The IT pro’s guide to security questionnaires

Our digital lives don’t feel as secure as they used to. Equifax and Uber are just the latest examples of a seemingly never-ending series of malware and phishing scams making headlines, leading businesses and end consumers alike to question what is safeguarding their information. The effects of these attacks on the corporate world are widespread: not only must businesses revisit the strength of their internal security systems, but they also need to ensure that partners, customers and prospects are doing the same.   

As data protection standards and guidelines quickly adapt to stay ahead of threats, security is a top-of-mind issue for any company seeking an outside vendor. Businesses that store sensitive information or offer software as a service are seeing an influx of security assessments and questionnaires as part of the Request for Proposal (RFP) process—a vital component of sales teams’ success at companies of all shapes and sizes. Sent by the prospect to vendors bidding on its business, or to existing vendors for yearly assessments, security questionnaires (also known as “standardized information gathering” questionnaires) ask the vendor about its security controls, such as patching, business continuity and security policies, all in an effort to confirm that the vendor has adequate data protection measures in place to reduce the client’s risk.

The burden of responding to security questionnaires has become a fact of life for many organizations—especially banks and other financial service businesses, healthcare enterprises and technology service providers. But while RFPs have traditionally been the responsibility of proposal teams and sales professionals, the highly technical nature of security questionnaires means that those people are increasingly turning to their IT teams for help. While supporting RFP teams may fall outside of IT’s usual day-to-day job responsibilities, helping complete questionnaires efficiently and thoroughly is instrumental in enabling the company to win bids.

But that’s not an easy task. Any business that manages or stores data—such as sensitive customer or employee information, including financial details and intellectual property—is likely aware that completing these highly detailed, complex questionnaires bears a substantial cost and burden. Proposal automation software can help streamline the process significantly, but it’s still important for IT subject matter experts (SMEs) to approach this important project with the right mindset and tools.

Here are best practices for IT teams to ensure that their participation in the RFP process is as efficient and effective as possible: 

Ask the right questions from the start 

Thanks to proposal automation software, an IT employee may be assigned to complete some or all of a security questionnaire via email, and directed to work within the system. That doesn’t mean that they can’t or shouldn’t question the proposal writer or sales executive managing the project about the process to determine exactly what is expected. Key questions to ask at the start of the process include:  

When is the questionnaire due?: Proposal writers and sales teams are often under tight deadlines to submit documents. Most RFPs are due within two weeks or less, according to an industry survey recently conducted by Qvidian, and security questionnaires often face the same tight deadlines. IT teams must know when content needs to be reviewed internally as well as when the completed questionnaire must be submitted to the prospect.

What is IT’s role, and who else is participating?: Often, completing security questionnaires is a true team effort: expertise from multiple SMEs across departments such as product development, IT, HR and compliance might be required. Getting a sense of who else will be contributing will help the IT team home in on where it can add the most value.

What can IT draw from so they don’t need to reinvent the wheel?: There might be approved content from previous questionnaires that the team can adapt to fit the current one. This will cut down the time spent drafting and—since it’s based on material that has already been vetted—the time the proposal team spends reviewing it. 

Create and use a centralized repository of approved content  

When responding to a security questionnaire, teams need to deliver accurate answers to hundreds of detailed questions, often within a limited timeframe. These questionnaires are frequently one of the last requirements before a customer signs a contract. The more quickly a team can respond, the sooner the deal can close.

A centralized content library lets an organization store standard responses to recurring questions, updating answers as policies, procedures and infrastructure evolve. Rather than rewriting this information for every questionnaire, teams can draw on this content each time a new questionnaire arrives, saving time and guaranteeing content is both current and thoughtful.   

Implement intelligent workflows to ensure appropriate updates, reviews and approvals  

Working with the proposal team and any proposal automation software the company uses to determine an intelligent workflow will save time and effort on all ends. An optimal workflow should allow for:  

The creation of an audit trail. To confirm that the content the team is using reflects the most up-to-date standards by the most credible SMEs—especially if the company outsources certain software development to offshore resources, or changes policies to comply with new privacy laws—workflows should clearly show both tracked changes and the author of those changes. Teams should be able to see who created, edited and approved answers to each question, and have the ability to schedule regular content reviews.  

A mechanism for ensuring updated content is stored in a central library. The careful edits teams have made to bring content up to date won’t do much good the next time they need to fill out a security questionnaire if that new content isn’t archived in a centrally accessible library or database. It’s not unusual for there to be a three- to six-month lag between the time content is approved and the time it’s archived in a library, which can lead to teams reusing outdated content; reducing that lag also increases efficiency and speeds up approvals. Automating that upload process takes the burden off the content team, leaving it more time to spend working with and finalizing answers for questionnaires.

A way to easily and clearly track deadlines and approvals. When many stakeholders are involved in the creation and approval of a document, it can be difficult to keep track of who needs to submit what by when, and who is responsible for approvals. Making deadlines and ownership as clear as possible ensures that proposal teams can follow up with SMEs in a prompt manner, keeping the submission on time. 

In today’s digital age, companies know that the security measures protecting their customers’ sensitive information are only as good as their vendors’ weakest security measures. As prospects put their potential vendors under the microscope, security questionnaires are becoming a routine part of life for many IT teams—but they don’t have to be a burden. An efficient process for completing them will lead to reduced stress on both IT and sales teams—and more successful bids.    

Jeffrey Weil, General Manager at Upland Qvidian 
