Field Notes

Pro tips for dealing with security questionnaires

Ever received a 328-question Excel sheet from a prospective customer that inevitably asks about controls you don’t have? Here are some tips I’ve found useful for dealing with them:

Don’t say you do something that you don’t. It will come back to bite you if the control you claimed to have would have prevented an incident, or kept one smaller than it turned out to be.

Understand that not having a control they ask about is not automatically a deal breaker. Some questions are purely informational. If one matters to them, they’ll let you know.

Try to understand what they’re really asking about and answer in that context.

If they’re asking about VPNs, they probably don’t actually care about VPNs. More likely they want assurance that traffic is encrypted in transit.

You could describe how all your traffic is encrypted with TLS, how plaintext protocols are prohibited, how your engineers reach production through a bastion host over SSH with MFA, and so on. Whatever makes sense in the context of your systems. If they really do care about VPNs specifically, they’ll follow up.

Those questions about something you’re very much not interested in doing? You can always say “No”.

If they push back, use your most powerful weapon: “Why?”

Ask them to help you understand their specific concern. You likely have other controls in place that address it. If they’re asking whether you monitor employee web browsing, or something equally unpalatable, try a semi-tangential answer such as “No, but we run endpoint detection on every host to catch any malware that gets downloaded.”

Sometimes you’ll find questions that no longer make sense as written. Do your best to map them onto whatever the equivalent risk is this millennium and describe how you address that.

Are they asking for guarantees that there are no time bombs or trap doors in your cloud offering? After you finish looking up the definitions (if you’re under 40), gently remind them that there are no guarantees in security, then describe your secure development practices, such as peer review and code analysis tools, or touch on your network controls and intrusion detection monitoring.

Despite the general ineffectiveness of many security questionnaires, some will ask for genuinely useful controls you don’t yet have in place. A prospective customer asking about one is a very good way to shine a light on a risk you’ve wanted to address but haven’t had the budget or time for.

Proactively provide a pre-filled Cloud Security Alliance CAIQ (Consensus Assessments Initiative Questionnaire) or Vendor Security Alliance questionnaire. Large customers will often still want you to fill out theirs, but it’s always worth a try.

If all else fails, I’m sure there are some AI products, fine-tuned for patience, ready to help fill out even the longest multi-tab spreadsheet that may come your way. Full disclosure: I ended up building one. TrustMind handles the nightmare formatting automatically: upload a Word doc or Excel file and get it back completed in the same format.