What’s your “hot take” when it comes to security questionnaires?

SOC2 compliance, PCI compliance and Incident Response SLAs

It amazes me that security questionnaires are still seen as a key component of vendor due diligence. Most of the time this is a checkbox compliance exercise. I rarely see meaningful follow-up to responses that are clearly high-risk and I can say that as someone who has sat on both sides.

Companies know how to answer these questionnaires to pass compliance knowing full well that if the requester dug any deeper they would fail.

Do not let this be your own process in checking compliance. Ask for evidence and follow-up on answers. Don't let completing a questionnaires be your only due diligence.

We know that they are lying, they know that they are lying, they even know that we know they are lying, we also know that they know we know they are lying too, they of course know that we certainly know they know we know they are lying too as well, but they are still lying.

My "hot take" on security questionnaires is that while they’re a useful starting point, it’s vital not to depend solely on any single document. Always look for certifications, audit reports like SOC2, and other third-party assurances to confirm your security posture. Check if the organization already has a completed questionnaire to avoid duplication and save time. It’s crucial to incorporate your specific security requirements directly into the agreement, especially for non-regulated industries. For regulated industries, ensure you include a formal compliance statement and a requirement for proof of compliance. Ultimately, create a customized set of questionnaires and assessments based on the nature of the services, data sensitivity, and level of access involved—this detailed approach more effectively manages risk and clarifies expectations.

Everyone are utilizing these questionnaires extensively, yet their attention remains largely unengaged unless there is a compelling reason to do so. In my experience, even companies in highly regulated industries have found themselves wasting a significant amount of time completing security questionnaires. A potential improvement involves incorporating these questionnaires into the contract itself. By sending the questionnaire prior to the contract signature, you can clearly state that the questionnaire will become an annex, thereby binding the individual who answers it to the contract.

For instance, despite working in an insurance institution in Europe that is heavily regulated by DORA and EIOPA, we still have clients who request that to complete their security questionnaires. I fail to discern any practical purpose in this request, as we are already subject to the regulations and supervision of the local regulator.