What’s your “hot take” when it comes to security questionnaires?
Director of IT in Software, 3 days ago
To attempt to cover risk, security questionnaires often ask for a growing range of security certifications. There does not appear to be a correlation between security breaches and the completion of these certifications. They are more a comfort exercise than a true test. On paper, certifications may give a false sense of security with the vendor in question, given that some of the most high-profile security failures have come from what would undoubtedly be some of the most well-certified vendors.
Everyone is utilizing these questionnaires extensively, yet their attention remains largely unengaged unless there is a compelling reason to do so. In my experience, even companies in highly regulated industries have found themselves wasting a significant amount of time completing security questionnaires. A potential improvement involves incorporating these questionnaires into the contract itself. By sending the questionnaire prior to the contract signature, you can clearly state that the questionnaire will become an annex, thereby binding the individual who answers it to the contract.
For instance, despite working in an insurance institution in Europe that is heavily regulated by DORA and EIOPA, we still have clients who request that we complete their security questionnaires. I fail to discern any practical purpose in this request, as we are already subject to the regulations and supervision of the local regulator.