Do You Have a Golden Cybersecurity Questionnaire?
It’s that time of year again – my two kids head off this month to overnight camp. They had a great time last summer: swimming, hiking, scavenger hunts, camp fires, stargazing, field trips, and much more.
And while it may sound like fun and games – okay, it is fun and games – getting them to camp is another matter.
In addition to writing a big check and procuring the requisite ten thousand items to accompany them (I may be exaggerating), there is the matter of …
… forms. Lots and lots of forms to be filled out.
There’s the enrollment form, the permission to treat form, and the camper care profile …
Why Rob, that doesn’t sound too bad.
… the health history, bunkmate requests, elective preferences, updated medical information …
Settle down Rob, you’re being overly dramatic.
… the family contract, camper photo, insurance information, transportation permission, liability waiver …
Okay, I get it.
It gets worse. There are no family forms; we have to fill out a complete set for each child. You know, in case our two kids happen to be covered by different health insurance plans or we have somehow changed our mailing address since completing forms for the first camper.
And, as it turns out, sleepaway camp and cybersecurity have more in common than just unwanted bugs (!) – compliance requirements for cybersecurity programs.
Whose Responsibility Is It?
In addition to asking to see certification and attestation reports, potential clients will often send along cybersecurity questionnaires. These can range from just a few pages to literally hundreds.
That’s a challenge, especially for small and midsize companies. Unlike their larger counterparts which have a Request for Proposal (RFP) department
So, who should take care of this – the CEO, CTO, or other high level executive?
If it is a multimillion-dollar deal, maybe. But if the senior team needs to get involved with this kind of thing regularly, many other important tasks will likely not be accomplished. As cybersecurity questionnaires become a bigger part of a company’s business, a formalized approach is required.
Often, the company will construct a “Golden Questionnaire” – a single document that answers all the common questions regarding its approach to cybersecurity. In addition to providing a degree of consistency across various prospect interactions, this document allows more junior team members to do the bulk of the work.
There are even commercially available tools in the marketplace that aid in assembling, answering, and tracking the answers. (Each of these has its own set of pluses and minuses.)
But none of this is entirely plug and play. The questions can vary slightly – but significantly – from questionnaire to questionnaire, they can easily be misinterpreted, and the company’s certifications and approach to technology can change over time. Any one of these scenarios can have a material effect on what constitutes a correct answer.
So, while the concept of a Golden Questionnaire makes sense, it’s never as simple as cut, paste, and push send. Instead, here are some guidelines for developing a process that works…
#1. Tell the truth.
One hundred percent of the time. Yes, some of your answers may be “bad” in the context of proving your cybersecurity credentials. But typically, they are not disqualifying. (If they are, they may serve as a datapoint for something that needs attending to.)
For example, if asked, “Do you use MFA on all your systems?” – and you do not – the customer may ask for a fix or accept something less than perfect. But if you shade the truth and a problem arises in the future, now you may be on the hook for a lot more than just a lost customer.
#2. Involve an expert.
Once the answers are assembled from the Golden Questionnaire, make sure your internal product experts review them. This is especially important for in-depth or technically complicated questions.
Over time, things change. Especially after a new product release, make sure to update your answers.
#4. Take advantage of AI.
AI will save a lot of time. You can load in your source documents and ask AI to take the first cut at providing answers. AI can probably write better than your tech person and is likely more technically accurate than a writer. Again, just make sure it’s reviewed by an expert.
#5. Involve the executive team as needed.
This is particularly critical in the context of future roadmap commitments.
For example, let’s say you’ve got an obvious deficiency in your program – a data center in just one region with no resilient backup in another part of the country. If, to satisfy a questionnaire requirement, you agree to having a second data center operational by the end of the year, you have just committed a lot of money to a future project.
Senior management needs to be involved. Then, make sure to track commitments made so nothing falls through the cracks.
Develop a Process
For a company without a dedicated RFP department, the cybersecurity questionnaire process is invariably hectic, even chaotic. It’s not done frequently, and while not especially hard, it’s easy to make mistakes, especially when first getting started.
You can improve the outcome and reduce errors by doing as much as you can to follow these guidelines and standardize your approach.
As for me, I look forward to enjoying three and a half weeks of solo adult time with my wife. Thankfully, there are no forms to fill out.
This article originally appeared on the Fractional CISO blog.
Tenacious, Authentic, Inclusive, Caring, Influential
5 months ago: Great stuff per usual. Had a good chuckle at "...sleepaway camp and cybersecurity have more in common than just unwanted bugs (!)"
What does good look like?
5 months ago: Ok, a completed questionnaire ensures security?
CMMC Town Crier | Ask me about NIST security controls | Smashing compliance frameworks for fun and profit | Cyber policy wonk |
5 months ago: Security, security everywhere and not a drop of assurance.
Security & Compliance Leader | Chief Information Security Officer & vCISO| Risk, Audit, Compliance and Governance.. oh yeah!
5 months ago: Years ago, I developed an Access database to track all the questions we were asked and the corresponding answers. It streamlined our process—turning what used to take days into just a few hours. By simply referencing previous responses and ensuring they accurately addressed the current questions, we significantly improved response times. It was remarkable how much customers, and especially potential customers, valued the quick turnaround. Today, with AI, the process has evolved even further. Now, you can simply feed in a questionnaire and a set of answers, and the AI can handle most of the work. What used to take hours can now be done in minutes. It’s incredible how far technology has come!
Consultant ISO 27001 - ISO 42001 - EU AI Act | Helping startups going from 0 to compliance | Sharing tools for lead implementors & auditors
5 months ago: I understand why some professionals can have objections on whether to use AI or not. Fair enough. But I believe that security questionnaires are really an area where it is relevant (high pain level, repeatability, existence of a knowledge base).