The security questionnaire conundrum

While it's important that we assess one another's security and governance, there should be a more standardized, reasonable, streamlined process to do so.


It’s Friday afternoon, the weekend is right around the corner and just when you thought you were in the clear, a security questionnaire lands in your inbox. You sit back and wonder: “what are the chances this will be a well-reasoned, logical request with a rational deadline?”

You glance at the email, and it says something like “Hey, can you fill this out for me? The customer needs it by Monday!” Well, that answers that question…ZERO chance. You open the questionnaire and see that it’s four hundred questions in length and looks suspiciously like an entire security governance framework that has been dropped into a locked spreadsheet. Oh, and your only options are “yes” or “no.”

Realizing you are missing a lot of important detail, you reach out to the sender with clarifying questions: what services and solutions are in scope for the questionnaire? What type of data is involved? Are any solutions hosted/cloud-based? Are the services and solutions onsite or offsite? Does this scenario sound familiar?

While the actual clarifying questions will vary depending on your company (or client), the point is that the request was completely devoid of the information you need to accurately answer the questionnaire. Which brings us to the next point: applicability.

All too often the very need for the security questionnaire is called into question. Regardless, a questionnaire with four hundred questions likely isn't appropriate or necessary. To compound the problem, if you do need to question its applicability, getting to a resource that can have that discussion can be a challenge, particularly if the questionnaire came from the customer's procurement team, which may just be trying to "check a box." Ultimately, you may get the answer(s) you were seeking, but the time and energy required are far from insignificant, and they are avoidable.

On the flip side, let's say the questionnaire is applicable and you found out what's in scope. You then determine your company is providing a combination of solutions: some onsite, some offsite and some hosted, each potentially with its own valid answer. Now what? When your only options are "yes" or "no," do you fill out multiple copies (400 × 3)? Or try to modify it, assuming it's not locked, so you can provide multiple answers and comments? That's a lot of extra work for one questionnaire.

Unfortunately, the above scenario is becoming a near daily occurrence for today’s security teams. Don’t get me wrong, we must assess one another’s security and governance; however, there should be a more standardized, reasonable, streamlined process to do so.

So, what’s the answer? While some vendors have developed tools that try to solve this puzzle, I haven’t seen a silver bullet yet. Some companies have opted to push this function out to a third party to deal with it. However, in my experience, working through a third party makes an already lengthy and frustrating process substantially longer as you now have to work through even more people who may lack the proper context.

Without having that “silver bullet,” here are some suggestions to help streamline the process:

For questionnaires that you respond to:

  • Implement a process, automated if possible, that documents incoming requests, along with training that helps ensure the questionnaires reach you as soon as possible
  • Require all employees, or requestors, to share all of the relevant information (scope, data types, etc.) upfront
  • Catalog the answers you provide to help ensure consistent information is given, review that information on a regular basis and add new answers as you see new questions

For questionnaires you develop or use:

  • Always have not applicable (N/A) as a valid answer
  • Allow the user to provide comments for each answer and require them when the answer is N/A
  • Don't drop a formal framework into a spreadsheet. Think about what it is you are really trying to determine. If you do need to base the questions on a framework, make sure they are worded in a logical, straightforward manner
  • Make sure any requests for documentation are reasonable. For example, I am not going to provide detailed network diagrams; that's just bad security, and I am far more likely to show you documentation via remote session as opposed to sending you the documents
  • Consider the length and depth of the questionnaire. There is a difference between a full audit and trying to determine if the other party understands and has implemented reasonable security controls

While the above doesn’t solve the broader issue, it should help streamline your current processes. In the future, I hope to see a universally accepted hosted solution that enables you to populate all your solutions/services along with comprehensive answers covering a wide array of governance/security topics that can be mapped to multiple frameworks.

Once the initial effort is completed, the data would be validated and updated on a regular basis. This standardized approach would require more effort upfront but would be far more efficient. Bottom line: a comprehensive questionnaire with the right context is much more efficient and ultimately more relevant to the customer's needs.

I’d like to share more insights but since I started writing this three more landed in my inbox. I’d better get going…

Copyright © 2018 IDG Communications, Inc.
