How to Respond to Security Questionnaires in Under Two Days

Sam Colt
September 13, 2022

Imagine it’s a sunny Tuesday morning in Corporate Business Land. Servers are thrumming happily, systems are operating efficiently, and your teams are just about to dig into those product-development initiatives when all of their inboxes ding simultaneously.

Sales forwarded a Security Questionnaire, and, just like that, all plans for internal initiatives are deferred. But for how long?

Some Security Questionnaires are hundreds of questions long and cover everything from mitigation tactics to security breach management. According to SecurityPal customer data, it typically takes up to 2 weeks to get a single Security Questionnaire completed across departments without extreme measures (i.e. blood, sweat, tears, and weekends). Even the smallest organizations receive 25+ of these questionnaires annually, and the world's top enterprises are seeing thousands of these each year. It doesn’t take a math genius to figure out that’s way too much for teams to handle without being pulled away from the strategic parts of their jobs.

On the other hand, it’s crucial that you complete questionnaires in a timely manner to keep sales cycles short, deal closures high, and revenue velocity increasing. Being able to respond quickly to questionnaires is one of the easiest ways to proactively protect your margins. How do you get ahead of these questionnaires so they don’t completely dominate the time set aside for your internal initiatives, while still keeping deals moving along?

1. Define your process for completing questionnaires

Don’t leave questionnaires to chance. In an increasingly cloud-based environment, you can count on the fact that your organization will receive them, so plan how you’ll handle them. Write the process down and publish it in your company wiki — don’t assume responses will just fall into place. Defining the process will help your team handle questionnaires more effectively and efficiently, rather than scrambling each time to accommodate these massive undertakings.

Create an SOP that clearly defines workflows for questionnaires. Be sure to include project owners, internal subject matter experts (SMEs), advancement, communication, and resources. Without a clear SOP on how questionnaires will be handled by the organization, the project owner constantly changes, which prevents timely responses and continuity in the answers.

2. Gather response information ahead of time

Do yourself a favor and follow a compliance framework before you even receive a questionnaire. If you already have core industry compliance frameworks in place, filling out a questionnaire should be as simple as cutting and pasting answers. It’ll take much less time to fill out a questionnaire if you have a strong structure in place rather than trying to run around plugging holes in your security that the questionnaire uncovers.

Some common industry frameworks are:

  • SSAE/SOC II
    Industry: Financial Industry
    Issuing Organization: AICPA
    Security Topics: Availability and Control of Customer Data

Want to learn more about security frameworks? Check out our Complete Guide to Security Questionnaires for Information Security Teams.

No organization is perfect, but if you’re taking care of the security protocols that are held industry-wide, a security questionnaire shouldn’t derail your deal or shake your entire infosec structure.

3. Establish a platform for collaboration

Create a space where teams can work simultaneously on their part of the questionnaire. This way, different teams aren’t stuck waiting on another department to complete their part and slowing down the entire process. A collaborative space also allows teams to gain full context for their portion of the questionnaire, creating more continuity across responses as they see how their part contributes to the whole.

The platform should also provide a way to share feedback and edit responses, as well as a way to track progress and move the project forward. Don’t play the waiting game. Too often, deals are lost because a questionnaire is floating between teams and no one really knows where it is or what’s next, or because teams are slow to provide feedback.

4. Determine what questions don’t apply to your organization

You have enough on your plate without answering irrelevant questions. Most of these questionnaires are templated, with generic questions that are specific to the sending organization, not yours. Because of this, some of the questions won’t apply to your organization.

Take some time to determine which common questions don’t apply to your organization and have ready responses as to why they don’t apply. The responses should express your strengths and minimize weaknesses by offering a solution to address them or a reason why they’re not part of your security plan. Maintaining a list of these questions and corresponding responses will save you time developing a thoughtful response each time as to why it’s not applicable.

5. Create a definitive timeline with milestones

You can’t leave the timing to chance when deals are on the line. Once you’ve filtered out the questions that don’t apply to your organization, assess what’s left and create a hard deadline with clear milestones. This will give your contributing teams a clear understanding of how to prioritize and accelerate each questionnaire in relation to their other assignments.

Teams must be aligned on your timeline if you have any hope of achieving a quick turnaround. The easiest way to align teams on the timeline is to integrate it into your collaboration platform. Break down each task into key milestones. Then, assign a due date to each task and milestone so teams have a clear picture of what needs to be accomplished at each stage of the questionnaire in order to get it out within the timeframe.

6. Assign tasks to internal subject matter experts

Now that you have all of your procedural elements in place, it’s time to assign tasks to internal subject matter experts. There’s no sense in having your project manager wandering around the office (in person or virtual) with a questionnaire in hopes someone will help them. Rather than leaving whichever team it falls to wandering around begging like a bunch of lost puppies, have specific SMEs take ownership of their questionnaire responsibilities.

Assigning task leaders is essential for timely responses, but that’s not the only reason they’re needed. It’s also important to have task leaders so that if there are questions or concerns about the responses, there is a clear point person to address them. Without a point person, sales teams are left to hunt down the person who originally wrote the response, often with no idea of where to start within each department.

7. Keep a central warehouse of responses for future reference

Once you’ve completed a few different questionnaires, you’ll find there’s overlap. You can often repurpose some answers by keeping a library of past responses. This will reduce the amount of time you have to spend formulating responses each time.

Make sure the database where you record past responses is searchable and data is categorized so you can quickly find relevant content to repurpose. For example, include categories that correspond to core elements of questionnaires, like data protection and privacy, incident response plans, or audit compliance.

Eventually, you’ll find questionnaires will take less time to complete as your response library grows, and a two-day turnaround time will be more easily achieved.

Or Just Let the Experts Handle It…

Even if you put these best practices in place to improve the timeliness of questionnaires, you’re still taking two or more days when deals are hanging in the balance. Cybersecurity expert Penny Wong (a.k.a. Just Ask Penny) describes the process as “a thousand paper cuts by 3rd party vendor privacy and security risk assessment questionnaires.” You have better things to do than fill out a questionnaire (like closing deals and working on internal initiatives), even if you do manage to build an effective internal process and complete questionnaires in just two days.

What if there was a way to get your questionnaires done in 24 hours without having to build your own internal process or make your team pull an all-nighter?

That’s what SecurityPal service delivery specialists are here for. Our team produces accurate, complete security questionnaires in 24 hours. No, it’s not magic, and it’s not automation — it’s just done.

With SecurityPal, your teams are free to focus on higher-leverage initiatives, and deals are closed faster than ever before because no one is held up on a security questionnaire. Curious what SecurityPal can do for you? Book a meeting with us today.
