Don’t Hire a Full-time Employee to Answer Security Questionnaires

Scaling an organization is challenging, whether you’re a growth-stage company developing partnerships with Fortune 500 companies or a thriving enterprise. There’s no easy way around it: CFOs are constantly balancing budget and value as they seek to fulfill functional and financial needs in an organization. Especially in organizations that are still building foundational pieces, demands often mount faster than they can be fulfilled. This is never more true than when it comes to building a customer acquisition team to build trust with prospects and customers.

Few tasks to close a deal are as time-consuming as the last mile of documentation: things like DDQs, RFPs and the dreaded Security Questionnaire. Many organizations are hiring for full-time positions just to handle this single task, especially with the ever-evolving cloud landscape. However, looking at the cost-to-value ratio of these roles, it quickly becomes obvious that a full-time employee is not the best solution. If organizations want to speed up deals and find a solution that won’t be outstripped by demand, they will find the best value is outsourcing Security Questionnaires.

It’s Not Scalable

If a Security Questionnaire solution is not scalable, it will not only hold up deals but also company growth. For every new product release, capacity increase, and deal signing, the volume of Security Questionnaires surges. The volume and complexity of questionnaires quickly outgrow the bandwidth of internal teams, especially when coupled with regular business cycles, such as fiscal closings and annual audits.

Chuck Kesler, CISO at Pendo, shared that his team struggled not only with the sheer volume of questionnaires but also with the constant learning curve going upmarket. “We are growing our business and dealing with more and more large enterprise customers that have complex Security Questionnaires,” says Kesler. “The amount of effort that goes into doing the questionnaires was growing as well.” 

The complexity of maintaining a strong security posture becomes more time-consuming as organizations take on larger clients. The largest clients demand company-specific questionnaires. In fact, SecurityPal customer data shows 40% of questionnaires are not even in a standard format. The more nuanced a questionnaire is, the greater the learning curve. Because of this, internal teams — that are already at capacity — simply can’t guarantee turnaround time or the accuracy of the questionnaires. And when questionnaires are delayed, incomplete, or inaccurate, deals are abandoned and opportunities are lost company-wide.

It’s Expensive 

Of course, you could always simply hire more people; then, bandwidth won't be an issue. However, hiring enough people and building an internal architecture to scale as you grow gets very expensive very quickly.

The median annual salary for a compliance analyst is $82K, according to Glassdoor. Now, multiply that by a full team of analysts, including a few senior analysts making closer to $91K annually (or better yet, cyber security analysts making $113k per year x 20% overhead!), and it’s easy to see how it quickly spirals out of control. 

It's not just the base salary of employees you have to consider when trying to scale your Security Questionnaire team. You also have to consider the costs of training, office space, work-from-home stipends, insurance benefits, bonuses, vacation days, commissions, stock options, technology, and even more.

One organization we spoke with tried building an international team to save on overhead costs. But, ultimately, the language barrier made it difficult to disseminate information in a timely and effective way. “It boiled down to ‘you get what you pay for,’” a CISO shared. “A monumental waste of time, energy, and money.”

To further compound the issue, the cost of hiring an internal team starts even before you’re shelling out large annual salaries. According to the Society for Human Resource Management (SHRM), the average cost per hire is $4,425, with the average cost per hire for executives reaching $14,936. Not only is it costing your organization money, it’s costing them time. SHRM found it takes an average of 36 days to fill a position, with some positions taking up to 45 days.

It’s Preventing You from Hiring Top Talent

If the cost of hiring wasn't enough of an issue, requiring your team to complete Security Questionnaires also prevents you from hiring top talent for more important things. Because, frankly, no one wants to fill out Security Questionnaires. Listing questionnaires as a required function in your job description can be a big drawback in a highly competitive job market.

Team morale improves and turnover is reduced when employees can apply their skill set to more vital and engaging security functions. Arthur Viegers, global solutions engineer at Twilio Segment, sells candidates on the fact that their team outsources their Security Questionnaires. “It’s pretty simple,” says Viegers. “I [just] tell new hires and potential candidates about SecurityPal as a plus point of working at Twilio Segment as a solutions engineer.”

It’s Distracting Your Team from What’s Important

When your teams are overwhelmed just trying to keep up with Security Questionnaires, they don’t have the time or energy to invest in what actually matters: your organization’s internal initiatives. 

Security Questionnaires often have an unpredictable volume that rises and falls based on company growth and each ‌customer’s specific security requirements. This makes planning efficiently for questionnaires nearly impossible. During high-volume seasons, the dedicated Security Questionnaire team rarely has enough bandwidth to meet demand. As a result, other team members are constantly pulled off internal projects just to fill out Security Questionnaires so deals can move forward. This means compliance teams aren’t managing risk, infosec teams aren’t combating threats, sales teams aren’t closing deals, and product development teams aren’t pushing the organization forward.

Your teams find themselves in an impossible situation when they are made responsible for Security Questionnaires. They have to choose between the thing that keeps deals moving forward and the things that protect your company’s growth long-term. Essentially, it asks them to put your customer’s superficial security priorities before your organization’s actual needs.

Adam Surak, VP of infrastructure and security at Algolia, said before his team outsourced their questionnaires, they were spending too much valuable time answering them, and team morale plummeted. “Before discovering SecurityPal, our security team spent 40% of their time with questionnaires and not improving the security of our company,” said Surak. “The bandwidth and team morale impact makes the ROI of SecurityPal a no-brainer for any quickly growing business.”

Close Deals Faster 

There’s not much about closing a deal that can be effectively outsourced - except Security Questionnaires. Security Questionnaires are one of the few jobs you can outsource without exposure. There’s nothing confidential in a Security Questionnaire since it’s all metadata (i.e. information about data structure and source, rather than original data). And, when you outsource it to actual experts, you’ll not only get your questionnaires faster but also more complete and more accurate. 

Here at SecurityPal, we know a thing or two about Security Questionnaires. We’re obsessed with the latest in information security, security posture, compliance, and everything else about Security Questionnaires. We’ve processed 80% of Fortune 500 questionnaires, so we’ve seen it all and know what’s coming next.  

Our security experts’ sole focus is making sure your questionnaires are accurate, complete, and timely. “Before SecurityPal I would dedicate entire days to filling out Security Questionnaires,” says Erica Tom, risk and compliance manager at Loom. “With SecurityPal I no longer have to do that and I can reinvest the time on higher leverage risk and compliance projects. SecurityPal's turn-around time and ability to handle questionnaires of different formats (portals, documents, forms) are real strategic advantages for us.”

We believe your team has better things to do than trying to keep up with questionnaires. Let them do what they do best and let us take the busy work. Get in touch today so you can focus on what really matters: your organization’s long-term growth.