You might know them as vendor security questionnaires (VSQs) or due diligence assessments (DDQs) or vendor security assessments (VSAs). No matter what they’re called, these assessments are all ways for one company's (prospect) vendor risk team to evaluate another company’s (vendor) security posture before doing business with them.
What exactly is a vendor security questionnaire?
A vendor security questionnaire is a comprehensive set of questions covering a wide range of security topics, typically delivered as an Excel spreadsheet or through an online platform, designed to assess a third-party vendor's security posture. It will include questions about security and compliance policies, information about the vendor's security program (including security controls and past security incidents), and the vendor's ability to safeguard customer data.
By answering these questions, third party vendors can establish trust and credibility because their security practices are sound, ultimately convincing customers to invest in their software or services. With the rise in data breaches and expectation of increased transparency around a company's data security policies, most B2B vendors today have to complete this security questionnaire for a prospect before they can close the deal.
Filling out security questionnaires: the 'worst job' in information security
For most security teams, completing these security questionnaires for prospects and customers is often cited as the ‘worst job in information security’, and for good reason.
Companies that are scaling fast will get hit with multiple questionnaires a week or even a day as their sales teams grow the business.
In these questionnaires, the same security and compliance questions and topics are asked in a myriad of ways and in dozens of formats, including macro-enabled Excel files with over 10 tabs, third-party portals that are challenging to use, and sometimes Word documents and PDFs.
Besides navigating the complex formats, concocting precise security questionnaire responses from a vast knowledge base is time consuming, often taking precedence over other tasks. The consistent influx of multiple questionnaires week over week leaves employees who are responsible for completing the security questionnaires feeling demoralized.
The process for answering these often involves a few team members dedicated solely to security questionnaire response, but can vary widely depending on company size and bandwidth. Sometimes, it even involves senior level executives weighing in on some of the questionnaire answers.
Naturally, this means that the information security team becomes a bottleneck in the sales process when inundated with vendor security questionnaires.
What software exists on the market today to help teams complete security questionnaires?
Information security teams automate the process of answering security questionnaires in one of two ways: a 'DIY' method built on homegrown tools like spreadsheets, ticketing systems, and internal 'wikis' that store questions and answers they can refer back to, or software that automates filling in the answers for them. Teams usually seek out automation software when they reach 10+ security questionnaires a month.
RFP Software
RFP software is software where you can upload a question and answer bank and auto-populate or search to recall answers to commonly asked questions on RFPs (request for proposals). Teams also use this software for security questionnaires.
Typically, RFP software is built for broader RFPs that may include a security questionnaire component. This need for broad coverage means the knowledge base ends up containing tens of thousands of questions covering many more domains than just security.
We dive into the details of why RFP software has trouble addressing the nuances that arise with security questionnaires in this blog.
Security questionnaire automation software
This is software specifically designed for completing security questionnaires. Similar to RFP software but more narrowly scoped, this software lets you upload a question and answer bank and either auto-populate answers or search for answers to commonly asked questions on security questionnaires specifically.
Compliance software with security questionnaire answering
Many compliance automation platforms out there that are used for completing SOC 2 audits, monitoring controls, and other compliance related activities have added features to help with security questionnaire answering as part of their platform. This feature is typically an 'add-on' and not the main focus of the compliance software vendor; therefore, there are limitations to the effectiveness of these features.
Managed service providers
These providers act as an outsourced arm of your security or compliance team. You pass them the security assessment from your customer and they complete it for you in the format it was provided within a contracted SLA. There is sometimes a software component where teams can access and manage a knowledge base (like with Conveyor's white-glove service) but with some providers, the knowledge base is managed by the service provider and not available for you to use.
The challenges with existing software used on security assessments
In our 2021 Customer Trust Benchmark report, which surveyed 100+ information security professionals across companies of all sizes, we found that the same challenges exist whether teams use a homegrown or a purchased software option.
In fact, 60% of the respondents experienced at least two of the challenges below:
- Reviewing security questionnaire answers is a painful, manual process
- It is difficult coordinating with different team members across departments
- It is difficult keeping reference documents updated
- It is hard to find answers quickly
- It is difficult coordinating with customers
- Import/export in the software is clunky
- The security questionnaire automation software is expensive
Here's an excerpt from the Customer Trust Benchmark report:
Why these challenges still exist
Inaccurate answers
Most tools on the market today use natural language processing, which means they often only bring back the top 'matches' to a question. A given security questionnaire question on a topic can be asked in dozens of different ways, which makes it hard for the software to recall the correct response. Even if a tool can auto-populate answers for you, it might not be bringing back the right one.
For example, a commonly asked question is on sensitive customer data.
"Do you encrypt data in transit and at rest?" can be also asked in these ways:
- "What data encryption standards do you use?"
- "How do you encrypt customer data?"
- "What are your protocols for encrypting data?"
Existing RFP software, for example, can miss the fact that all of these questions are essentially asking for the same answer, and instead provide an answer that's not quite in line with what is being asked.
Third-party portals are hard to use
Third-party risk management software allows customers to automate sending a security questionnaire to a vendor through an online portal. They've grown so much in popularity that across 8,300 security reviews performed in Conveyor's platform in 2022, 35% were sent to the vendor in a third-party portal. Customers are now opting to send a custom questionnaire through a spreadsheet or portal in lieu of an industry standard questionnaire so that number will continue to increase.
Though they are 'automated' and 'online', that doesn't necessarily make things easier for teams. In fact, infosec teams often prefer spreadsheets that they can upload into their security questionnaire software to get auto-generated answers over the clunky, hard-to-use portals where they have to answer questions one by one, or are left in a bind when the portal doesn't save and deletes all the previous answers.
Many questionnaire tools have browser extensions for use with portals, or can ingest an export from a portal (though not always successfully). Formatting an export from a portal can often take longer than just answering the questions in the portal one by one. That's why third-party portals continue to be a problem for any security questionnaire automation tool.
Collaboration needs
According to our 2021 survey, 80% of companies have two or more departments involved in the security review process and 50% have more than three departments involved. Typically, information security or compliance teams are involved, along with sales, IT and legal.
With sensitive information at stake, infosec teams want to make sure the right answers are sent to customers and need a way of making sure the subject matter experts are "blessing" the latest answers. The teams on the front lines of providing security questionnaire responses are also tasked with keeping all stakeholders updated on the status of any security assessment in their queue.
There are a myriad of ways this process can be designed across teams and organizations of all sizes and industries, which means that while software will address common collaboration challenges, there will probably never be a one-size-fits-all solution. Understanding the main bottlenecks in your process is key to figuring out which solution will work best for your organization.
Knowledge Base Management
Managing a knowledge base can be a daunting task for any team, no matter what software or DIY solution you choose. For RFP software specifically, the accuracy problem we highlighted earlier, where most RFP software requires exact wording to match a question to an answer, creates a strong incentive for teams to store a multitude of question and answer pairs on the same topic to cover all possible variations of a question.
The centralized repository becomes unruly as time goes on. Teams end up spending more time searching through dozens of Q&A pairs to find the answer they need or combining answers to form a new answer that then needs to be added.
How to evaluate software for answering security questionnaires
We know the market for security questionnaire software is getting crowded. With all the marketing claims out there (including our own), how do you properly evaluate security questionnaire automation tools?
Ask for a proof of concept or free trial
Based on information from our customers and prospects, it shouldn't take more than a week to run some testing with your own data to see value from the software you're evaluating.
This is done by setting up a knowledge base within the software or with your managed service provider.
Tip: Using 1,000+ question and answer pairs is, in our opinion, the most comprehensive way to test.
Metrics to consider in your evaluation
Speed and accuracy have been at the top of our prospects' lists in their evaluation. Most teams are looking for tools that cut time spent per question by 50% at the very least.
These should be fairly straightforward to assess if you are measuring each step in your process.
Here are some metrics used by many prospects who are evaluating a security assessment automation vendor:
1. Accuracy percentage - how often are you getting the right answers when using an auto-fill feature?
How to evaluate accuracy: remove all answers from a previously completed questionnaire, run it through the tool, and compare the auto-filled answers with the approved ones.
2. Speed - how fast can you answer each question precisely in the format required?
- Time saved per questionnaire question
- Time saved per questionnaire
- Time saved getting questionnaire back to customer
- Time saved on collaboration with other teams using the tool
3. Do I see immediate results?
It shouldn’t take you more than a week -- or testing 2-3 questionnaires -- to see improvements.
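The accuracy check above, and the problem of one question being phrased many ways in the 'Inaccurate answers' section, can be run as a small offline experiment. The following harness is an added example and not Conveyor's code or the code of any questionnaire tool; the knowledge base, the approved questionnaire, the stopword list and the keyword-overlap matcher are all constructed here for illustration. It scores an exact-wording matcher against a keyword-overlap matcher on the same constructed questionnaire, counting wrong answers separately from unanswered ones, since a tool that confidently returns the wrong answer costs more review time than one that abstains.

```python
"""Added example (not the page's code): measure auto-fill accuracy of two
toy question matchers against approved answers.  All data is constructed."""
import re

# Constructed stopword list; a real tool would use a proper NLP pipeline.
STOPWORDS = {"a", "an", "and", "are", "at", "do", "does", "for", "have", "how",
             "in", "is", "of", "on", "the", "to", "what", "which", "you", "your"}


def stem(word: str) -> str:
    """Crude suffix stripping so encrypt/encrypting/encryption compare equal."""
    for suffix in ("ion", "ing", "ed", "s"):
        if word.endswith(suffix) and len(word) > len(suffix) + 3:
            return word[: -len(suffix)]
    return word


def tokens(text: str) -> set:
    """Lowercase, keep alphabetic words, drop stopwords, stem the rest."""
    return {stem(w) for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS}


def jaccard(a: set, b: set) -> float:
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


# Constructed knowledge base: one canonical Q&A pair per topic.
KNOWLEDGE_BASE = [
    {"topic": "encryption", "question": "Do you encrypt data in transit and at rest?",
     "answer": "Yes. TLS 1.2 or higher in transit and AES-256 at rest."},
    {"topic": "incident-response", "question": "Do you have a documented incident response plan?",
     "answer": "Yes. The plan is reviewed and exercised annually."},
    {"topic": "background-checks", "question": "Do you perform background checks on new employees?",
     "answer": "Yes, prior to start date, where permitted by law."},
    {"topic": "mfa", "question": "Is multi-factor authentication required for employee access?",
     "answer": "Yes, MFA is enforced for all workforce accounts."},
]

# Constructed questionnaire with the approved topic for each question.
# The last two questions deliberately have no good knowledge-base match.
QUESTIONNAIRE = [
    ("What data encryption standards do you use?", "encryption"),
    ("How do you encrypt customer data?", "encryption"),
    ("What are your protocols for encrypting data?", "encryption"),
    ("Do you encrypt data in transit and at rest?", "encryption"),
    ("Describe your incident response process.", "incident-response"),
    ("Are background checks performed on employees?", "background-checks"),
    ("Is MFA enforced for staff accounts?", "mfa"),          # acronym, no overlap
    ("Do you store customer data?", "data-retention"),       # topic not in the KB
]


def exact_matcher(question: str):
    """Returns a KB entry only when the wording matches exactly."""
    for entry in KNOWLEDGE_BASE:
        if entry["question"].strip().lower() == question.strip().lower():
            return entry
    return None


def keyword_matcher(threshold: float = 0.25):
    """Returns a matcher that picks the KB entry with the highest keyword
    overlap, abstaining when the best score is not above the threshold."""
    def match(question: str):
        q = tokens(question)
        best, best_score = None, 0.0
        for entry in KNOWLEDGE_BASE:
            score = jaccard(q, tokens(entry["question"]))
            if score > best_score:
                best, best_score = entry, score
        return best if best_score > threshold else None
    return match


def evaluate(matcher, questionnaire=QUESTIONNAIRE) -> dict:
    """Accuracy = correct / total; unanswered and wrong answers are counted
    separately because they cost the reviewer different amounts of time."""
    correct = wrong = unanswered = 0
    for question, expected_topic in questionnaire:
        hit = matcher(question)
        if hit is None:
            unanswered += 1
        elif hit["topic"] == expected_topic:
            correct += 1
        else:
            wrong += 1
    return {"correct": correct, "wrong": wrong, "unanswered": unanswered,
            "accuracy": correct / len(questionnaire)}


if __name__ == "__main__":
    print("exact wording :", evaluate(exact_matcher))
    print("keyword, t=0.25:", evaluate(keyword_matcher(0.25)))
    print("keyword, t=0.0 :", evaluate(keyword_matcher(0.0)))
```

On the constructed data the exact-wording matcher answers only the one question whose phrasing is identical to the knowledge base, while the keyword matcher recovers all three encryption variants. Lowering the abstention threshold to zero turns the "Do you store customer data?" miss into a confidently wrong encryption answer, which is the failure mode the 'Inaccurate answers' section describes and the reason a proof of concept should report wrong answers and unanswered questions as separate numbers.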
Benchmarks
Based on real customer data and 1,000 knowledge base question and answer pairs, you can expect to see:
Accuracy
- Customers who have used compliance software with an add-on questionnaire feature auto-generated less than 20% accurate answers
- Customers who have used RFP software auto-generated less than 50% accurate answers
- Customers using Conveyor's GPT-questionnaire response auto-generate 80-90% accurate answers
Speed
Best in class tools will bring down time spent per question to 20-30 seconds.
The future of security questionnaires
In today's rapidly changing world of digital security, navigating through vendor security questionnaires to assess a vendor's security posture has become a 'must-have' to close a deal, but has become a burden for information security, compliance, and sales teams everywhere.
The wide range of available tools highlights the challenges and complexities of this process itself and how it varies across organizations and even within different internal teams. Our suggestion is to test the tools out there against the benchmarks listed above when shopping for software in this space.
With the leaps that new LLMs and AI have made, you can expect to see software that can generate 100% accurate answers (that's what we're aiming for, at least 😉) so teams can spend as little time as possible on these security assessment questionnaires.
----------
Try Conveyor's GPT-questionnaire response tool with a free proof of concept today. With the most accurate answers on the market, you'll be flying through questionnaires faster than ever before. A free proof of concept involves our team helping you upload a knowledge base, identifying the gaps, and our product team helping you measure success.