It’s not hard to understand why security questionnaires are necessary. Because regulations like GDPR and NYDFS are holding businesses accountable for their third parties’ cybersecurity, it’s important for enterprises to assess and continuously monitor all vendors, suppliers and business partners. And the initial vetting of any third parties typically begins with a comprehensive security questionnaire to evaluate cyber posture.
But this process is far from perfect. Why do so many companies have trouble dealing with security questionnaires? Here are our top three reasons.
Because the digital world is dynamic and a company’s IT changes rapidly, a one-time security questionnaire is outdated as soon as it is completed. As a result, questionnaires don’t provide a true picture of the supplier’s security posture.
Let’s say a company wishes to work with a supplier. Typically, the company sends the supplier a lengthy security questionnaire, usually as a spreadsheet, which needs to be completed. When it is finished, the spreadsheet is sent back to the company for review. Often there are additional clarification questions. And so the process typically continues for a long time, until the supplier is approved or rejected. In fact, companies report that it takes an average of nine weeks to complete a questionnaire.
Ironically, the process that is supposed to help companies grow instead becomes a business inhibitor. Rather than enabling companies to onboard suppliers as quickly as possible, the security vetting stalls the process. In today’s competitive digital world, companies obviously can’t afford this delay.
To assess, track, validate and follow up on security questionnaires, enterprises require a team. In many cases, that team is still not able to review all suppliers, so many fall through the cracks. With some questionnaires including as many as 850 questions, many teams do not succeed in reviewing all the answers as thoroughly as they should. Bottom line? Security questionnaires demand lots of people, time and money.
How can companies alleviate this arduous security questionnaire process? Using Panorays’ automated security management platform, companies can customize questionnaires, automate standardized ones like the Consensus Assessments Initiative Questionnaire and easily track responses without using even a single spreadsheet. These responses are combined with an outside-in view of a supplier’s attack surface to provide a complete picture of a supplier’s cyber posture.
Panorays’ questionnaires also take business context into consideration, so that irrelevant questions are removed while others receive greater weight. Because the process is automated, customers have seen their security vetting process reduced from months to days.
Want to learn more about how your company can speed up its security questionnaire process? Contact us for more information.