How to Survive a Vendor Security Questionnaire
So you’ve just closed a deal with your first big enterprise client. Or, almost closed the deal. You just have to fill out a vendor security questionnaire and make it through that part of the process. Then the deal will be complete.
The only problem is, the questionnaire is hundreds of questions long. Some of the questions don’t make sense. Lots of them seem to be asking the exact…same…thing. And you don’t exactly have everything in place that they’re asking about.
The first few times you are asked to fill one of these out, it can be extremely intimidating.
What’s a SaaS company to do?
I interviewed 3 security experts who are the go-to people at each of their SaaS companies for completing these questionnaires and getting past the critical security review stage of procurement to close important deals with enterprise clients.
Don’t worry, we’ve got you covered. From first sales call to closed deal, here’s what every SaaS company needs to know about vendor security assessments.
#1: Tough it out
Contentful is an API-first CMS that enables developers to quickly structure and use content to build, release, and fine-tune applications. As a technical product owner with a focus on security, Andreas Tiefenthaler ensures that the product meets security standards and that teams follow security best practices.
“It’s a matter of trust — I’ve been on both sides of the vendor security process, sending out questionnaires and receiving questionnaires. Most of the time you just have to go through the hassle of filling them out. If you can manage to get through, it usually establishes enough trust to proceed further.” — Andreas, Technical Product Owner at Contentful
#2: Be proactive
Cengage Learning is an EdTech company delivering eBooks and Learning Management Solutions. In his former role as Application Security Manager, Aaron Weaver was responsible for Rugged DevOps security, application security architecture, penetration testing, mobile security testing, and security training.
“It’s my least favorite part of my job, because there is no standard format that is accepted by all enterprises. I like to be proactive where I can and put things in place to prepare for what’s coming next, but in the case of vendor security every questionnaire that I receive is different and slightly nuanced to the customer’s specific situation.” — Aaron, (Former) Application Security Manager at Cengage
#3: It’s part of the job
Cobalt is an application security firm that connects organizations with vetted security researchers to deliver penetration tests on-demand via a SaaS platform. As CTO, Christian Hansen is responsible for building the Cobalt platform and overseeing product and employee security practices.
“Meeting vendor security requirements is just another part of building a good product. In order to do business, we must satisfy the security needs of the customer.” — Christian, CTO at Cobalt
Frequently Asked Questions
I’ve compiled the advice I received from these three experts and put it into an FAQ. Check it out here and read their answers to the following questions:
- When is it necessary to fill out a vendor security questionnaire?
- Who is the right person to fill out the vendor security questionnaire?
- How much time does it take to complete a vendor security questionnaire?
- What if we’re not doing everything listed on the vendor security questionnaire?
- Is every vendor security questionnaire the same? Can I just respond to one of them and then copy-paste my same answers in the future?
- What happens after I fill out the vendor security questionnaire?
- Do I need to submit evidence for every little thing?
What additional questions do you have about how to survive a vendor security questionnaire?
Ask away in the comments below.
I plan to write a second article on this subject, Vendor Security Questionnaires: A Buyer’s Perspective, in which I share stories from the folks who are sitting on the other side of the table and managing vendor security risk across an enterprise.
Stay tuned.
Comments
Information Security Risk Mitigation and Governance | Threat Modeling | Security Operations | Penetration Testing | Cybersecurity | NIST | PCI | Industries: Advertising & Marketing, Automotive, Manufacturing, Education (7 years ago): How do you respond when they ask for a copy of your security policy? Do you have two different policies, one internal and one external?
Founder and CEO at Moonsite, software development and outsourcing services (7 years ago): Thanks. Really need this information today.
Staff Information Security Analyst at ServiceNow (7 years ago): Interested in your next article on vendor security questionnaires: Buyer's Perspective.
Director, GRC at Vanta (7 years ago): Do you think SOC 2 or ISO 27k certification can be used to lower the burden of responding to questionnaires?
Chief Executive Officer and Co-Founder (7 years ago): Thank you for clearly presenting the day-to-day of many of us!