“Cybersecurity is not just a higher priority for companies today, it is a critical function that demands unique handling.” CompTIA revealed many interesting insights in this cybersecurity trends survey, stressing the need for organizations to step into the modern age with their data security processes.
DDQs and security questionnaires are alive and well in our modern landscape, a key player in the sales cycle. From content to timing, confusion often surrounds the differences between due diligence questionnaires and security questionnaires. Read on to learn the nuances of each document to improve your responses and win that next deal.
What is a DDQ?
A DDQ stands for due diligence questionnaire. An organization sends out a due diligence questionnaire to grasp the vendor’s process, how the vendor will comply with their standards and handle their needs. A DDQ is not as much about an evaluation against the rest of the market. A DDQ is all about compliance.
DDQs vs. Security Questionnaires
Now that you know the definition of a DDQ, let’s get into how security questionnaires are unique, along with a few similarities they share with DDQs.
You likely already guessed what the most common industry is for security questionnaires and DDQs. They are primarily used by organizations operating in technology, either hardware or software.
Much like a DDQ, a security questionnaire will not be used as a method of evaluation between vendors. Although, if an organization throws an RFP (request for proposal) into the mix, then both questionnaires play a role in market comparison.
Usually, a security questionnaire comes from a security department (infosec, IT security, cloud security, etc.). While a DDQ will not necessarily come from that department—marketing, client services, or compliance teams frequently send these documents to responders.
Security questionnaires typically show up later in the sales cycle compared to DDQs. A lot of times the security questionnaire will come in when an organization is trying to set you up as the vendor of choice. Before you can become their new vendor, they need to make sure you’re compliant.
Remember that a security questionnaire is not a competitive evaluation, meaning the issuer won’t spend time performing a security review with more than five potential vendors. It’s completely different from responding to an RFP, which is sent out to tons of vendors to cast a wide net.
A DDQ will potentially arrive much earlier in the sales cycle. A DDQ can be used as a filter, where you, as the vendor, must check all of the boxes to be considered. If you don’t make it through the filter, you won’t move on in the process.
Even when you become their vendor partner, you might see a due diligence questionnaire again and again. Especially in the financial services industry, DDQs are sent to vendors annually—even quarterly—so make sure you’re up to speed on industry regulations.
A security questionnaire is predominantly an Excel spreadsheet. A DDQ could be a spreadsheet, but about 70% of the time, this questionnaire lives in a Word document.
Security questionnaires tend to be a standard set of questions, where you answer some variation of a yes/no answer in a drop down, then provide a bit of commentary to back up your answer. While there will be some black or white questions in a DDQ, there is also room for interpretation.
Succeeding with Security Questionnaires and DDQs
To knock content out of the park with security questionnaires and DDQs, naturally, the best technique is accuracy. With that top of mind, here are other tips to help you succeed as a responder.
You have a lot less room to knock this content out of the park. Your data is encrypted or it’s not. You either have the firewall or you don’t. It’s not about how you implement the firewall, it’s simply: Do you have the firewall set up?
Obviously, one thing you don’t want to do is lie. Let’s say you are asked if you check your disaster recovery plans every 60 days. If your process is checking disaster recovery plans once a year, don’t say “yes.” They will find out 60 days later when you don’t meet their requirements.
Time to completion is a really good thing to shoot for with security questionnaire responses. You’re usually still in an evaluation process where you might be the vendor of choice or you’re one of two choices.
Submitting your security questionnaire ahead of the deadline shows you’re committed and it builds goodwill. And, of course, responding accurately and honestly puts your organization in the best possible light and increases your chance of winning their business.
Similar to an RFP response, there is more room for creativity with your DDQ content. However, don’t respond to a DDQ exactly as you would to an RFP. Before you respond, fully understand your position in the sales funnel.
If you receive a DDQ in the early stages of the sales cycle, this document might be their vendor filtering method. And, you may not want to pitch your business against the market. Instead, consider showing your strengths with compliance. Then, the evaluator will understand what your team can bring to the next stage.
During the late stage of the cycle, your DDQ might be a recurring document you respond to with an existing client. Get straight to the point and ensure accuracy to show you are still in compliance.
Final thought…sometimes a DDQ is issued and it is treated like an RFP. They are not synonymous, as we’ve already explored together. Even if this happens to your team, consider where you are in the sales process and write the response accordingly.