Do You Have a Golden Cybersecurity Questionnaire?

It’s that time of year again – my two kids head off this month to overnight camp. They had a great time last summer: swimming, hiking, scavenger hunts, camp fires, stargazing, field trips, and much more.

And while it may sound like fun and games – okay, it is fun and games – getting them to camp is another matter.

In addition to writing a big check and procuring the requisite ten thousand items to accompany them (I may be exaggerating), there is the matter of …

… forms. Lots and lots of forms to be filled out.

There’s the enrollment form, the permission to treat form, and the camper care profile …

Why Rob, that doesn’t sound too bad.

… the health history, bunkmate requests, elective preferences, updated medical information …

Settle down Rob, you’re being overly dramatic.

… the family contract, camper photo, insurance information, transportation permission, liability waiver …

Okay, I get it.

It gets worse. There are no family forms; we have to fill out a complete set for each child. You know, in case our two kids happen to be covered by different health insurance plans or we have somehow changed our mailing address since completing forms for the first camper.

And, as it turns out, sleepaway camp and cybersecurity have more in common than just unwanted bugs (!): compliance requirements for cybersecurity programs also demand the completion of all kinds of detailed questionnaires.

Whose Responsibility Is It?

In addition to asking to see certification and attestation reports, potential clients will often send along cybersecurity questionnaires. These can range from just a few pages to literally hundreds.

That’s a challenge, especially for small and midsize companies. Unlike their larger counterparts, they typically do not have a Request for Proposal (RFP) department specifically tasked with answering cybersecurity and other product-related questions.

So, who should take care of this – the CEO, CTO, or other high level executive?

If it is a multimillion-dollar deal, maybe. But if the senior team needs to get involved with this kind of thing regularly, many other important tasks will likely not be accomplished. As cybersecurity questionnaires become a bigger part of a company’s business, a formalized approach is required.

The Golden Questionnaire

Often, the company will construct a “Golden Questionnaire” – a single document that answers all the common questions regarding its approach to cybersecurity. In addition to providing a degree of consistency across various prospect interactions, this document allows more junior team members to do the bulk of the work.

There are even commercially available tools in the marketplace that aid in assembling, answering, and tracking the answers. (Each of these has its own set of pluses and minuses.)

But none of this is entirely plug and play. The questions can vary slightly – but significantly – from questionnaire to questionnaire, they can easily be misinterpreted, and the company’s certifications and approach to technology can change over time. Any one of these scenarios can have a material effect on what constitutes a correct answer.

So, while the concept of a Golden Questionnaire makes sense, it’s never as simple as cut, paste, and push send. Instead, here are some guidelines for developing a process that works…

#1. Tell the truth.

One hundred percent of the time. Yes, some of your answers may be “bad” in the context of proving your cybersecurity credentials. But typically, they are not disqualifying. (If they are, they may serve as a datapoint for something that needs attending to.)

For example, if asked, “Do you use MFA on all your systems?” – and you do not – the customer may ask for a fix or accept something less than perfect. But if you shade the truth and a problem arises in the future, now you may be on the hook for a lot more than just a lost customer.

#2. Involve an expert.

Once the answers are assembled from the Golden Questionnaire, make sure your internal product experts review them. This is especially important for in-depth or technically complicated questions.

#3. Periodically review your answers.

Over time, things change. Especially after a new product release, make sure to update your answers.

#4. Take advantage of AI.

AI will save a lot of time. You can load in your source documents and ask AI to take the first cut at providing answers. AI can probably write better than your tech person and is likely more technically accurate than a writer. Again, just make sure it’s reviewed by an expert.

#5. Involve the executive team as needed.

This is particularly critical in the context of future roadmap commitments.

For example, let’s say you’ve got an obvious deficiency in your program – a data center in just one region with no resilient backup in another part of the country. If, to satisfy a questionnaire requirement, you agree to having a second data center operational by the end of the year, you have just committed a lot of money to a future project.

Senior management needs to be involved. Then, make sure to track commitments made so nothing falls through the cracks.

Develop a Process

For a company without a dedicated RFP department, the cybersecurity questionnaire process is invariably hectic, even chaotic. It’s not done frequently, and while not especially hard, it’s easy to make mistakes, especially when first getting started.

You can improve the outcome and reduce errors by doing as much as you can to follow these guidelines and standardize your approach.

As for me, I look forward to enjoying three and a half weeks of solo adult time with my wife. Thankfully, there are no forms to fill out.


This article originally appeared on the Fractional CISO blog.

Michael Skidmore

Tenacious, Authentic, Inclusive, Caring, Influential

5 months

Great stuff per usual. Had a good chuckle at "...sleepaway camp and cybersecurity have more in common than just unwanted bugs (!)"

Koenraad Béroudiaux

What does good look like?

5 months

Ok, a completed questionnaire ensures security?

Jacob Horne

CMMC Town Crier | Ask me about NIST security controls | Smashing compliance frameworks for fun and profit | Cyber policy wonk |

5 months

Security, security everywhere and not a drop of assurance.

James Flowers CISSP, CISM

Security & Compliance Leader | Chief Information Security Officer & vCISO| Risk, Audit, Compliance and Governance.. oh yeah!

5 months

Years ago, I developed an Access database to track all the questions we were asked and the corresponding answers. It streamlined our process—turning what used to take days into just a few hours. By simply referencing previous responses and ensuring they accurately addressed the current questions, we significantly improved response times. It was remarkable how much customers, and especially potential customers, valued the quick turnaround. Today, with AI, the process has evolved even further. Now, you can simply feed in a questionnaire and a set of answers, and the AI can handle most of the work. What used to take hours can now be done in minutes. It’s incredible how far technology has come!

Tristan Roth

Consultant ISO 27001 - ISO 42001 - EU AI Act | Helping startups going from 0 to compliance | Sharing tools for lead implementors & auditors

5 months

I understand why some professionals can have objections on whether to use AI or not. Fair enough. But I believe that security questionnaires is really an area where it is relevant (high pain level, repeatability, existence of a knowledge base).