Ok, how do you feel about security reviews? This is the one question we know we can get 100% accuracy on again and again. The answer is always, “We can’t stand them.”
And seriously, who can blame you? The saying goes that time kills deals and the security review is the trickiest time suck out there. No one wants a random 600 question security questionnaire dropped in their lap. But the market is changing. Gone are the days of canned answers, slowed deals, and too much back and forth between teams.
In this blog post, we're diving into the insights shared in our recent webinar hosted by Presales Collective’s General Manager Chris Mabry, “How to Make Security Reviews Your Secret Weapon”.
We'll unpack the top questions and answers discussed with guests TJ Guyton, Solutions Consultant for Figma, and Conveyor’s own VP of Product Marketing, Daniel Kish. With their insights, you can arm yourself with the knowledge to navigate security reviews on the presales side like a pro. Stay tuned to learn how to make security reviews work for you, not against you. Let’s get into it.
The Q&A highlights from the PreSalesCollective x Conveyor webinar
If you were to design a security process or an RFP process from scratch, how would you do it?
Daniel (VP Product Marketing @ Conveyor): Great question. I’d focus on four main things in the build to get the most value out of any tools you might be using.
- Prioritization Through Deal Scoring: Use deal scoring and likelihood metrics to prioritize efforts. This makes it easier to assess if the potential revenue justifies the time spent on RFPs and questionnaires.
- Customer Self-Service: It’s incredibly valuable to enable customers to self-serve their security questionnaires based on their size and spend threshold, reducing the burden on pre-sales and infosec teams. Do yourself a favor and deflect the work where you can.
- Instant Questionnaire Responses: Having generative AI automate your answering process frees up so much time given that the tool is accurate.
- Measuring ROI and Team Efficiency: Infosec teams are being measured and evaluated differently than before, so it’s crucial to be able to communicate your value. Implement measures to assess ROI and resource efficacy, ensuring visibility at every step to optimize team workload and maximize business value.
How do you view the role of security questionnaires in the discovery process?
TJ (Solutions Consultant @ Figma): Discovery is crucial, and it's often hindered by cumbersome Excel files with nuanced questions. Many rush through security questionnaires, but I find success in using them to slow things down. This approach helps mature my network within the customer, allowing me to understand their security process, culture, and evaluation criteria. Building these relationships through discovery leads to meaningful security improvements.
I’ve never thought to use questionnaires to slow down deals. Can you share a specific example of this approach in action?
TJ: Sure. I've filled out countless security questionnaires, and they rarely impact security meaningfully. For instance, a seller here was struggling with a non-responsive account. He sent a DM to the CTO on LinkedIn highlighting that SSO wasn’t turned on for their instance, which led to a meeting with senior leadership within 48 hours. It both improved the security of their Figma deployment and helped us restart conversations with their team. It really showed us the value of direct, meaningful interactions over simply completing questionnaires just to check a box. You can actually use security questionnaires as a platform for discovery to a customer and you can do that pretty successfully.
Can you offer some practical advice on how to get customers to self-serve questionnaires more often? What does good self-service look like?
TJ: Self-service (having the customer find information they seek on their own) is valuable if you have a tool tracking customer activity - for the data and insights it provides, such as document views and downloads. This helps us approach calls with credibility. However, convincing customers to self-serve can be challenging. A great user experience is crucial—if customers struggle to find information, they'll be reluctant to try again. I often position the completion of the security questionnaires as a task that needs to be done live with the customer, scheduling a call to guide them through it. This sometimes encourages them to self-serve to avoid lengthy calls and enhances productive discovery sessions when calls are scheduled.
Speaking more on the customer experience side, Daniel, do you have anything to add?
Daniel: It's all about creating a great experience. The infosec team alone shouldn't drive it; client-facing teams like pre-sales should co-own it to ensure it meets customer needs. Use tools to prioritize leads and manage low-level info. Self-service isn't about full automation but enhancing high-value, human-to-human conversations with rich context and clear differentiation.
Many teams are doing more with less these days. Our responsibilities have grown, but our personnel haven't.
Regarding tooling, how should teams present the business impact when seeking a budget or building a security review council?
Daniel: Treat security needs as a revenue problem to secure significant investment. Tie the issue to substantial financial impacts like improving win rates and accelerating deal velocity. You should use concrete metrics to show how budget allocation can influence these areas. But remember that productivity gains alone don’t usually justify large budgets; executives need to see clear, revenue-related outcomes.
To get over this, provide third-party validation and benchmarks showing how similar investments have benefited other companies. This approach highlights the risk of falling behind if the organization doesn't invest, making a compelling case for the necessary budget.
TJ: Speaking from Figma's standpoint, when we brought in Conveyor, it was to address a specific need, and it fit the bill perfectly. Since then, its usage has grown across our SE team. Figma has been in a rapid growth phase for a while, so our approach to tooling has been to get what we need to scale quickly.
Now, though, we're shifting towards a more balanced approach. It's crucial to gather insights and metrics to gauge the impact of tools accurately. However, it's equally important to ensure that these tools are actually solving problems rather than just being kept because someone on the team likes them. That's the stance I've taken, at least.
Everybody’s keeping a close eye on GenAI. What are the trends you're watching and what do you wanna tell us to look out for?
Daniel: Yeah, the AI landscape is shifting, and we're seeing significant adoption in security review productivity. According to our recent survey, 55% of companies are already using or planning to use AI in the next year. This indicates a pivotal moment where investments in AI will be put to the test in 2024.
Another trend I'm noticing is the increased measurement of back-office processes by revenue team leadership. They're realizing that delays in legal and finance reviews directly impact revenue generation. This realization is driving the integration of AI, improved workflows, and process redefinition to streamline operations.
Additionally, there's a growing recognition of the importance of compliance teams in enabling big deals and upmarket expansions. And so as we talk about teams pulling in other teams and solving cross-functionally, what TJ said is right. We love our compliance teams. We need to elevate them in the eyes of our CRO because, let's be honest, a lot of them are not too good at selling themselves internally, but we know having worked with them how good they are. And so I think that’s the third trend if I had to pull one out—it's a partnership. And part of that partnership involves helping those teams sell themselves and connect to revenue. It’s a really exciting time to show your value in a whole new light.
What opportunities and more importantly what are some of the risks you guys see in GenAI?
TJ: Alright, first off, I'm a strong advocate for expanding compliance teams, so don't see GenAI as a replacement for them. Having a robust knowledge base and policies in place enhances GenAI's effectiveness, although accuracy remains a concern, especially in security contexts.
To mitigate risks, we need to train the AI conservatively and continually refine its data. While AI streamlines some processes, it doesn't address all questionnaire complexities, like detailed AWS infrastructure inquiries. However, it excels at connecting disparate data points in our knowledge base and providing nuanced answers, making it invaluable for navigating the evolving compliance landscape and efficiently addressing security inquiries.
Daniel: I mean, that’s the magic word, right? Accuracy. It’s crucial when considering AI tools. Many claims about accuracy in the market are exaggerated, and users quickly assess whether a tool is accurate enough for their needs. While traditional AI tools act as copilots, newer AI agents are designed to function holistically for the entire organization. Successful GenAI tools function more as experts, possessing comprehensive knowledge, spanning functions, and managing complexity.
The future of GenAI holds promise, and it will take time to realize its full potential. Still, I think this will happen sooner than we think.
Want more tips?
Turning security reviews into your secret weapon isn't as daunting as it seems. With the tips and tricks shared in our blog post, you're well-equipped to make it happen. But hey, we've only scratched the surface here. For more insights, make sure to check out the complete webinar. It’s worth it, we promise.