THE RFPIO BLOG

Start Responding Like a Pro

The RFPIO blog is full of insights and best practices, giving you the tools you’ll need to streamline your process and respond with confidence.

Thank you for subscribing.

Something went wrong.

How Accruent responds to 5x more RFPs using RFPIO

How Accruent responds to 5x more RFPs using RFPIO

Accruent is an SaaS (Software-as-a-Service) company dedicated to helping customers and clients with their physical space and asset management. In […]


Category: Tag: Security questionnaire response

How Accruent responds to 5x more RFPs using RFPIO

How Accruent responds to 5x more RFPs using RFPIO

Accruent is an SaaS (Software-as-a-Service) company dedicated to helping customers and clients with their physical space and asset management. In recent years, the company has seen notable growth as they’ve acquired other companies to increase their share in the space. They now have nine different products—all of them technical in nature.

Between all those products, the proposals team has a lot of RFPs (request for proposals) to manage and is regularly juggling several at once. According to Jack Pearce, Manager of the Proposal Team, the technical nature of Accruent’s products means the proposals team doesn’t have the knowledge required to answer all the questions themselves. But the company’s subject matter experts (SMEs) are busy people, and the team has to be cautious how much of their time they ask for.

Before Jack became the proposal manager at Accruent, he was a proposal writer. As such, he knew the company had access to RFPIO. But he never used it himself. “None of us did,” he explained. “It wasn’t really rolled out properly. No one was trained on it, everyone just thought it was another system they had to learn.”

They had some content stored in it, but none of it was organized. As a proposal writer, Jack hadn’t fully understood the value of RFPIO. But as a proposal manager, his view changed. Suddenly, he saw how much potential the tool had to make all their lives easier.

Making RFPIO’s potential a reality

In 2020, Jack embarked on a project to re-roll out RFPIO at Accruent. He worked with his colleague James May, at that time a Proposal Writer new to the organization, to better organize the content already contained in RFPIO’s Content Library. They reworked the collections the content was organized within, and created a better tagging structure. They now have nine content collections—one for each product—and another collection for security questions.

Beyond that initial project of getting the Content Library in good shape, they make a point of performing ongoing content maintenance. Whenever James—now considered the company’s resident RFPIO guru—isn’t busy working on an RFP, he devotes time to cleaning up the tags, makes sure the moderation queue is at zero (or close to it), and works with SMEs to keep all content up to date.

RFPIO is now central to Accruent’s RFP process

The proposals team now knows to start the RFP process in RFPIO, and to complete as much of it as they can using the content available. That creates a better relationship with the company’s SMEs, who now know that anytime the proposals team asks for their help, it means they’ve already done as much as they can on their own. Even better, they know each answer they provide will go in the Content Library, saving them that much more time on future RFPs.

In addition to the Content Library, the team also gets a lot of value from RFPIO’s collaboration features. Between everyone involved in the proposal process, they often have 3-8 SMEs working on RFPs at a time. Enabling efficient communication between the various people involved is important.

Before RFPIO, “Every time someone didn’t like an answer, we’d have to have a call about it,” explains Jack. “Now we just use the comments function in RFPIO to facilitate that conversation.” That makes for a more efficient process, and keeps all the correspondence in one place.

The proposals team aren’t the only ones who feel the difference. Chris Low, a Senior Account Director at Accruent, has also shared his feelings on the change: “RFPIO and the processes the team created around it make collaborating with our amazing proposals team even easier. From a simple intake form, to answering questions at a canter with the library, it’s been a huge help and certainly attestable to winning new business.”

The result: submitting more RFPs, with more confidence

With the help of the Content Library in RFPIO, the proposals team is now able to complete around 50% of all RFP questions on their own. That increases efficiency to the degree that they’ve gone from working on 5-6 live RFPs at a time to tackling 15-25 live projects at once. “That is simply because we can do more because of the platform,” Jack says.

Completing more RFPs has also made them better at determining which ones are worth their time. In practice, that has meant fewer no-gos than before. “It’s given us the confidence to take on more opportunities,” Jack shared.

They’ve also seen a big difference in how they handle security questionnaires. The responsibility for those has generally fallen to one person—and it was really too much work to put on him alone. Now, the proposals team is generally able to get 75% of the questionnaires completed on the first pass. That’s cut the response time from ten days to five.

Before RFPIO After RFPIO
Answering RFP questions meant asking busy SMEs to give up their time The proposals team is able to answer around 50% of all questions on their own, giving SMEs that time back
They juggled 5-6 live RFPs at a time They handle 15-25 live RFPs at a time
Security questionnaires were primarily the responsibility of one SME, and took around 10 days to complete The proposals team can answer 75% of the security questionnaire before they send it on to the SME, and they’re completed in half the time
They were limited in how many RFPs they felt comfortable responding to Replying to more RFPs has increased their confidence in which ones they believe they can win, meaning an increase in the number they submit

Jack and his team don’t mince words when they talk about the difference RFPIO has made. “A life without RFPIO would not be worth living,” he says. “It would be bloody difficult. And you can quote me on that.”

According to T.C. Kaiser, SVP – Global Solution Consulting at Accruent, “Our proposals team has a high volume of projects live and RFPIO enables them to deliver with speed while maintaining a high level of quality. Our team relies on the platform to deliver value to our organization and make the best impression with our customers.”

When it came time for Jack to make the case to superiors for renewal last year, he reports, “I said, ‘this is non-negotiable. If we don’t have RFPIO, we cannot do as much work as we do currently.’”

Not that anyone needed much convincing. The proposal process is so centered on RFPIO that people have taken to referring to the proposals team as the “RFPIO team.” According to Jack, “that is probably the biggest compliment we can give the system.”

How to respond to a security questionnaire

How to respond to a security questionnaire

If you’re like me, you regularly receive emails advising you to change your passwords because one company or another has suffered a security breach. Unfortunately, data breaches are all too common.

In 2021, there were over 1,800 reported data breaches. That is a significant uptick from prior years. 83% of those breaches involved sensitive customer information, such as Social Security and credit card numbers.

The average data breach costs $4.4 million, and much of that is passed on to customers—the same customers who had their sensitive data compromised.

No wonder many businesses now consider cybersecurity their number one concern. Not only does a data breach cost money, it also runs the risk of damaging credibility and eroding trust. Some companies, especially small companies, never recover.

More than half of organizations have experienced third-party data breaches, often despite having what they think is a rigorous security protocol.

The average tech stack might contain dozens of different applications and tools. Sometimes, bad actors sneak in through one of those third-party applications, so it’s critical to properly vet each vendor’s security protocols as you would your own.

The most common way to vet vendors is through security questionnaires. But what are security questionnaires, and how do you respond to them in a way that you, as a vendor, will instill trust?

What is a security questionnaire?

After reading this far, you probably have a good idea of what a security questionnaire is. Still, to boil it down, it’s a questionnaire designed to determine whether a vendor or potential vendor is compliant with your security and legal requirements.

Not surprisingly, security questionnaires are complex and highly technical. The good news is that most questions have “yes” or “no” answers.

DDQ vs. security questionnaire

Many people confuse security questionnaires and DDQs (due diligence questionnaires). It’s easy to see why, as both are issued to assess a company’s compliance with the issuer’s regulations and security requirements.

Neither DDQs nor security questionnaires are specifically part of a sales cycle, although they may be issued before entering into a contract. They might also be issued before an organization is even buying to weed out non-compliant companies before and if the buying process begins.

There are significant differences between the two types of documents, however. You’re most likely to see DDQs if you’re in the financial segment. They are broader in scope than security questionnaires and may ask about business plans, profits and losses, revenue, etc. They might also ask about cybersecurity policies.

A security questionnaire is more straightforward and can be issued from any segment to any organization, although primarily to tech companies. While DDQs ask broad questions about processes, often in narrative form, a security questionnaire forces you to pony up your proof of compliance.

You might see both a DDQ and security questionnaire before receiving an RFP. Generally, the DDQ will come first. Once the issuer is satisfied that you meet their requirements, they might send a security questionnaire to gather certificates and other forms of proof.

In some cases, a security questionnaire follows an RFP and could be the last step before finalizing a deal.

Preparing for a security questionnaire response

Security questionnaires usually arrive via the response manager or perhaps through a CRM. Since most questions center around cybersecurity, SMEs can be from IT, risk management, sales engineering, accounting, information security, operations, and even HR.

The response turnaround time is typically shorter with a security questionnaire than with an RFx. The issuer might want it within days.

Components of a security questionnaire

There are many, many types of security questionnaires, and it would be impossible to list them in this blog post, but here are some examples of what a security questionnaire might assess:

  • Network security
  • Information security
  • Datacenter and physical security
  • Web application security
  • Infrastructure security
  • Business continuity
  • Security audits and penetration testing
  • Personnel policies, hiring practices, and training programs
  • Security certifications
  • SLAs and uptime vs. downtime

Types of security questionnaires

There are several types of security questionnaires, but primarily, you will see these:

Security Questionnaires and Security Questionnaires Lite – Standardized Information Gathering Questionnaires

  • VSAQ – Vendor Security Assessment Questionnaire
  • CAIQ – Consensus Assessments Initiative Questionnaire
  • VSA – Vendor Security Alliance Questionnaire
  • NIST 800-171 – National Institute of Standards and Technology Questionnaire
  • CIS Controls – Center for Internet Security Questionnaire

How to respond to security questionnaires – and how RFPIO will help

If you are a response manager, you’re likely very comfortable responding to an RFx or even a DDQ. Both allow for a bit of creativity, in that, along with answering questions, you’re constructing a narrative to show how your company is the right fit for the issuer.

Security questionnaires aren’t about narratives. They are straightforward and stringent, and accuracy is a legal requirement. Clearly, there’s no room for error. If you’re ready, let’s grab a cup of coffee, or your favorite motivational elixir, and dive right in.

Step 1 – Search for all available materials

While security questionnaires are undeniably bulky and complex, there’s a lot of redundancy. You have probably answered many similar questions before. Search your existing database for those answers.

Often, issuers send a boilerplate questionnaire rather than customize it to each product. Eliminate the questions that don’t apply to your product. Don’t be afraid to ask the issuer to clarify questions that seem confusing or unnecessary.

Step 1 with RFPIO – Prebuilt centralized Content Library

RFPIO features the industry-leading AI-powered prebuilt Content Library. Every previous security questionnaire and all your documentation are housed in one place, accessible to any authorized user.

Step 2 – Answer only the pre-existing matching responses

Response management isn’t like school. In fact, copying other people’s work is encouraged. Search your existing database for pre-existing matching responses and use them when you can.

Step 2 with RFPIO – System-driven identification of sections and questions

RFPIO’s import capabilities, which include Lightning import through Salesforce, leverages machine learning to automatically find matching responses, without you having to initiate the process. This feature alone can do up to 80% of the work for you.

Step 3 – Group all unanswered questions and collaborate with SMEs

Once you’ve found all the applicable existing content, you’ll need to collaborate with SMEs to finish the process. Group all your unanswered questions, broken up by SME, and inform them of their timelines.

Step 3 with RFPIO – Automate through AI

RFPIO’s auto-respond feature and recommendation engine find existing documents and similar, although not specifically matching, content for SMEs’ review. As a side benefit, once SMEs recognize the time-saving capabilities of RFPIO, they’ll be far more likely to help you in the future.

Step 4 – Follow up and track the status of responses

Make sure every team member is completing their portion in a timely manner.

Step 4 with RFPIO – Streamline collaboration through project management capabilities

RFPIO’s Project Module offers up-to-the-minute reporting and reminders to ensure that the questionnaire will be ready on time.

Step 5 – Manually collate and complete the questionnaire

Whew! You’ve answered all the questions and all you have to do is collate the answers and export them back to the original document. Unfortunately, for many companies, that’s a manual process which could take hours—and sometimes days.

Step 5 with RFPIO – Export to the source file

RFPIO eliminates all of the cumbersome manual work with automatic exporting to the response file, all within seconds.

Security questionnaire response obstacles

There’s no direct line from a security questionnaire to revenue generation, which is why they’re sometimes left on the back burner. But that’s not the only reason there might be reluctance on the part of your response team. Other obstacles include:

  • Length – A security questionnaire can have hundreds to thousands of questions. That’s more than a little intimidating if the answers aren’t ready to go.
  • You’re time-bound – Sometimes the questionnaire gets stuck in an internal limbo, and sometimes the issuer sends it expecting an almost immediate turnaround. Having most of the answers ready will cut your response time to a fraction of what it could have been.
  • SME cooperation – SMEs are busy people, so understandably, they might not put the security questionnaire at the top of their “to-do” list. Assure them that you value their time by completing as much of the questionnaire as possible.
  • You don’t have all the certifications and protocol – Most companies won’t be able to answer every question in the affirmative. Submit what you have and perhaps see this as an opportunity to reevaluate where your company might be lacking.
  • Too much jargon – Security questionnaires tend to be jargon-heavy, and if you aren’t familiar with what they’re asking, you might not provide an accurate answer. SMEs can help but so can a well-organized, searchable even by jargon, Content Library.
  • Scattered knowledge (identifying and locating the right content) – If you have a siloed knowledge base, tracking everything down is challenging and time-consuming. Upload all of your certificates, documents, and Q&A pairs to a single source of truth accessible to any authorized stakeholder.
  • Non-compliant content management software – If your content management software isn’t compliant with your company’s requirements, SMEs, especially those in security, won’t use it. RFPIO is even secure enough for Microsoft.

Priorities and tips for the response process

As you’re staring down a seemingly infinite inbox and a calendar filled with back-to-back meetings, speed might be your top priority. However, security questionnaires are legal documents, so accuracy is the most crucial consideration. Fortunately, response software with built-in content management helps ensure both.

Streamlining workflow

RFPIO has several tools to help streamline your workflow, including:

  • Import/Export capabilities – Avoid disorganized, inconsistent, illogical formatting by importing security questionnaires right into your customized template for uniformity, making each stakeholder’s job much more manageable. Once you’ve completed the questionnaire, upload it onto your branded response template or straight to the source document.
  • Project management – If your workforce is like ours, you have people working from home, on other floors, in other buildings, and across the world. RFPIO helps you virtually gather your scattered stakeholders and track progress without chasing people down.
  • Content management – If I, for some reason, were forced to choose my favorite RFPIO feature, it would be the AI-powered Content Library. It:
    • Busts down silos – RFPIO’s Content Library is a single source of truth, with all of your company’s knowledge and documents in one repository.
    • Does most of the work for you – Once you upload the questionnaire, the Content Library’s magical gnomes—we call them the recommendation engine—comb through past responses to make suggestions. All you have to do is accept, edit, or reject. Since security questionnaires ask yes/no questions, there’s little to no editing.
    • Stores content – As the company creates more knowledge and documents, the Content Library will store them for future use.
    • Organizes content – Format, tag, and generally organize the content how you want.
    • Helps keep you compliant – Since we’re talking about security questionnaires, your security team will love this! RFPIO reminds you of expiration and “shred by” dates. It also reminds you when to review specific content and when to audit.
  • Integrations – RFPIO seamlessly integrates with nearly all the communication apps, CRMs, and productivity apps your company uses every day.
  • RFPIO® LookUp – Access the Content Library from anywhere in the world.
  • Autograph – With RFPIO’s Autograph, there’s no need to hunt signatories down. They can sign right from their computers.

Improving Content Library

Keep your Content Library clean, up to date, and organized by consulting with sales engineers and others involved in answering security questionnaires. Ask for their input in categorizing and tagging.

Keeping information up-to-date

Because security questionnaires are legal documents, accurate and up-to-date information is vital. RFPIO reminds you to clean out all the ROT (redundant, outdated, and trivial) information and documents. It even helps you locate all the ROT.

Software for security questionnaire responses

Many companies still rely on manual responses, which are time-consuming and inefficient.One way to differentiate your company from your competitors is to use advanced response software for security questionnaires.

Response software, such as RFPIO, gives each security questionnaire the thoroughness and scrutiny required while saving your team’s time, keeping SMEs on your good side, and helps keep you compliant.

Automation

If you use a CRM or project management software, you probably already know the benefits of automation. Most users do. In fact, IT professionals, such as those helping answer security questionnaires, save up to 20 hours a week using automated processes.

Automation is a morale booster! 45% of knowledge workers report feeling less burned out when they use automation tools, and 29% say automation lets them leave their jobs at the end of the official workday.

RFPIO’s automated response processes automatically fill in most of your answers to a security questionnaire and pull corresponding documents. One customer reports that after RFPIO security questionnaire automation, they can answer 100 questions in just 2 hours!

Templated responses

Most security questionnaires arrive in Excel, which, as you know, is about as standardized as the snowflakes covering Mount Everest. Excel isn’t to blame. Microsoft designed the OG of spreadsheets to track everything from kids’ activities to trips to space.

RFPIO imports the hundreds to thousands of lines on a security questionnaire spreadsheet onto your customized template, ensuring that everyone knows exactly how to find what they need. Additionally, since many questions are redundant, RFPIO answers those duplicate questions for you.

RFPIO’s approach to security questionnaire responses

Breathe a little easier next time you receive a security questionnaire, knowing that RFPIO has your back. You will save loads of time, create accurate, complete responses, and stay on your SMEs’ good sides.

If you don’t already use RFPIO, try a free demo.

DDQ vs. security questionnaire

DDQ vs. security questionnaire

From content to timing, confusion often surrounds the differences between due diligence questionnaires and security questionnaires. Read on to learn the nuances of each document to improve your responses and win that next deal.

What is a DDQ?

A DDQ stands for due diligence questionnaire. Organizations send them to mitigate risk before entering into an agreement with another company. It is a formal document designed to establish whether a vendor complies with industry and/or customer standards or needs, including how the vendor manages its own network and cybersecurity protocols.

Unlike an RFP, a DDQ is not as much about competitive evaluations. A DDQ is all about compliance and business practices.

What is a security questionnaire?

Much like it sounds, a security questionnaire is sent to potential vendors to determine whether their security protocol meets the issuer’s standards and legal requirements. Security questionnaires are technical and usually highly complex, however most questions are “yes” or “no” rather than narrative.

Note that neither DDQs nor security questionnaires are sales documents.

DDQs vs. Security Questionnaires

Now that you know the definition of a DDQ, let’s get into how security questionnaires are unique, along with a few similarities they share with DDQs.

Common industry

Any organization can issue a DDQ, but we see them most in the financial services industry. Security questionnaires are primarily used by organizations operating in technology—either hardware or software.

Market evaluation

Much like a DDQ, a security questionnaire will not be used as a method of evaluation between vendors. Although, if an organization throws an RFP (request for proposal) into the mix, then both questionnaires play a role in market comparison.

Because a security questionnaire is not a competitive evaluation, the issuer won’t spend time performing a security review with more than five potential vendors. It’s completely different from responding to an RFP, which may be sent out to tons of vendors to cast a wide net.

Issuing departments

Usually, a security questionnaire comes from a security department (infosec, IT security, cloud security, etc.). While a DDQ will not necessarily come from that department—marketing, client services, or compliance teams frequently send these documents to responders.

Sales timing

Security questionnaires and DDQs typically show up early in the sales cycle. They may come in when an organization is trying to set you up as the vendor of choice or before it’s time to renew. Before you can become their new vendor, they need to make sure you’re compliant. If you’re an existing vendor, they might need to ensure you’re still compliant.

Even when you become their vendor partner, you might see a due diligence questionnaire again and again. Especially in the financial services industry, DDQs are sent to vendors annually—even quarterly—so make sure you’re up to speed on industry regulations.

Document types

A security questionnaire is predominantly an Excel spreadsheet. A DDQ could be a spreadsheet, but about 70% of the time, this questionnaire lives in a Word document.

Question types

Security questionnaires tend to be a standard set of questions, where you answer some variation of a yes/no answer in a drop down. You might need to add some commentary to back up your answer. While there will be some black or white questions in a DDQ, there is also room for interpretation and creating a narrative.

Succeeding with Security Questionnaires and DDQs

To knock content out of the park with security questionnaires and DDQs, naturally, the best technique is accuracy. With that top of mind, here are other tips to help you succeed as a responder.

Security Questionnaires

You have a lot less room to knock this content out of the park. Your data is encrypted or it’s not. You either have the firewall or you don’t. It’s not about how you implement the firewall, it’s simply: Do you have the firewall set up?

Stick to the facts

Obviously, one thing you don’t want to do is lie. Let’s say you are asked if you check your disaster recovery plans every 60 days. If your process is checking disaster recovery plans once a year, don’t say “yes.” They will find out 60 days later when you don’t meet their requirements.

Time to completion

Time to completion is a really good thing to shoot for with security questionnaire responses. You’re usually still in an evaluation process where you might be the vendor of choice or you’re one of two choices.

DDQs

Similar to an RFP response, there is more room for creativity with your DDQ content. However, don’t respond to a DDQ exactly as you would to an RFP. Before you respond, consult with the correct SMEs (subject matter experts).

Early stage advice

If you receive a DDQ in the early stages of the sales cycle, this document might be their vendor filtering method. DDQs are not the time for a sales pitch. Instead, consider showing your strengths with compelling and (most importantly) accurate narratives showing compliance. Late stage advice

During the late stage of the cycle, your DDQ might be a recurring document you respond to with an existing client, or it could be in addition to a DDQ you’ve already answered. Get straight to the point and ensure accuracy to show you are still in compliance.

Next steps

If a DDQ is part of a sales process, and even if it’s not, response software such as RFPIO makes answering it a whole lot easier. Your RFPIO Content Library can answer many of a DDQ’s questions with a few clicks.


RFPIO can help you increase DDQ and security questionnaire accuracy and efficiency.  Demo RFPIO today to support your sales process.

Get the latest stories delivered straight to your inbox

Subscribe to our blog and never miss an important insight again.

Thank you for subscribing.

Something went wrong.