Dreaded Security Questionnaires. You’ve Got This.

Over 20 years in enterprise software sales and technology alliances has taught me that the organization looking to take on your product or service often has more to lose than you do when it brings your technology into its environment. Remember that your champion takes on personal reputational risk by selecting your company: if your company or your product fails to meet expectations, he or she could be out of a job.

The part of the sales process that is almost always outside of your control is the legal and procurement diligence procedure. This is where the product selling stops and the company/reputational selling begins. It is also where nearly one third of all deals are lost outright, downsized from a production license to a trial/evaluation license, or lost to a competitor. I’ve seen all three scenarios run their course in a deal.

The legal and procurement process for most larger organizations, particularly regulated industries like financial services, involves the following steps:

  • Vendor documentation
  • License agreement (sometimes prescribed by the customer and not you!)
  • Compliance verification
  • Non-Disclosure Agreement
  • Corporate declarations (insurance, governance, anti-bribery, anti-money laundering, etc.)
  • The “dreaded” Security and IT Compliance Questionnaire!

This last document is often a spreadsheet with anywhere from 50 to 500 questions, plus requests for documentation on your IT security program and certifications. Fear not: while the security and compliance questionnaire is meant to look intimidating, it serves largely as the only documented way your buyer and the acquiring company can obtain a written record of your commitments and thereby mitigate risk, and frankly, save their jobs if you or your company fail.

Once you recognize that a client’s questionnaire is largely a risk mitigation document, you should embrace this step in the sales process with honesty, competence and confidence. To begin, one of the best ways to approach this step is to come prepared yourself. Tugboat Logic’s RFP Response Management Solution provides two different exportable reports that can help you head off a compliance or security questionnaire from the outset.

Building one of the above reports is easy. To start, build your information security program and document it. You can use tools like the Tugboat Logic Turnkey InfoSec Program, or have your CTO or engineering lead document your security policies, procedures and controls in a concise, well-written document.

Another tip to lessen the stress of answering all those questions is to be thorough and accurate in your responses. You can’t just answer yes/no any longer, because most large organizations will either reject your responses if they are not complete or, worse, follow up with in-person interviews or audits of your actual security controls with your IT staff. An answer that cannot be backed by a policy, a procedure or evidence of the control in operation is a liability, not a shortcut. You need to respond with accuracy and completeness, and Tugboat Logic’s RFP Response Management System makes this step easier and more relevant because it auto-answers with content from your active InfoSec program.

The final recommendation in responding to security questionnaires is to head off any difficult situations directly with the team that authored the RFP. While it may extend the sales cycle somewhat, it can be far more efficient, and a more successful strategy, to hold a conference call to discuss either the relevance of certain questions (e.g. questions about hardware or tape storage when you are a SaaS solution provider) or questions that are too far-reaching in their scope (e.g. a customer may demand end-to-end encryption of all PII data when your application only captures nominal amounts of PII in one subsystem). In the latter case, the client may be seeking a “compensating control” to anticipate all forms of data loss risk, but it may not be practical given the solution’s architecture or the client’s use case. Have the conversation to discuss risk. Your customer will appreciate that you did, and will see it as a sign of competence and strength.

Completing an RFP or security questionnaire should be a time for your company to shine and put its best foot forward. Learn more about how to automate security questionnaire responses for faster and more consistent answers with our eBook.

The more proactive you are in offering proof points about your security program, the more you instill confidence in your client, which makes it easier for them to purchase your solution.
