I made a new friend recently, a very personable - and yet straight-up, say-it-like-it-is - tech startup leader. Before long he mentioned a major cybersecurity pain point that his team struggles with: they spend countless hours fielding and responding to customers' security questionnaires.
If you lead a tech startup or a community of tech startups, you can probably relate. For my friend's startup, their customers (usually prospective customers) want to know that the startup has the processes, tools, and techniques to keep their data safe. So they send questionnaires that the startup must study, complete, and review with the prospect before any sale is feasible. The problem for him is that almost every prospect has a custom questionnaire with custom security questions that don't map neatly onto the answers his team already has on hand from the one popular security certification they completed.
This didn't surprise me at all. Virtually every growing tech startup I've come across has the same problem - especially if it processes sensitive data or operates in a security-sensitive industry like HealthTech, FinTech, EnergyTech, or EdTech. For my team and me at Resilient, it has become a problem we care about deeply. We are eager to share that there are simple ways to avoid spending limited resources and hours on the grunt work of customer security questionnaires. Let's look at the top 3...
3 Proactive Ways to Reduce the Hassle of Customers' Security Questionnaires
1. Take Control of Your Security Narrative - Craft A Public-facing Security Attestation and Controls Document.
Your customers create security questionnaires so they can learn and understand the security of your product. They just want to know what's going on. However, there's also the reality that the IT or cybersecurity team of that customer usually writes the questionnaire based on its own knowledge and experience of security, which may not match the security model of your startup at all. This is particularly relevant for innovative, cutting-edge products that protect data in new ways or avoid unnecessary data capture altogether. In these cases, your team will spend a lot of time mapping the customer's custom security questions onto your own security design and controls.
In the scenarios described here, your startup can be proactive by creating a public-facing security attestation statement. This statement should concisely describe the security practices and processes you use to build security into your product(s). It can also describe the high-level security model, design, and controls of the product.
Crafting a statement like this is a game-changer for the following reasons:
It answers many of the questions your customers will have, and will greatly reduce the number of questionnaires your startup receives. And when you do need to complete a questionnaire, many more people on your team will be empowered to answer most of the questions.
Different sections, summaries, or the whole statement can be placed on your website, internal wiki, brochures, and so on, and even referenced in ads or landing pages.
It gets executive leadership, sales, marketing, and engineering on the same page about the security posture of the company. For instance, you don't want your salespeople confusing prospects about security on discovery calls, potentially scaring away customers or creating a mountain for your startup to climb to get the sale.
One thing I must note: take care to craft the statement without revealing IP or exposing your company to legal liability. Describe what you do, not how every control is implemented, and have someone check that every claim in it is one you can actually back up with evidence.
2. One Response to Rule Them All - Use a broad framework like ISO27001 to draft a master response
Often, the questionnaires your customers send were created based on a particular security and privacy framework, e.g. NIST, ISO 27001, SOC 2, CIS, HIPAA, FedRAMP, GDPR, etc. Additionally - although this is not always the case - the questionnaires are usually generated by a risk and compliance tool, which groups the questions (and their available responses) into the domains of one of a few frameworks, typically ISO 27001/27002 or NIST SP 800-53.
The good news is that most of the major frameworks address the same concerns, just with differences in breadth, style, approach, emphasis, or cost. For example, NIST SP 800-53 is free to obtain, ISO 27001 is a paid standard, and FedRAMP is very dense. Another example: there is no certification against NIST SP 800-53, but ISO 27001 can be certified by an accredited certification body (and much of the work done against NIST SP 800-53 will carry over to ISO 27001 if you decide to pursue certification, since the two control sets overlap heavily).
A proactive startup can select a broad framework like NIST SP 800-53 or ISO 27001 that covers most customers' security questions, get the required processes and controls in place - even without pursuing certification - and respond to every questionnaire from that chosen framework. You can also let your customers know which framework you're responding from, which makes it easy for them to map your answers back onto their own questions.
Except for customers who require a specific certification, attestation, or authorization - for example PCI DSS, FedRAMP, or documented HIPAA compliance (HIPAA itself has no official certification) - most customers just want to know you're doing your due diligence. And for the customers that do require one, the fact that you're already working from a major security framework will greatly speed up your certification process.
3. Who says you have to be the ones to complete them? - You can outsource.
Yep, there's an app for that - or, more accurately, there are people for that. As awareness of the importance of cybersecurity grows, customer security questionnaires have become the norm. In recent years, companies and services have sprung up specifically to respond to those questionnaires on behalf of tech startups. Essentially, a startup receives a questionnaire, forwards it to such a company, and they complete it and send it back for review.
Some of these companies also offer a searchable repository where your customers can conveniently search your security attestation documents, security audit reports, or security framework status reports to find answers to the specific questions they have before they consider sending you a questionnaire at all.
Note, though, that to benefit from an outsourced questionnaire response company, you will likely need to execute one or both of the other two proactive steps described above. The outsourced responders need to understand your product's security well enough that their answers don't require a lot of review or correction on your side - and you remain responsible for the accuracy of whatever they submit in your name, so keep that review step.
The FREE 5-Minute Security Assessment for Startups ™
I hope you found this article helpful. If you're a SaaS startup leader, please check out our free 5-Minute Security Assessment, designed specifically for software startups. Yes, it really does take you only 5 minutes; then we do the rest. Once you complete the assessment, we craft two confidential reports: a Security Assessment Report that shows where you stand with software security and your score, and a Security Recommendations Report with custom solutions that your team can either begin implementing or add to your roadmap.