Tips on vendor assessments from experts in the industry
So you’ve just closed a deal with your first big enterprise client. Or, almost closed the deal. You just have to fill out a vendor security questionnaire and make it through that part of the process. Then the deal will be complete.
The only problem is, the questionnaire is hundreds of questions long. Some of the questions don’t make sense. Lots of them seem to be asking the exact…same…thing. And you don’t exactly have everything in place that they’re asking about.
The first few times you are asked to fill one of these out, it can be extremely intimidating.
What’s a SaaS company to do?
I interviewed 3 security experts who are the go-to people at each of their SaaS companies for completing these questionnaires and getting past the critical security review stage of procurement to close important deals with enterprise clients.
Don’t worry, we’ve got you covered. From sale to deal, here’s what every SaaS company needs to know about vendor security assessments.
#1: Tough it out
Contentful is an API-first CMS that enables developers to quickly structure and use content to build, release, and fine tune applications. As a technical product owner with a focus on security, Andreas Tiefenthaler ensures that the product meets security standards and teams follow security best practices.
“It’s a matter of trust — I’ve been on both sides of the vendor security process, sending out questionnaires and receiving questionnaires. Most of the time you just have to go through the hassle of filling them out. If you can manage to get through, it usually establishes enough trust to proceed further.” — Andreas, Contentful
#2: Be proactive
Cengage Learning is an EdTech company delivering eBooks and Learning Management Solutions. In his former role as Application Security Manager, Aaron Weaver was responsible for Rugged DevOps security, application security architecture, penetration testing, mobile security testing, and security training.
“It’s my least favorite part of my job, because there is no standard format that is accepted by all enterprises. I like to be proactive where I can and put things in place to prepare for what’s coming next, but in the case of vendor security every questionnaire that I receive is different and slightly nuanced to the customer’s specific situation.” — Aaron, (Former) Cengage
#3: It’s part of the job
Cobalt is an application security firm that connects organizations with vetted security researchers to deliver penetration tests on-demand via a SaaS platform. As CTO, Christian Hansen is responsible for building the Cobalt platform and overseeing product and employee security practices.
“Meeting vendor security requirements is just another part of building a good product. In order to do business, we must satisfy the security needs of the customer.” — Christian, Cobalt
I’ve compiled the advice I received from these three experts and put it into an FAQ style format below:
Q: When is it necessary to fill out a vendor security questionnaire?
A: For most deals, a buyer will send a vendor security questionnaire once the terms of the deal have been discussed, but not finalized. Security review is simply another part of the procurement process. Depending on what type of service the vendor is providing to the buyer, the buyer may be taking on additional security risk by working with the vendor and they want to know about it upfront. In some cases, you may need to fill out a vendor security questionnaire at the beginning rather than the middle or end of the sales process, in order to even be considered for an RFP. In either scenario, the buyer wants to know if you meet their security requirements before you move onto further stages for consideration.
“Sometimes you have to fill out a vendor security questionnaire just to even be considered. It’s part of the qualifying round. The client wants to know if you meet their requirements so that you can move to the next stage for consideration.” — Aaron, (Former) Cengage
Q: Who is the right person to fill out the vendor security questionnaire?
A: Usually one person takes the lead and fills out as much as he or she can, then asks others in the organization for help as needed. It really depends on the complexity of the particular questionnaire, as well as the way that roles are set up within the vendor organization. A more established vendor organization might have a large security team, with different individuals providing information on various topics, e.g. security policy, network security, application security. In a small start-up, each person wears many hats and one person may know enough about what’s going on to complete the entire questionnaire by his or herself.
“I was employee number 5, and now we have 110. I’ve been through lots of stages here. I have a background in software development and have also been a pen tester. Right now I am basically the go-to person for vendor security questionnaires and then I reach out to various teams (e.g. Finance, CTO, Infrastructure) if there are any questions that I am not able to answer myself.” — Andreas, Contentful
Q: How much time does it take to complete a vendor security questionnaire?
A: This step of the sales process usually has a fairly tight deadline ranging from a few days to a couple of weeks. Most vendor security questionnaires have hundreds of questions. One should expect at least a full day of effort for a single technical person to fill it out. If you fill out a lot of these questionnaires, you might want to consider preparing a set of responses to the Shared Assessments Standardized Information Gathering (SIG) or keeping past questionnaires organized and available in a database. Something else that helps is to have a clearly defined and published security policy — e.g. at Cobalt we have dedicated security policy.
“Typically these vendor security questionnaires have very tight deadlines, ranging from just a couple weeks to even faster in some situations.” — Aaron, (Former) Cengage
Q: What if we’re not doing everything listed on the vendor security questionnaire?
A: You don’t necessarily need to have everything in place 100%. Some organizations send these questionnaires out just to check a box, and others are quite serious about the responses and supporting evidence. Do you best to gauge which situation you’re in, and act accordingly. Enterprise firms understand that smaller companies typically have fewer resources to dedicate to security.
Think about what it is that you really do. A small start-up might not have a full blown security training program in place, but requiring all employees to complete a security checklist on a periodic basis is an appropriate level of training for a company of that size. As your organization grows and matures, it’s likely that your answers for vendor security questionnaires will change as well. You need to be transparent about the processes that you have, and hope it’s enough. You should never give up and say “no we don’t have this at all.” Even if you don’t have something in place today, it’s important to explain what your plan is for the future.
“It’s important to explain for each item that you are working on it, that it’s on your roadmap, or that you have compensating controls.” — Andreas, Contentful
Q: Is every vendor security questionnaire the same? Can I just respond to one of them and then copy-paste my same answers in the future?
A: Unfortunately, no. There is no single standard that is commonly used across all enterprises, but many start with the Shared Assessments Standardized Information Gathering (SIG) Questionnaire and customize from there. The number of items in a vendor security questionnaire may range from 30 to hundreds. Topics covering process, technology, and infrastructure are usually grouped into a handful of categories. Most of the time the questionnaire is sent over as a spreadsheet, but enterprises with the most mature vendor security programs (managing hundreds or thousands of vendors) will provide their vendors with access to a platform that can be used to manage the process of completing the questionnaire. A platform makes it much easier to work on the questionnaire for a little while, then save your work and come back to it later. You can ask questions and flag items for further discussion. Overall a platform makes things much easier for both you and the enterprise you’re negotiating with.
“The last time we completed a vendor security questionnaire, we were able to re-use about 60% of the answers based on a recent prior questionnaire. We of course reviewed the answers to ensure they were still the right fit, but it did save some time” — Christian, Cobalt
Q: What happens after I fill out the vendor security questionnaire?
A: Once you’ve completed the questionnaire to the best of your ability and turned it in, it’s then up to the receiving company to decide if they will accept it or not. In many cases, there may not be much questioning or further instruction. Unless the client has a couple of hot button issues (they may be going through an audit themselves, need to meet compliance requirements, or may have been burned in the past), they typically take your word for it. Sometimes, however, you will be challenged and required to provide further detail or submit evidence of a particular item or set of items.
“Some enterprises have no formal processes for asking about vendor security. They will just send a questionnaire, and go on from there. Others have a well-defined process for how to respond and want to see very specific answers and evidence for their questions.” — Christian, Cobalt
Q: Do I need to submit evidence for every little thing?
A: Some security controls are easier to verify than others. For example, it’s relatively easy to ask to see the results of a third party risk assessment or penetration test that covers the OWASP Top 10 and business logic. It’s harder to prove that a particular security process or best practice is being followed. When your client does ask to see the results of a recent pen test, your first response might me, “We don’t typically provide that information.” If they press further, you can begin by sharing a high level summary of findings, generally referred to as an attestation. Some companies will require that you share detailed findings from a pen test report, and a few may request evidence that findings have been fixed.
“How often do they ask for evidence? Rarely. It depends on what kind of organization it is and what they are going through. For example, if they are currently undergoing an audit, then they’re more likely to ask for evidence.” — Andreas, Contentful
How much evidence you are required to submit as part of a vendor security questionnaire typically depends on three key factors -
Type of enterprise: What kind of business do they do? What kind of regulatory requirements must they comply with? Organizations who deal with the most sensitive and regulated data will likely require the most evidence.
Type of deal: What kind of business are you proposing to do with them? If you are providing them with a key component of their product or service, or otherwise handling sensitive data on their behalf, the requirements are likely to be more strict.
Maturity in vendor risk management: Some enterprises are more mature than others when it comes to managing their vendors. On the low end of the maturity scale, enterprises will ask, “Are you secure?” and request that you fill out a vendor security questionnaire with little to no follow up. On the high end of the scale (larger companies, public companies, regulated companies), the enterprises that are most mature in this area are most likely to have documented security standards and follow their processes all the way to completion, which often means they will ask for evidence to verify certain types of security activities (e.g. third party penetration test).
What additional questions do you have about how to survive a vendor security questionnaire? Ask away in the comments below.
I plan to write a second article on this subject, Vendor Security Questionnaires: A Buyer’s Perspective, in which I share stories from the folks who are on the sitting on the other side of the table and managing vendor security risk across an enterprise. Stay tuned.
Interested in learning more?
Watch Chris Haag, Senior Director of Engineering at Agari, talk about the need for third party pen testing being driven by prospects and customers asking for it as part of their vendor risk management process.