Lucky you. A security questionnaire with 467 questions just landed in your inbox and it’s due in two weeks.
But you don’t use RFP software, so you’re looking at about a week and a half of completion time. Since responding to security questionnaires isn’t your primary job responsibility, you will have to make time in between other high priority tasks. You stay after hours or work weekends to meet the looming deadline.
You meet the deadline, just barely—but you don’t feel confident that you answered the questions as effectively as you could have with more time. You wonder: Are we going to lose this deal now?
If you had RFP software to support your process? Hate to be the one to break it to you, friend, but that menacing security questionnaire probably would have taken you a few hours instead.
Understandably, many responders come to view security questionnaires negatively, and some even dread them. We won’t make outlandish claims, like comparing responding to vendor assessments to a leisurely stroll on a summer day. What we can do is steer you in the right direction, so you gain the upper hand and take control.
By the time you’ve finished reading this post, you’ll understand that:
- RFP Security Questionnaires Are Complex, But Manageable
- Various Security Questionnaires Benefit From an RFP Response Solution
- Each Completed Security Questionnaire Will Throw the Deal or Land It
- RFP Software Alleviates Time and Team Friction
- The Majority of a Security Questionnaire Can Be Completed For You
- A Specific RFP Response Solution Feature Set Will Help You Take Control
- Time is On Your Side with RFP Software
It starts now, with understanding how technology like RFP software can help you navigate the nuances of security questionnaires. And, rest assured…the next time you’re responding to hundreds or thousands of questions will be better.
The Nuances of RFP Security Questionnaires
As complex as security questionnaires can be, there is a bright side too. Yes, there are gigantic spreadsheets involved. But, it’s a pretty standard set of questions you’re working with.
Sure, you might see variations of the questions or see subsets of a question. You might be facing a SIG questionnaire with what seems like a million questions. Still, the questions are pretty much the same old song and dance. Security questionnaires generally deal with privacy. Compliance, infrastructure security, and data protection fall under that privacy umbrella.
“Only a third of organizations believe they have adequate resources to manage security effectively.” – Ponemon Institute
A team of security subject matter experts (SMEs) sprinkled across multiple teams and departments is often required to respond to these security questionnaires. Answering the same questions repeatedly can become tedious for anyone, no matter how dedicated they are to the organization.
For example, if a proposal manager assigns the same hundred questions to a security architect ten times, friction will inevitably follow. Presumably, that security architect will stop answering them and choose to fulfill other high priorities on his or her plate. He or she may become unresponsive whenever support is needed for a security questionnaire ever after.
To top it all off, there is the compliance aspect of security questionnaires. Teams must answer accurately and honestly, and be able to back up their responses should an issuer decide to audit. An RFP software solution is the kind of technology that can handle the nuances of security questionnaires. A great solution will help you solve inefficiencies within your process.
Various Security Questionnaires You Will Encounter
61% say their organizations evaluate the security capabilities of cloud providers prior to engagement or deployment, according to Gemalto’s 2018 Global Cloud Data Security Study. Although these security evaluations increasingly rely on contractual negotiations and legal reviews, 34% of organizations still require the formality of security and compliance questionnaires. That means you need to be prepared (not surprised) when a security assessment arrives.
Being prepared isn’t as easy as it sounds. We can write an entire blog—scratch that—a novel about the different types of RFP security questionnaires you might stumble upon. While a security questionnaire has many names, it also has many types.
Here are various security questionnaires you will encounter:
- SIG and SIG Lite – Standardized Information Gathering Questionnaires
- VSAQ – Vendor Security Assessment Questionnaire
- CAIQ – Consensus Assessments Initiative Questionnaire
- VSA – Vendor Security Alliance Questionnaire
- NIST 800-171 – National Institute of Standards and Technology Questionnaire
- CIS Controls – Center for Internet Security Questionnaire
No matter the type of security questionnaire, the need for a complete RFP response solution along with a reliable internal process can’t be stressed enough. Without this dynamic duo, you run the risk of losing valuable hours with an inefficient approach—but, you also risk losing potential business if the responses are not executed accurately and well.
Why You Should Take Each Security Questionnaire Seriously
The short version? Because you don’t want to be the one that throws the deal. You want to be the one that helps land it.
Whether you’re a cloud provider or an on-premise provider, security questionnaires are a key requirement in this leg of the sales process. Organizations care a great deal about data security and they scrutinize vendors like you to make sure you are the partner they can trust long-term.
As a cloud service provider, your customers entrust their organization’s most sensitive data with you. There’s a very strong chance that the solution you provide is a mission critical application for them. That’s why they want to hire your services in the first place.
Since you make everything available in a publicly shared infrastructure, the controls need to be that much more airtight. There are plenty of control frameworks that govern cloud security. Still, lack of visibility is a bigger problem in SaaS than in IaaS, with almost one third of organizations having difficulty getting a clear picture of what data is in their cloud applications.
It’s important for your customers and prospects to feel confident that you have the proper controls in place, so their data isn’t compromised. Proper controls prevent a data leak, whether it would happen accidentally or through a malicious attack.
On-premise solutions were once less of a concern. People used to believe that an infrastructure behind firewalls was more secure. In the last decade, things have changed dramatically.
In some ways, on-premise solutions are more vulnerable than cloud solutions. When customers use a cloud-based solution, their data is likely hosted with a reputable, secure cloud hosting service provider like Amazon or Google or Microsoft or IBM.
With on-premise, frequently the compromise comes from within—through social engineering, through employees making mistakes. So, on-premise security is something buyers are aware of and really paying attention to.
EU GDPR Requirements
On May 25th, 2018 the EU is rolling out GDPR (General Data Protection Regulation) and the penalties are pretty severe, with the potential to cripple organizations who do not take these requirements seriously.
In McAfee’s 2017 study, Beyond the General Data Protection Regulation (GDPR), more than 80% of organizations said they expected help from their cloud service providers to achieve regulatory compliance. Yet only half of the respondents stated that all of their cloud providers had a plan in place for GDPR compliance.
How will GDPR affect cloud investments? Fewer than 10% anticipate decreasing their cloud investments as a result of GDPR. Even so, take the right measures and demonstrate that you have made every effort you possibly can to keep your customers’ data secure, starting with how you respond to security questionnaires.
Security Questionnaires: The Culprit of Time and Team Friction
Organizations understand that data security is highly valued by their customers, so they respond to security questionnaires to build confidence in their solution. The complicated part for you and/or the team completing these vendor assessments…the time factor.
When responding to RFP security questionnaires, security experts are brought into the process to ensure accuracy. Since security encompasses many different aspects of an organization, multiple team members must work together to answer their respective questions and sections.
Typically these SMEs work in understaffed conditions, where time is truly limited for additional responsibilities outside high priority tasks. If this is all hitting close to home, then you know exactly how challenging it is to respond to hundreds and hundreds of security questionnaires under a tight deadline.
RFP software like RFPIO helps you do the job right the first time. Technology allows you to reuse historical content and customize as needed, while encouraging stronger collaboration for a more efficient process.
ProTip: “Be self-aware of both your strengths and your limitations in your responses. If you don’t have something, don’t lie, but don’t over-emphasize your own deficiencies. Devote your time to addressing the issues the customer will be most concerned with.” – Ken Stasiak, SecureState’s Guide to Responding to 3rd Party Questionnaires
How RFP Software Increases Efficiency Levels
A security questionnaire is basically a massive spreadsheet with hundreds of questions on the lower end and thousands on the higher end. You need to be able to answer volumes of questions quickly, but with incredible accuracy. Such is the beauty of RFP software.
Recently our CIO, Sunder, had a lengthy security questionnaire to complete on his own. (Yep, we have to respond to these just like any other cloud solution provider.)
RFPIO’s auto-response feature filled in 74% of the questions for Sunder. About 11% of the questions needed to be tweaked, because some of the controls had changed. The remaining questions didn’t need to be touched at all, and he had very few questions to respond to manually. Something that would have taken our CIO about a day or two to complete was done within an hour.
A team of one can benefit from RFP software as can a mid-sized or enterprise organization. A larger organization will require several review cycles, but still the time-savings is noticeable for all contributors. This technology, in combination with close collaboration and an established RFP response process, is a game-changer for anyone completing security questionnaires.
When you’re searching for an RFP response solution to help you streamline the security questionnaire process, having a few key features will make a difference in productivity improvements.
“Our immediate instinct with SIG questionnaires was that the Excels were too macro-heavy. It was going to be a huge challenge for us to solve. But, like so many of our clients, we’ve gone through this pain enough and we figured we might as well solve it. RFPIO’s advanced security questionnaire functionality makes the response process much easier for teams.” – A.J. Sunder, CIO at RFPIO
Security Questionnaire Features to Look for in RFP Software
As with any solution you add to your growing technology stack, you want to make sure the investment is worth it. What are your pain points? What are your aspirations and objectives? The needs of your organization always come first, which is good to remember when you’re hunting for a solution.
If you’re answering security questionnaires regularly, you need RFP software with built-in features to support that effort. These are specific RFPIO features that help you take control…
Security Questionnaire Import
An RFP security questionnaire project can start off on the right foot…or the wrong one. With RFP software, the import should be painless for your team—it doesn’t matter if it’s a macro-heavy Excel with 799 security questions.
Even some of the most sizable Standardized Information Gathering (SIG) questionnaires can be imported into RFPIO with a single click. You upload the right template for the job (CAIQ, SIG – Core, SIG – Full, or SIG – Lite) and import directly from your local computer or cloud storage provider.
Have a wealth of historical responses from previous security questionnaires? Rather than being lost in a maze of online folders, all of your content is centralized in an answer library. Easily accessible content means a proposal manager or proposal management team can take the vendor assessment to a certain level of completion before calling in the security SMEs.
This way SMEs can focus on reviewing and revising specific questions or sections, versus answering hundreds of repetitive questions they’ve seen before. Over time, as your team responds to more security questionnaires within the solution, the answer library will continue to expand. If cared for properly, this knowledge repository will flourish.
Since your answer library is the heart and soul of your RFP response solution, managing this content well is a must. From encryption technology to infrastructure, security controls and standards change often. As long as that information is current, security SMEs will not need to do as much heavy lifting when responding. Content audits should be routine at your organization.
From this expansive knowledge base, an auto-response feature brings up relevant responses to answer the majority of the questions for you. Because its matching algorithms choose the best match on your behalf, the auto-response needs to be reliable.
Auto-response cuts down completion time dramatically from the first RFP security questionnaire project—and efficiency levels increase with consistent use. Essentially, the solution does a majority of the responding for you.
Strong collaboration is behind every great RFP response process. Your RFP response solution must have communication features that promote a collaborative environment. Proposal managers should be able to reach out to security SMEs in a low-touch manner, and vice versa.
Team members should be able to easily leave comments and @-mention colleagues for clarification as needed. Built-in chat features and Slack integration are additional ways to help teams work together easily, with fewer emails and fewer meetings.
At the end of the RFP security questionnaire, every team wants to finish up and move on with their lives. However, like the import, the export can really be a time-consuming challenge with large spreadsheets. Being able to easily export back into the original source with clean data is a necessary feature of RFP software, especially with security questionnaires.
“We appreciate the lengths RFPIO has taken to accommodate the Standardized Information Gathering (SIG) tool. They have been incredible in their help addressing the SIG’s embedded scoping and automation abilities within the spreadsheet to preserve the purpose of the document. RFPIO’s efforts to research and develop a new upload specific to the SIG have been invaluable to MGIC.” – Vickie Kusch, Vendor Due Diligence Liaison at Mortgage Guaranty Insurance Corporation
Repetitive questions are the name of the game with security and compliance questionnaires. Bulk answering does exactly what you think it does…answers in bulk! (Didn’t see that coming, did you?)
As you respond to a SIG questionnaire, a solution like RFPIO understands how the macro is programmed and aligns with your selection process. If you answer “yes,” it knows the dependencies and presents those 300ish questions to you. If you answer “no,” it knows not to show irrelevant questions.
Sometimes security questions aren’t black and white. Teams must use their best judgement and answer only what they can back up. An audit history shows who answered each question, so they can back up or explain their response if a situation should arise with the issuer.
Sometimes an issuer will add a clause in the contract that mentions their right to audit in fine print. You want to be ready for this, and an audit trail will help you tremendously.
Time is On Your Side Now, Responder
The dark days of losing hours and sleep are all over. The next security questionnaire that lands in your inbox will be a piece of cake—er—okay, it will certainly be easier than before when you didn’t have your trusty automated technology friend.
So, there you have it. RFP software isn’t just for RFPs. Take control of your next security questionnaire with RFPIO.