Measuring/certifying security programs Risk management

Understanding and accelerating security questionnaires

As more and more organizations migrate sensitive customer data to the cloud, System and Organization Control 2 (SOC 2) compliance increasingly becomes a necessity for doing business. Any company offering software as a service (SaaS) or storing customer data in the cloud needs to be SOC 2 compliant. More than a simple technical audit, SOC 2 requires companies to demonstrate policies and procedures that maintain security, availability, and confidentiality of customer data.

A very critical part of the sales process is passing the security review and before you have proof of a SOC 2 (or even oftentimes after) you'll be asked to complete a security questionnaire, also known as a security assessment, vendor assessment, or third-party questionnaire.

For the sales team, security questionnaires can be an obstacle to closed deals. Regardless of where an organization is on its SOC 2 journey, this can delay the sales process for several days or weeks, even for companies that have responded to security questionnaires in the past. Organizations still in the “What is SOC 2?” stage of the journey may need weeks or even months to complete a SOC 2 questionnaire. In either case, if a competitor has processes and technology in place to produce the questionnaire faster, they are in a better position to close the sale.

So when the email containing a security assessment questionnaire arrives, have the tools and procedures ready to tackle the job before the email is forwarded to the CIO or IT Director.

SOC 2 security questionnaires

Every security questionnaire is different. They contain lists of technical, often complex, questions that require input from multiple people in different departments that can turn the process into a circus very easily. Though the goal of security questionnaires is always to determine if an organization can be trusted with sensitive customer data (the best way to do this is to get SOC 2 compliant!) the subject areas and the number of questions can differ. Security questionnaires often touch on subjects like identity and access management, threat management, application, and interface security, business continuity, and risk management.

They take time and effort to complete and are almost always placed in the lap of the CIO/CISO (or other IT lead), who has much more important things to do. Questions can range from the simple and easy—checking boxes on a list—to in-depth with probing follow-up questions that depend on answers given. Questionnaires can be as short as 20 questions or as long as 100 or even more. The scope depends on the complexity of the product purchased, type of service delivered, and sensitivity of customer data stored. Check out Security questionnaires 101: the basics for a quick guide to what you need to know.

Third-party vendor security and privacy questionnaires

Procurement departments issue security questionnaires and require SOC 2 compliance to help quantify the risk associated with choosing an organization as a third-party vendor who will provide products and services to the company doing the purchasing.

For organizations who serve less heavily regulated verticals, they may see some amount of standardization in security questionnaires designed to meet specific industry regulations. But almost regardless of industry, regulations about customer data are evolving so rapidly, the need for specific answers and more depth of understanding often demands custom questionnaires. Custom questionnaires create more work because it’s harder for companies to work from a library of answers should they be fortunate enough to have one. In these cases, it helps to have technology and processes at hand that can help translate answers from one questionnaire to another.

Why do companies receive SOC 2 questionnaires?

Security questionnaires typically arrive when potential customers want proof of an  organization's security posture and SOC 2 compliance, usually during an RFP process. The questions asked and answered on the questionnaire create the library of responses companies use to respond to security questionnaires.

How long does it take to complete security questionnaires?

Too long.

Typically, having a SOC 2 report on hand will replace the need for completing a questionnaire, but many large enterprise customers will still insist all vendors complete security questionnaires and vendor assessments. This is table stakes for any sales team selling cloud-based solutions. Security questionnaires need to be completed as quickly as possible to accelerate the sales cycle and close deals, but the sales team is not who completes the form. It’s the IT team, HR manager, and legal department—all the personnel charged with maintaining security controls around systems and policies. 

Each of these experts takes time away from their primary responsibilities to answer the security questionnaires, often seeing some version of the same question over and over. It’s time consuming and disruptive to department workflows. 

The cumbersome manual process is often too slow and deals are lost. Depending on the size of the questionnaires and the length of sales cycles, security questionnaires can feel like a never-ending cycle. Finish one and another arrives the next day, one with questions just different enough from the last questionnaire to make the next completion slog just as brutal as the last one. That’s why forward-thinking companies are finding ways to leverage their SOC 2 reports to respond to the questionnaires.

It’s time to free up the IT department’s time and leave completion of security questionnaires in good hands, leaving organizations with peace of mind knowing that response time will be faster and answers correct.

How can we speed up the process with AI?

Strike Graph tackles the security questionnaire pain point with a machine learning (ML) solution that uses existing control sets to respond to security questionnaires efficiently and accurately. Strike Graph uses AI to streamline the process and leverage the active internal control program to respond consistently to each questionnaire. The Strike Graph solution uses predictive modeling to respond to each item using the most appropriate control in an organization’s active control library. After a company uses Strike Graph for SOC 2 readiness, an existing control will likely map to one of the security questions. 

After submitting SOC 2 reports to Strike Graph, another report is produced showing the most relevant active control (or controls) that address the specific area of each question within 48 hours. This saves time, improves accuracy, and provides confidence about the answers provided. By leveraging existing internal controls to respond to security questionnaires, organizations gain the advantage of faster response—closing more deals and not losing out because of cumbersome, time-consuming response measures.

  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

Learn how you can leverage Strike Graph for your cybersecurity needs