Do You Have a Golden Cybersecurity Questionnaire?

It’s that time of year again – my two kids head off this month to overnight camp. They had a great time last summer: swimming, hiking, scavenger hunts, camp fires, stargazing, field trips, and much more.

And while it may sound like fun and games – okay, it is fun and games – getting them to camp is another matter.

In addition to writing a big check and procuring the requisite ten thousand items to accompany them (I may be exaggerating), there is the matter of …

… forms. Lots and lots of forms to be filled out.

There’s the enrollment form, the permission to treat form, and the camper care profile …

Why Rob, that doesn’t sound too bad.

… the health history, bunkmate requests, elective preferences, updated medical information …

Settle down Rob, you’re being overly dramatic.

… the family contract, camper photo, insurance information, transportation permission, liability waiver …

Okay, I get it.

It gets worse. There are no family forms; we have to fill out a complete set for each child. You know, in case our two kids happen to be covered by different health insurance plans or we have somehow changed our mailing address since completing forms for the first camper.

And, as it turns out, sleepaway camp and cybersecurity have more in common than just unwanted bugs (!) – compliance requirements for cybersecurity programs also demand the completion of all kinds of detailed questionnaires.?

Whose Responsibility Is It?

In addition to asking to see certification and attestation reports, potential clients will often send along cybersecurity questionnaires. These can range from just a few pages to literally hundreds.

That’s a challenge, especially for small and midsize companies. Unlike their larger counterparts which have a Request for Proposal (RFP) department specifically tasked with answering cybersecurity and other product-related questions, they do not.

So, who should take care of this – the CEO, CTO, or other high level executive??

If it is a multimillion-dollar deal, maybe. But if the senior team needs to get involved with this kind of thing regularly, many other important tasks will likely not be accomplished. As cybersecurity questionnaires become a bigger part of a company’s business, a formalized approach is required.

The Golden Questionnaire

Often, the company will construct a “Golden Questionnaire” – a single document that answers all the common questions regarding its approach to cybersecurity. In addition to providing a degree of consistency across various prospect interactions, this document allows more junior team members to do the bulk of the work.

There are even commercially available tools in the marketplace that aid in assembling, answering, and tracking the answers. (Each of these has its own set of pluses and minuses.)

But none of this is entirely plug and play. The questions can vary slightly – but significantly – from questionnaire to questionnaire, they can easily be misinterpreted, and the company’s certifications and approach to technology can change over time. Any one of these scenarios can have a material effect on what constitutes a correct answer.

So, while the concept of a Golden Questionnaire makes sense, it’s never as simple as cut, paste, and push send. Instead, here are some guidelines for developing a process that works…

#1. Tell the truth.?

One hundred percent of the time. Yes, some of your answers may be “bad” in the context of proving your cybersecurity credentials. But typically, they are not disqualifying. (If they are, they may serve as a datapoint for something that needs attending to.)

For example, if asked, “Do you use MFA on all your systems?” – and you do not – the customer may ask for a fix or accept something less than perfect. But if you shade the truth and a problem arises in the future, now you may be on the hook for a lot more than just a lost customer.

#2. Involve an expert.?

Once the answers are assembled from the Golden Questionnaire, make sure your internal product experts review them. This is especially important for in-depth or technically complicated questions.?

#3. Periodically review your answers.?

Over time, things change. Especially after a new product release, make sure to update your answers.

#4. Take advantage of AI.?

AI will save a lot of time. You can load in your source documents and ask AI to take the first cut at providing answers. AI can probably write better than your tech person and is likely more technically accurate than a writer. Again, just make sure it’s reviewed by an expert.

#5. Involve the executive team as needed.?

This is particularly critical in the context of future roadmap commitments.?

For example, let’s say you’ve got an obvious deficiency in your program – a data center in just one region with no resilient back up in another part of the country. If, to satisfy a questionnaire requirement, you agree to having a second data center operational by the end of the year, you have just committed a lot of money to a future project.?

Senior management needs to be involved. Then, make sure to track commitments made so nothing falls through the cracks.

Develop a Process

For a company without a dedicated RFP department, the cybersecurity questionnaire process is invariably hectic, even chaotic. It’s not done frequently, and while not especially hard, it’s easy to make mistakes, especially when first getting started.

You can improve the outcome and reduce errors by doing as much as you can to follow these guidelines and standardize your approach.

As for me, I look forward to enjoying three and a half weeks of solo adult time with my wife. Thankfully, there are no forms to fill out.?

Want to get great cybersecurity content delivered to your inbox??Click here?to sign up for our monthly newsletter, Tales from the Click.

This article originally appeared on the Fractional CISO blog.