detail sought. Expect formats like:

  • Shortlisting questionnaires with pass/fail qualification questions
  • Broad risk-based questionnaires scoped to regulatory controls
  • In-depth technical questionnaires delving into system configurations

Modify response types, depth and evidence furnished to accurately match the security questionnaire intent. Provide more generalized responses for risk-based formats while giving highly specific system and protocol details for technical control assessments.

Utilizing Standardization and Templates

In addition to a question database, it can be helpful to maintain a library of templated responses covering industry standards like ISO 27001, NIST CSF or CSA CCM and tailor them as applicable per security questionnaire. You don’t need to proactively complete the standard questionnaires just to have a reference, but if a customer sends you one, keep the completed copy somewhere safe and you’ll be able to take on the next one with a running start. Standardized structures with pre-validated responses accelerate completion while allowing customization to the customer context like industry, geographic location and use cases.

Avoiding Relying on Boilerplate Responses

Resist recycling generic verbatim responses across all security questionnaires, even when questions seem familiar. Subtleties matter – consider slight rephrasing or restructuring to maintain relevance. Case in point, “Do you do XYZ?” is a very different question than “How do you do XYZ?” Relying on keyword matching without a semantic understanding of the question is a recipe for disaster.

When you really read the questions, you can provide examples and specifics illustrating control implementations in your infrastructure and environments rather than detached theoretical capabilities. When questions are open-ended or specialized to a niche industry, craft individualized responses addressing the customer’s unique requirements, challenges and priorities. Demonstrate you understand their specific business demands, data assets, regulations and risks.

Don’t worry, you can leverage “canned responses” for a good number of questions in most cases. But always make sure that you double check as customers seek credible assurances when evaluating a vendor’s security posture.
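Here is a small Python sketch, added for this guide and not Vendorful's product code, of the response archive described under “Maintaining a Database of Security Questionnaire Responses” with the guard rails this section asks for. The archived entries, customers, owners and dates are constructed. Matching is plain token overlap, so the example deliberately shows both what that catches (a reusable answer, flagged when the archived question was a Yes/No “Do you…” but the new one is a “How do you…”, or when the answer is older than the re-verification window) and what it misses (a paraphrase using different words scores below the threshold and returns nothing), which is the warning above about keyword matching without semantic understanding, in runnable form.

```python
"""Past-response archive with intent-aware matching and staleness flags.

Added example for this guide; not Vendorful's product code. The archive
entries, customers, owners and dates are constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import date

# Function words that carry no control-specific meaning for matching purposes.
STOPWORDS = {"a", "an", "and", "any", "are", "at", "do", "does", "for", "in",
             "is", "of", "on", "or", "please", "the", "to", "with", "you", "your"}

TODAY = date(2023, 12, 15)   # constructed "now" so the example is deterministic


@dataclass(frozen=True)
class Entry:
    question: str
    answer: str
    customer: str
    answered_on: date
    owner: str               # who can re-verify the answer when it goes stale


def tokens(text):
    """Lower-cased content words of a question, punctuation stripped."""
    words = "".join(c.lower() if c.isalnum() else " " for c in text).split()
    return {w for w in words if w not in STOPWORDS}


def intent(text):
    """'describe' for how/what/describe phrasing, 'confirm' for Yes/No phrasing."""
    words = text.strip().lower().split()
    first = words[0] if words else ""
    return "describe" if first in {"how", "what", "which", "where", "when", "describe", "explain"} else "confirm"


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def find_matches(archive, new_question, today, min_similarity=0.5, max_age_days=365):
    """Rank archived answers worth reusing; each comes with the caveats a reviewer must clear."""
    q_tokens, q_intent = tokens(new_question), intent(new_question)
    hits = []
    for e in archive:
        sim = jaccard(q_tokens, tokens(e.question))
        if sim < min_similarity:
            continue
        caveats = []
        if intent(e.question) != q_intent:
            caveats.append(f"intent mismatch: new question asks to {q_intent}, archived one to {intent(e.question)}")
        age = (today - e.answered_on).days
        if age > max_age_days:
            caveats.append(f"stale: answered {age} days ago, re-verify with {e.owner}")
        hits.append((round(sim, 2), e, caveats))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


# Constructed archive.
ARCHIVE = [
    Entry("Do you encrypt customer data at rest?",
          "Yes. All customer data is stored on AES-256 encrypted volumes.",
          "Acme Corp", date(2023, 3, 1), "platform-team"),
    Entry("How do you encrypt customer data at rest?",
          "Volumes use AES-256-XTS; keys live in the cloud KMS and rotate annually.",
          "Globex", date(2023, 9, 15), "platform-team"),
    Entry("Do you require MFA for all employees?",
          "Yes, MFA is enforced through SSO for every account.",
          "Initech", date(2022, 6, 1), "it-team"),
]

if __name__ == "__main__":
    for q in ("How do you encrypt customer data at rest?",
              "Do you require MFA for all employees and contractors?",
              "Is MFA required for all staff?"):
        print(q)
        for sim, e, caveats in find_matches(ARCHIVE, q, TODAY):
            print(f"  {sim:.2f}  [{e.customer}, {e.answered_on}] {e.answer}  {caveats}")
```

The first query finds the Globex “how” answer as an exact match and the Acme “do you” answer as a near match carrying an intent-mismatch caveat, so nobody pastes a bare “Yes” where a description was asked for. The second query finds the MFA answer but flags it as 562 days old with the owning team to re-verify. The third query, a plain paraphrase, returns nothing at all: the archive is an accelerator, not a substitute for reading the question.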

Leveraging Security Questionnaires as a Competitive Advantage

Security questionnaires are a valuable opportunity for vendors to demonstrate superior cybersecurity versus alternatives and build enduring trust with customers.

Highlight Your Security Maturity and Compliance Achievements

Thoroughly showcase any credentials definitively certifying your security posture through respected industry attestations and compliance audits. For example, you can:

  • Share SOC 2 Type 2 reports, which attest that controls operated effectively over the review period against the trust services criteria in scope (security, availability, processing integrity, confidentiality and privacy)
  • Tout certification to international information security standard ISO 27001 demonstrating comprehensive management processes around assets, access and risks
  • Complete Cloud Security Alliance STAR Level 2 assessment confirming strong cloud controls per industry benchmarks
  • Furnish documentation around PCI DSS compliance audits for secure payment card transaction processing

These validations offer external confirmation to customers of investment in best-in-class security controls and protocols surpassing typical vendor environments.

Differentiating Advanced Security Capabilities

Compare your security questionnaire responses against average vendor offerings to spotlight advanced protections and response capabilities exceeding industry norms that competitors lack.

For example, showcase innovative features like:

  • AI-powered threat detection models that identify anomalies and emerging attack patterns missed by rules-based systems
  • Automated policy enforcement analysis that continuously validates environment configurations match intended security postures
  • Custom portal transparency tools that provide near real-time visibility to customers around security KPIs, control status and activities
  • Leading third party security integrations like firewalls, web application scanners, IDS/IPS leveraging top technologies

Quantify risk reductions over competitor environments where you can: perhaps you detect threats 30% faster, mitigate incidents twice as quickly as average, or prevent 10x more intrusions. Back every such number with evidence (incident metrics, penetration test or audit findings) and make sure it reconciles with the rest of your answers; a careful buyer treats an unsupported superlative, or a claim that contradicts another response, as a red flag rather than a differentiator.

Building trust and confidence with potential buyers

Proactively offer customers reassurance through regular reporting around key security KPIs in summary scorecards – like attempted intrusions, mean time to mitigate, uptime/availability etc.

Invite customers to conduct coordinated planning around contingency protocols and preparedness, showcasing leading practices. Maintain an open door for further inquiries.

Driving Continuous Improvement

By noting existing plan-of-action roadmaps already actively addressing any current control gaps, you can demonstrate your commitment to sustaining security advancement. You can further reinforce maturity by welcoming recurring future customer security questionnaires at set intervals to repeatedly validate your evolving capabilities as new threats emerge.

Partnering with Buyers for Mutual Security

The ideal customer relationships around security are rooted in transparency, collaboration and trust in each other’s data stewardship.

Fostering Open Communication and Collaboration

One thing that is really effective is establishing open lines of communication, encouraging joint security planning and education between customer and vendor teams to exchange insights around policies, controls, risk patterns, use cases and more. This cross-pollination (don’t worry, we’ll spare you a second garden photo) of ideas lays the groundwork for cooperation advancing mutual data protection interests beyond formal security questionnaires. And by getting actionable feedback from a customer, you can improve your security posture for future customers.

Proactively Addressing Buyer Concerns and Questions

It is a good idea to encourage customers to directly voice any security concerns or outstanding questions around your capabilities so they can be tackled in a documented, trackable fashion by your teams. Concerns raised today avoid compounding doubts tomorrow. To this end, it is advisable to log and establish timelines for resolving items.

Providing Ongoing Updates and Transparency

If you have the infrastructure to do so – and we realize that many startups simply will not – you can furnish regular summary reports and scorecards around key security KPIs like attempted intrusions detected, response times, availability metrics and top vulnerabilities without customers needing to formally request them. A step beyond this could entail granting access to portal transparency tools that display real-time control status, configurations, and activities. This is an excellent way to build lasting trust.

In fact, combined reliance on each other’s data safeguards forms the bonds through which customer relationships evolve beyond one-time transactions into mutually beneficial long-term security partnerships. Who knows? You may end up jointly attending security conferences, sharing threat intelligence and conducting informal architecture reviews to continually advance collective data protection capabilities.

About the Author

David Wadler is a co-founder and Chief Revenue Officer at Vendorful. Prior to Vendorful, he was the General Manager for Rich Media & Cloud at Lexmark Enterprise Software, where he was responsible for strategic direction of Lexmark’s initiatives as they related to rich media and cloud products. He came to Lexmark in 2013 with the acquisition of Twistage, where he was a co-founder and CEO. Prior to Twistage, he worked in a variety of industries and roles while trying to figure out what he was supposed to do with himself. David is a holder of a degree in economics from Brown University and is a resident of New York City.
