Responding to Security Questionnaires: Advice from an InfoSec Expert

Written by Jennifer Tomlinson / Aug 12, 2021

As Executive VP of Marketing, I work to identify business needs and help QorusDocs’ clients generate revenue more effectively and efficiently. I spearhead efforts to increase brand awareness through digital marketing and client engagement.

There used to be a time when a firewall and some anti-virus software were enough for companies to feel protected. Those days are long gone. Today cloud-based services let employees reach software applications, data storage, and other services remotely over the internet, creating a digital ecosystem rife with information security (InfoSec) complexities.

Adding to the cybersecurity complexities, the global pandemic shifted everyone to home offices and kitchen tables, accelerating digital transformation as companies tried to keep pace with the collaboration and communication challenges of remote working.

As companies continue to digitize their processes—including the transfer, storage, and processing of important and sensitive data and communications—and grapple with the challenge of securing both legacy and cloud systems, the role of InfoSec has never been more critical.

Under Attack

With the surge of people working from home, costly data breaches, phishing, and ransomware are on the rise. Did you know that the average total cost of a data breach was $137,000 higher when remote work was a factor?! In fact, 61% of companies reported a 25% or greater increase in cyberthreats since the beginning of the pandemic, and 68% of business leaders feel their cybersecurity risks are increasing.

Digital business has created a new ecosystem, one in which the greatest risk to information security may come from outside the organization as companies start to rely more heavily on third parties (e.g., professional services firms, SaaS vendors, cloud infrastructure).

In 2019, 70% of businesses rated their reliance on outside vendors as moderate to high, with nearly half (47%) experiencing a risk incident involving the use of a third party in the last three years. As a result, vendor risk management (VRM), and the accompanying information security questionnaire, have moved to the top of the priority list for many organizations—and rightly so.

What is vendor risk management?

Let’s talk shop for a minute. VRM includes a set of proactive actions that help the organization identify, manage, and monitor risks resulting from third-party vendors and suppliers of IT products and services. VRM programs are concerned with ensuring third-party products, IT vendors, and service providers do not disrupt business or damage the company’s finances or reputation.

What is a security questionnaire?

What exactly are those security questionnaires that are clogging up your inbox? An integral part of a company’s VRM program, a security questionnaire (also called a vendor risk assessment questionnaire or IT risk assessment questionnaire) is a tool that an organization circulates to a prospective product vendor or service provider to evaluate and validate their security practices before choosing to do business with that organization.

Typically composed of 150+ questions that can take up to 16-20 hours to complete (without the benefit of automation), security questionnaires are designed around five trust principles. These are the Trust Services Criteria the AICPA defines for SOC 2 reports, and most question sets map back to them even when the questions themselves come from another framework such as the Shared Assessments SIG or the Cloud Security Alliance CAIQ:

  1. Security
  2. Availability
  3. Processing integrity
  4. Confidentiality
  5. Privacy

The security questionnaire is how prospects and potential business partners collect the information about your organization that they need to feel secure in doing business with you. And it is your opportunity to demonstrate clearly and concisely the foundational role InfoSec plays within your company’s digital ecosystem.

How to Respond to an InfoSec Questionnaire Like a Pro

While responding to security questionnaires may seem like a daunting task—especially with tight turnarounds and sales reps depending on you to help keep the prospect moving through the buyer’s journey—there are ways to make the process not only simpler and speedier, but a valuable piece of your sales and RFP process. If you do it right, the process can foster trust and loyalty amongst prospective and existing customers and partners—which, ultimately, leads to winning more business. Sounds pretty good, right?

We sat down with Johan Olivier, Security and Compliance Director at QorusDocs, and picked his brain about all things InfoSec. He shared five tips to help you navigate the security questionnaire process like a pro:

  1. Appreciate the need for vendor risk management

    Your potential customers and business partners want peace of mind that you can be trusted with their data. It’s as simple as that. And to fully assure your prospects and partners, you must go above and beyond simply answering a set of questions: make an effort to really listen to stakeholders and interpret each question accurately, so that you answer what is truly being asked rather than what the wording superficially suggests.

    Support your responses with quality documentation and offer to engage in Q&A sessions to clarify uncertainties and answer questions. If you do this, the entire exercise will be more valuable, accurate, and rewarding to all parties. A solid win-win.

  2. Identify the ‘Value Add’ for your organization

    With the right approach, different business areas within your organization can benefit immensely from responding to security questionnaires. Security questionnaires provide direct feedback from the industry in terms of highlighting which aspects of security and organizational resilience are important.

    It’s a smart move to aggregate data from multiple questionnaires and use the most common topics as a yardstick to measure your own organization’s security posture across divisions (HR, Engineering, IT Operations, etc.). This exercise is incredibly valuable in terms of aligning and improving your organization’s security and resilience.

    And remember, the fact that you’ve been asked to respond to a security questionnaire is a good thing! It’s a sign that you’re succeeding, that you’re of interest to prospects, and that you’re on the path to closing more sales.

  3. Work smarter, not harder

    Because most security questionnaires require collaborating with SMEs across various departments, it’s critical to streamline collaboration and optimize efficiency on complex questionnaires. Simplify collaboration across the organization by using tools and applications that your contributors are familiar with, like Microsoft Word, Excel, etc.

  4. Build a Knowledge Library

    Knowledge libraries steal the show when it comes to filling out an InfoSec questionnaire. By capturing questions and answers into a knowledge base and consistently maintaining this repository of high-quality, accurate, and up-to-date supporting documentation, you’ll always have the resources and info you need to complete any questionnaire at the click of a button.

  5. Automate the process

    Make life easier by taking advantage of software that automates the response process. I’ll admit we’re a little biased, but QorusDocs is a stellar choice for automating your security questionnaire process. I mean, who wouldn’t want to complete complex questionnaires 5x faster?!
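As an added example (not QorusDocs code, and not from the original post), the Python sketch below shows the two data-handling ideas behind tips 2 and 4 in working form: a knowledge library of canonical answers, each with its backing evidence and a last-reviewed date; keyword matching of incoming questions to that library; a staleness check so an out-of-date answer is never drafted as-is; and a frequency count of topics across several questionnaires to use as the "yardstick" the second tip describes. The library entries, keyword sets, questionnaires and dates are all constructed for illustration.

```python
"""Added example: a minimal security-questionnaire knowledge library.

Not QorusDocs code. Every topic, keyword set, answer, evidence reference,
question and date below is constructed for illustration.
"""
from collections import Counter
from datetime import date
import re

# Hypothetical knowledge library: one canonical answer per topic, the evidence
# that backs it, and the date someone last verified that the answer is still true.
KNOWLEDGE_LIBRARY = {
    "encryption at rest": {
        "keywords": {"encrypt", "encrypted", "encryption", "rest", "storage"},
        "answer": "Customer data is encrypted at rest using AES-256.",
        "evidence": "Cloud KMS configuration export",
        "last_reviewed": date(2021, 6, 1),
    },
    "multi-factor authentication": {
        "keywords": {"mfa", "multi-factor", "2fa", "two-factor", "authentication"},
        "answer": "MFA is enforced for all staff accounts.",
        "evidence": "IdP policy screenshot",
        "last_reviewed": date(2020, 9, 15),  # constructed: deliberately old
    },
    "incident response": {
        "keywords": {"incident", "breach", "notification", "notify"},
        "answer": "Customers are notified within 72 hours of a confirmed breach.",
        "evidence": "IR plan section 4",
        "last_reviewed": date(2021, 7, 20),
    },
}

# Constructed sample questionnaires from two hypothetical prospects.
SAMPLE_QUESTIONNAIRES = [
    [
        "Is customer data encrypted at rest?",
        "Do you enforce multi-factor authentication for staff?",
        "How quickly do you notify customers of a breach?",
        "Do you perform annual penetration tests?",  # no library entry yet
    ],
    [
        "Describe your encryption of data in storage.",
        "What is your incident notification timeline?",
    ],
]
REVIEW_DATE = date(2021, 8, 12)  # "today" for the staleness check

WORD_RE = re.compile(r"[a-z0-9][a-z0-9-]*")


def tokenize(text):
    """Lower-case word tokens; hyphenated terms such as 'multi-factor' stay whole."""
    return set(WORD_RE.findall(text.lower()))


def match_topic(question, library=KNOWLEDGE_LIBRARY):
    """Return the library topic whose keywords best overlap the question, or None."""
    tokens = tokenize(question)
    best_topic, best_score = None, 0
    for topic, entry in library.items():
        score = len(tokens & entry["keywords"])
        if score > best_score:
            best_topic, best_score = topic, score
    return best_topic


def draft_responses(questions, today, max_age_days=180, library=KNOWLEDGE_LIBRARY):
    """Draft answers from the library.

    Returns (drafts, unmatched, stale): drafts are (question, topic, answer)
    triples; unmatched questions need a new library entry; stale topics have
    answers older than max_age_days and must be re-verified before they go out.
    """
    drafts, unmatched, stale = [], [], set()
    for question in questions:
        topic = match_topic(question, library)
        if topic is None:
            unmatched.append(question)
            continue
        entry = library[topic]
        if (today - entry["last_reviewed"]).days > max_age_days:
            stale.add(topic)
        drafts.append((question, topic, entry["answer"]))
    return drafts, unmatched, sorted(stale)


def topic_frequency(questionnaires, library=KNOWLEDGE_LIBRARY):
    """Count in how many questionnaires each topic appears (the aggregation yardstick)."""
    counter = Counter()
    for questions in questionnaires:
        topics = {match_topic(q, library) for q in questions}
        topics.discard(None)
        counter.update(topics)
    return counter


if __name__ == "__main__":
    drafts, unmatched, stale = draft_responses(SAMPLE_QUESTIONNAIRES[0], REVIEW_DATE)
    for question, topic, answer in drafts:
        print(f"[{topic}] {question} -> {answer}")
    print("needs a new library entry:", unmatched)
    print("re-verify before sending:", stale)
    print("topic frequency:", topic_frequency(SAMPLE_QUESTIONNAIRES).most_common())
```

The staleness check is the part a practitioner should not drop: an answer reused verbatim after the underlying control has changed is a false statement to a customer, so treat `last_reviewed` as a control of its own and block drafting from any entry past its review window. Real tooling would replace the keyword overlap with something better, but the library-plus-evidence-plus-review-date shape is what makes the knowledge base trustworthy.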

QorusDocs simplifies the way you respond to security questionnaires in multiple ways, including an intuitive auto-answer capability, task assignment across teams, progress monitoring, and easy access to up-to-date reusable content.

I hate to toot our own horn (do I?) but with QorusDocs on your side, you’ll be able to collaborate in everyday applications you already use, boost productivity with AI-powered content, and gain instant questionnaire insight for smarter follow-up conversations with prospects.

To learn more about security questionnaires and how to bring your ‘A’ game to the InfoSec table, visit our Template Hub to download The QorusDocs “Everything-you’ve-ever-wanted-to-know-and-more” Guide to Security Questionnaires. The QorusDocs Template Hub has a variety of templates, tools, and resources to accelerate and streamline your response process to win more business.
