Sometimes you’re in a relationship. It’s casual. You’re getting to know each other. When out of the blue, they want to have the DTR (Define The Relationship) talk. If you’re ready for it, a DTR talk can be a good thing — it creates openness and establishes compatibility. But that doesn’t make it any less jarring.
Something similar happens in enterprise relationships. One minute you’re metaphorically sharing casual cocktails, and the next minute they slap a 700-question-long Security Questionnaire on the table before they’ll close a deal with you. And just like that, if you’re not ready for it, the whole deal is in jeopardy.
Security Questionnaires are hard to prepare for because they can come in so many forms. When your organization isn’t anticipating a questionnaire, you likely will struggle to complete it in time, give the most accurate answers, or even have answers at all. This is how deals are lost and revenue becomes increasingly unpredictable. It’s important to have a general awareness, at a minimum, of what documents you may encounter while trying to close an enterprise deal so you’re not caught off guard in this way.
The Standardized Information Gathering (SIG) questionnaire is the most common questionnaire a vendor trying to seal an enterprise deal will receive. It’s one of the most recognized third-party risk questionnaires, developed by Shared Assessments, a collaborative group with over 350 members who work to standardize third-party risk management. There are two versions of the SIG questionnaire that address different levels of security: SIG Lite and SIG Core.
The SIG Lite questionnaire’s name is indicative of its content. This questionnaire is typically used as a precursor to the SIG Core or for third-party vendors that won’t have access to sensitive data. Your prospect will introduce it just as you're first meeting — before you ever make a deal — as a way to gauge whether the relationship is worth pursuing.
SIG Lite only asks questions about general information security (infosec) compliance and structure within a potential vendor but doesn’t dig into details. This questionnaire is a (mere) 150 or so questions about the organization’s basic frameworks and controls.
For some partnerships, that initial handshake is just the beginning. If an organization plans on a long-term engagement with a vendor where intimate information is exchanged, they’ll want to get to know them more first.
The SIG Core is like that second handshake that either seals a deal or makes it clear the organization is parting ways permanently.
If you thought 150 SIG Lite questions seemed excessive, buckle up for SIG Core. The SIG Core questionnaire is much more extensive than the SIG Lite, delving into areas of your business you may not even have defined yet. It consists of roughly 675 questions and covers 18 areas of risk control, including the following:
The Vendor Security Alliance (VSA) questionnaire was developed by another group of collaborative organizations seeking to standardize internet security, much like the SIG questionnaire. Their founding organizations make for an impressive roster: Adobe, Coinbase, and Dropbox, to name a few. The VSA is updated annually to stay current with new technologies and threats. If you’re beginning to build a relationship with one of the founding organizations, you can bet this is the questionnaire you will receive.
There are three major differentiating factors of the VSA compared to SIG. The first is that it’s a non-profit organization, so the questionnaires are free to download and use by both sending organizations and receiving vendors. The SIG, on the other hand, is a members-only paid service. It’s worth noting that VSA does offer an optional paid membership, which gives member organizations access to a network of auditors and a portal for vendors to complete questionnaires. Secondly, the VSA addresses global (rather than just national) security compliance, including regulations in the EU. Thirdly, VSA assessments are product-based versus vendor-based, which means they approach security from the perspective of how the individual product or service was developed rather than the organization as a whole.
Similar to the SIG, VSA offers two versions of the questionnaire — a comprehensive version and a more abbreviated version — the VSA-Full and VSA-Core, respectively (Hey, no one ever said cybersecurity professionals were creative with naming things).
The VSA-Full is the comprehensive, in-depth security assessment offered by VSA and focuses on eight areas of security and compliance:
The VSA-Full is most often employed by companies that are primarily concerned with security over compliance.
The VSA-Core only covers the most critical security controls from the eight areas listed above and includes an additional section covering privacy compliance that the VSA-Full does not. Companies that are most concerned with compliance will typically employ this assessment rather than the VSA-Full.
The Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ) used to be two separate security frameworks published by the Cloud Security Alliance (CSA). However, in 2021 the CSA combined the two frameworks into one comprehensive assessment for cloud security. If you’re a cloud service provider, this will likely be one of the first things you see when an enterprise is seriously considering a partnership with you.
The combined assessment includes 197 control objectives and 17 domains, covering governance, risk, and compliance (GRC) across IaaS, PaaS, and SaaS services. The goal is to provide transparency into the security posture of an organization to form the basis for service level agreements.
One unique advantage of this framework is organizations can complete a self-assessment and submit it to the CSA Security, Trust, Assurance, and Risk (STAR) Registry to get certified proactively. It’s like having your dating profile available before you even begin a relationship — it lets other companies get a quick assessment of your security measures and compatibility.
It’s worth noting that the CSA recently developed an abbreviated version of the CCM/CAIQ called the CCM Lite, as well as one tailored to SaaS companies called the CCM SaaS (Again, with the creativity). These questionnaires were just published in Q1 of 2022, so time will tell if they become established security questionnaires.
A Request For Information (RFI) is typically the first step in defining a potential relationship between two organizations. An RFI is like the initial meet-and-greet and a speed dating event. The prospect is feeling out their options and seeing if the vendor is compatible on a fundamental level.
The RFI helps organizations easily compare vendors by asking a series of questions about the services, methodology, and price point a vendor offers that could meet the prospect’s needs. This prevents both parties from wasting time exploring a partnership that’s fundamentally incompatible.
If the response to an RFI is satisfactory, the organization will then send a more specific Request For Proposal (RFP) that digs a little deeper into how the vendor would specifically address the needs and wants of the requesting organization. It asks the vendor to describe things like project timeline, budget, and scope, as well as more general things like company structure, values, and sustainability.
As with any DTR talk, teams often don’t realize how far apart they are from reaching an agreement until the expectations are in writing. For example, an organization may expect the vendor to accommodate unplanned requests, or to sign some form of non-compete agreement that infringes on prior contracts.
Some prospects may be willing to negotiate on certain points of the RFP. As a vendor, it’s important to only compromise to the extent that you can realistically accommodate or feel comfortable with. Starting a relationship feeling at odds is never good; protect your interests and be clear from the beginning about what you’re comfortable with.
An RFQ is much more technical than an RFI but is similar in that it asks questions that seek to understand if the vendor can meet the requirements of the relationship. Instead of asking questions like “how do you approach this aspect of the requested service,” it might ask what your competency is in approaching the project within a specific framework.
If an RFI is to understand a vendor’s existing approach to the service, a Request For Quotation (RFQ) is to understand if the vendor can complete the service request in the way the sending organization wants it done. Essentially, the former is more of a collaborative request, and the latter is more of a unilateral request for a bid.
Due Diligence Questionnaires are most often used in the investment world by hedge fund managers. Fund managers use DDQs to assess organizations they are interested in investing in and service providers they may use in managing the fund.
While most security questionnaires focus on cybersecurity, DDQs are more comprehensive. DDQs cover cybersecurity risk as well as general risk and compliance, business strategy, structure, environmental governance, and more.
Essentially, if there are any business aspects that could impact the sustainability or efficacy of an investment partnership, that’s what a DDQ attempts to uncover.
You’re probably wondering at this point what could possibly NOT be covered in one of these documents, and how many documents you need to prepare to get a deal signed. Well, there’s no simple number, since many organizations will create their own version of a questionnaire, completely custom to their needs. And if you thought maybe you could just skip over these high-maintenance prospects, you’ll likely be skipping out on deals with some of the largest, most coveted logos. At the end of the day, you can do your best to plan ahead, but you won’t be able to anticipate every kind of document or questionnaire type.
This list isn’t meant to make you feel overwhelmed and then dump you with no hope. Have no fear, the yeti is here! SecurityPal delivery service specialists are here to take the stress out of trying to anticipate every document that could upset your deal. All you have to do is email that document to SecurityPal. Our specialists will complete it for you, and it will be back in your inbox within 24 hours.
No longer will deals be delayed over a single document. No longer will you have to postpone yet another internal initiative to work on someone else’s priorities. With SecurityPal, it doesn’t matter what document gets sent your way; it’s handled. It’s not automation, it’s real people just getting sh*t done. We’ve answered over 80% of Fortune 500 questionnaires (so, like, a lot). There’s not much we haven’t seen and certainly no questionnaire we can’t handle. Get in touch to learn what SecurityPal can do for you.