Will Trust Centers Wipe Out The Security Questionnaire?

Sam Colt
January 23, 2023

Teams that submit Security Questionnaires to vendors are hearing a common response: actually, we don’t do those.

The conversation doesn’t usually end there. Instead of receiving organization-specific responses to their security reviews, companies are diverted to trust centers or trust platforms that claim to fulfill the exact purpose of a completed questionnaire, but without any extra work for the vendor. It sounds ideal for everyone involved.

So are trust centers upending the dreaded Security Questionnaire for good? Let’s take a closer look.

What’s a Trust Center?

Trust centers are public-facing repositories of security posture information that attempt to answer frequently asked questions. Organizations use them in the hope of deflecting complex Questionnaires by demonstrating at least a degree of their security posture to would-be customers. They’re designed to assuage security concerns without going into extreme detail. Whether it’s a trust center or a trust platform, there are a few hazards to be aware of.

Enterprise Pitfalls

One of the primary pitfalls of trust centers, if not the primary one, is their lack of comprehensive security posture information. This is especially true for larger enterprise customers, for whom the presentation of something like a SOC 2 certification will only increase their level of scrutiny, not reduce it. Enterprises simply aren’t interested in generic responses to security posture questions; they demand responses specific to their technology stack and industry best practices. A summary security FAQ document will only satisfy a fraction of your entry-level customers (and not for long). Take it from this CISO who came to SecurityPal after working with a trust platform for over a year:

If ten salespeople share our trust center profile through Salesforce, maybe only half of those people actually go into our vault and look at it. Out of those, you know, maybe even half of those who went in and looked at it, still have a security review or security assessment they want us to complete. So 75 percent of the time we're still having to complete a security assessment regardless of the fact that we have a trust center we’re sharing.

– Enterprise CISO, Leading sales enablement platform

Solving for Quality

Security Questionnaires demonstrate your company’s brand and customer commitment early in the relationship. Consider a personal example: Would you spend your hard-earned cash at a store that only answered your questions with “Yes,” “No,” or vague gestures? Questionnaires work the same way; companies want detailed, contextual information instead of a checkmark in a box. Organizations want to offload their questions instead of being forced to comb through a trust center for the right information. A high-quality Security Questionnaire could easily become the difference between being the vendor of choice and being a last-resort option.

Debunking the Cookie-Cutter Questionnaire

Trust centers and platforms all rely on a shared assumption: that all Security Questionnaires are, fundamentally, asking the same questions and can rely on a shared set of answers. Let’s put aside the fact that security postures are dynamic, constantly evolving protocols that need to be continuously updated; why would Questionnaires exist at all if trust centers automatically solved every requesting team’s asks? There is no cookie-cutter Security Questionnaire. In fact, here are nearly a dozen Questionnaire types you’re likely to encounter.

Returning to First Principles

If Security Questionnaires are destined to be wiped out, it won’t be because of trust centers. SecurityPal approaches the challenge of Questionnaires from a First Principles perspective: we want the Questionnaires completely off your plate so you can focus on the strategy and development inherent to InfoSec and fast-growing organizations. Our scaled team of analysts has seen hundreds of thousands of security questions and doesn’t need to draw from or repurpose a static FAQ.

Enterprises can tell the difference between an expertly answered Questionnaire and one that’s been deflected by a trust center that lacks the breadth and answer quality they need to make a buying decision. With that in mind, leaving your deals in the hands of a trust center may not be as bulletproof as the name would have you believe.

Curious what SecurityPal can do for you? Book a meeting with us today.
