
How to Efficiently Respond to Security Questionnaires and Assessments

May 27, 2020

In a new ISACA survey, only 51% of the respondents said they are highly confident in their security team’s ability to detect and respond to cyber threats during the pandemic. 

If we thought security regulations were stringent before, the pandemic has only heightened concerns in this area. With more people working remotely than ever before and SaaS solutions becoming the lifeblood of businesses for collaboration, a renewed focus will be taken on how to protect valuable assets and information in the cloud.

This brings us to the security assessment. Security assessments are a due diligence tool used by prospective customers to ensure vendor compliance. Within our client base, we’ve seen an uptick over the last year not only in the volume of security questionnaires our clients receive but also in the size of those questionnaires—with some even pushing 1,000+ questions.

With this increase in volume and need for security assessments in the sales process, how do you streamline their completion? And, how do you make it painless, even with over 1,000 questions?

1. Avoid Them When You Can

The best way to streamline your security assessment process? Perhaps you can avoid them altogether. Frequently, vendors send standardized assessments as part of due diligence versus crafting each and every question. Posting a robust security FAQ on your website or having a standard response format handy to deliver to prospects can stave off the need for custom security assessment responses. 

Other resources you could share include summaries of recent security audits, abridged versions of your security policies, or ISO 27001/SOC 2 compliance attestations.

2. Create a Response Repository

If you’re not leveraging a response platform like Ombud, you should be. With Ombud, you can create a response repository by importing recent security questionnaires, as well as authoring responses straight in the platform. 

— See how Ombud helped LogMeIn increase its yearly response capacity by 150% —

When creating a repository, you should first look to the standard formats you receive. The format we see most often at Ombud is Shared Assessments’ Standard Information Gathering (SIG) questionnaire. Other standard formats our team regularly encounters are CAIQ, ARIBA, and VRMMM. Each of these formats is published by a third-party security firm or solution provider for teams to use, so that customers do not have to create homegrown security assessments. They generally have specific scoring around how a vendor answers, so be sure to research how each is scored.

After curating responses for the standard formats, understand the gaps you may still have. This may include looking at your less popular product offerings, region-specific responses (think GDPR and other regional regulations), and industry-specific responses. 

3. Define a Clear Process for Responses & Updates

Once you create the repository, you’ll have to keep those responses updated. Generally, it’s a best practice to update on either a yearly or a product-release cadence (depending on the content). A response solution like Ombud makes this process easy with expiration date functionality and notification triggers so content never goes stale.

When responding to questionnaires, it’s invaluable to have the curated response repository. Ombud even has a functionality where you can leverage only the curated answers so you always know you have accurate information going out to your prospective customers. Additionally, we can automate the response process through our “automated suggestions” feature, which takes the first pass at responding to a questionnaire, saving your team valuable time and streamlining your efforts.

4. Limit Security Team Intervention

With a repository in place and regular updates, it’s easier to trust the content you have and, in turn, easier to trust your team to manage these questionnaires. For standard formats such as those mentioned above, it may even be possible to allow the sales team to respond with no intervention from IT, security, or compliance experts.

Scale Your Security Expertise - And Start Today

Perhaps security assessments aren’t the first place you’ve thought to explore when looking for areas of your business to automate and streamline. However, as we’ve pointed out, now’s the time. More standardization and a greater level of demand from clients make this a perfect aspect of both your sales and customer relationship management processes to optimize. Not to mention, security and compliance expertise is at a premium, which makes scaling knowledge and approved content across your organization more critical than ever.
