How To Boss the Security Questionnaire

Want to win a big exciting client?

Have they asked you to complete a lengthy, jargon heavy cyber security questionnaire?

Want to answer it well and impress them along the way?
Contact me.

Not ready to part with your hard-earned cash and want to do it in-house? Great. You’re in the right place.
I’ve been on both sides of the table. I’ve been the client who sends you the questionnaire. I’ve designed them and reviewed answers many times over.
More recently, as a freelance security consultant, I’ve been helping startups satisfy such processes so they can win big clients. For one of my ongoing clients, I have to play two different roles as their trusted security advisor:

  1. Being their security leader and doing the right thing.
    This means doing what I can to improve their security environment in the right way, i.e. in a risk-based, cost-effective manner. Sometimes this means telling the client things they may not enjoy hearing, and trying to influence them to buy into my recommendations in order to reduce the probability and impact of a breach.
  2. Getting them through audits and security questionnaires.
    This is where my role changes slightly: instead of acting purely as a good, ethical security professional, my objective is to help them get over the line with any security audits and to complete security questionnaires so they can win new business.

Here I’ll explain the latter role, what the questionnaire process aims to achieve, and how to complete questionnaires well, or, boss them.

Why a security questionnaire?
Sending a potential supplier a security questionnaire is known in the cyber security industry as the security due diligence process. It can be seen as the security alternative to the financial due diligence check. It basically means: “Want to do business with us? Give us confidence you can behave securely with our data.”
In an idealistic, completely transparent world (we wish), it’s an ass-covering exercise.

Imagine this. One year after signing a contract with your new client, you suffer (sorry) a cyber security breach impacting that client’s data and/or their reputation. The client can now effectively remove any blame on their part and say “we did our security due diligence, the supplier told us they had their house in order”.

It’s worth covering one last aspect of the process. The prospective client is only interested in their own data and reputation. The questionnaire will not cover areas such as protecting your employee data, looking after other customers or securing your intellectual property, because those are not in their interests. I’m mentioning this because it’s important you don’t use the questionnaire as the only review/baseline of your security environment. Sure, use it to supplement your own gap assessments, audits/reviews, risk assessments etc., but don’t use it alone, because it doesn’t show the bigger picture in relation to your own security risks and processes.

So, now we understand the ‘why’, let’s look at the ‘how’.

How to boss the questionnaire
The best way to do this is to think empathically. The person who will read your completed security questionnaire will very possibly send and review tens or hundreds of questionnaires throughout the year. Big companies, especially financial companies, have entire departments of third party security due diligence managers. They could be bored out of their minds following such a repetitive process. So, think “how do I make their lives easier?”, and, “how do I impress them by doing something that others probably aren’t?”.
Here are some ideas. I’ve categorised them into three tailored areas. Go straight to the one which fits your situation:

  1. We have no security in place. Please help.
  2. We have reasonable security in place but there is room for improvement
  3. Our security environment is outstanding

Before we get into it, ensure you have a non-disclosure agreement in place before you send them the completed questionnaire and any supporting documentation. This will keep your legal people happy and demonstrate to the prospective client that healthy legal practices are in place.

1. We have no security in place

This isn’t an unusual scenario. I’ve helped a few clients in this situation and in some ways, it gives them a distinct advantage – they can design the security environment from scratch in the most risk-based, effective and efficient way. It’s slightly harder to manage them through the security questionnaire process, of course, but here’s how I navigate such situations:

  • Be ‘optimistically honest’
    If the questionnaire asks a question about an area where you have nothing in place, but you plan on implementing it in the coming months, say something along the lines of “we aim to have ‘x’ fully in place by ‘y’”. This is sneaky, but it’s a way of communicating that the area is a priority and there is some kind of road-map in place, without giving anything else away.

  • State you’re on a road-map/improvement program
    Further to the above, just by communicating you’re on a journey, you are giving the prospective client confidence that you take cyber security seriously. Again, think about being in the shoes of the other person: seeing that they are on a journey to improve means they know the importance of good security hygiene. Obviously, don’t say this if you have no program or intention of building one 🙂

  • If you don’t have a security policy or any documentation, create one whilst filling in the questionnaire.
    Similar to the previous point, having a security policy shows you’ve got some governance in place and have considered what security processes your company needs to follow. If you don’t have one yet, use this opportunity to get a basic one in place and include it as supporting documentation along with the completed questionnaire.

  • Refer to the security policy
    Once you have a security policy – refer to it where relevant when answering each question, but also answer the question inline whenever possible. This makes life easy for the person on the other side, they will appreciate it.

  • Offer to speak with the person responsible for reviewing the questionnaire
    Again, this delivers confidence that you care about security and gives an opportunity to build some rapport with another representative of your prospective client. If you want expert security representation on the call, get in touch with a consultant (like me) and ask them to help you along.

  • Offer a progress catch up call six months from now
    This is a great tactic, especially if you don’t have much security in place. It shows your commitment to security improvements and says “I won’t forget about security after this questionnaire”.

2. We have reasonable security in place but there is room for improvement

  • Provide any evidence you have to back up your answers
    If you are certified to any ISO standards, Cyber Essentials or any other relevant standards, proactively send evidence along with the completed questionnaire. Also, provide copies of your related security documentation, such as policies and procedures.

  • Send an executive summary of your latest penetration test
    This is relevant if you’ve performed a pen test against your web application, mobile app or similar in the last year, and it shows you have dealt with any high/critical findings. This proves you are not only implementing good security processes but are actively testing them and using the results as an opportunity for improvement.

  • State you’re on a road-map/improvement program
    Just by communicating this, you are giving the prospective client confidence that you take cyber security seriously. Again, think about being in the shoes of the other person: seeing that they are on a journey to improve means they know the importance of good security hygiene.

  • Refer to the security policy
    Once you have a security policy – refer to it where relevant when answering each question, but also answer the question inline whenever possible. This makes life easy for the person on the other side, they will appreciate it.

  • Offer to speak with the person responsible for reviewing the questionnaire
    Again, this delivers confidence that you care about security and gives an opportunity to build some rapport with another representative of your prospective client. If you want expert security representation on the call, get in touch with a consultant (like me) and ask them to help you along.

  • Offer a progress catch up call six months from now
    This is a great tactic. It shows your commitment to security improvements and says “I won’t forget about security after this questionnaire”.

3. Our security environment is outstanding
Not many companies are in this situation, if any at all. If they are, the company probably won’t need to read this blog, but they know where to find me if they need help 🙂

Conclusion
I hope this article proved helpful in your bid to complete the security questionnaire and win over your potential client when it comes to security.

Don’t forget that although the process is ultimately there to cover asses, it is an opportunity to impress the prospective client and an even better opportunity to baseline your security environment against the expectations of a client.

If you need an experienced consultant to help you along the way by providing some clarity or answering the questionnaire on your behalf, get in touch here:
https://practical-infosec.com
