December 12, 2024

Why security questionnaires are a familiar—but ineffective—norm for assessing risk

Written by
Chase Lee
VP Product


Security questionnaires are a standard part of almost every due diligence process before companies sign on to work with a new third party.

By asking detailed questions via questionnaires, organizations learn about a seller’s security controls and compliance with relevant standards. With that information, they determine whether and how a partnership with that third party will expand their attack surface and increase risk—and ultimately decide if the increased risk is acceptable. 

In theory, this process sounds great. But in practice, security questionnaires are an imperfect way to assess third-party risk.

For the issuing party, questionnaires only provide a point-in-time snapshot of an organization’s security posture and—unfortunately—are rarely evaluated in the way they should be. For sellers, questionnaires present a huge burden that often gets in the way of high-value security tasks that really move the needle.

A brief history of security questionnaires

Before diving deeper into the issues around security questionnaires, it’s important to acknowledge how we got here. At one point in time, security questionnaires really were the best option to assess third-party risk. 

Questionnaires—or some form of them—were used throughout the late 1990s and early 2000s and really gained traction when the Shared Assessments organization developed the Standardized Information Gathering (SIG) Questionnaire in 2005. The SIG streamlined the questionnaire process and provided an industry standard that offered guidance for vendor evaluation—a significant step toward broader adoption of third-party risk management (TPRM) best practices.

As data breaches became more prevalent—and third-party ecosystems expanded and became increasingly interdependent—the use of security questionnaires continued to rise. New questions were developed alongside technological advancements, covering topics like multi-factor authentication, secure development practices, and new compliance frameworks. At the same time, old questions with outdated and irrelevant assumptions outlived their welcome. 

Today, questionnaires are still the norm, and industry-standard versions like the SIG and the more recently introduced CAIQ include hundreds of questions about topics like endpoint security, compliance, operational resilience, and more.

Why the system is broken

Questionnaires have been around for a long time, but that doesn’t necessarily mean that they continue to be the best option for assessing risk. There are a lot of well-documented issues with questionnaires, including:


  • Questionnaire responses only represent a single point in time: Questionnaires have a limited shelf life. They inherently focus on an organization’s current security practices and compliance posture—but don’t necessarily account for continuous monitoring or for tracking and communicating important updates. Responses that are passable at the time the questionnaire is issued may have changed by the time an organization onboards with a vendor—rendering the entire process useless for organizations trying to truly assess the risk of working with a third party.
  • It’s hard to verify the accuracy of questionnaire responses: With questionnaires, organizations need to take vendors at their word. There is little opportunity or ability to investigate the information included in questionnaire responses, so it’s hard to know what information you can even trust. Alarmingly, reports indicate that only 34% of TPRM professionals believe the information included in security questionnaire responses. 
  • Questionnaires are rarely evaluated: Questionnaires are somewhat of a formality. Often, issuing parties will consider a vendor “secure” if they simply complete and return the questionnaire. There isn’t always a thorough evaluation of the actual information included in the questionnaire—or an effective way for issuing parties to request remediations for unsatisfactory responses.  
  • Questionnaires are a massive burden on security teams: Organizations tasked with completing questionnaires for prospects are left with a heavy burden. It’s difficult to gather all the necessary information, route through approvals, and complete extensive and in-depth questionnaires for each prospect relationship. Questionnaires can take anywhere from 5-15 hours to complete. Consider that against the volume of incoming questionnaires from prospects—which could amount to hundreds each month for larger companies. The time spent on security questionnaires takes resource-strained teams away from the high-value security work they really need to focus on to secure their systems, products, and data. 

At the end of the day, questionnaires check a box and provide a basic solution for buyers to assess risk. They’ve stood the test of time not because of efficacy but because there simply hasn’t been a better and more effective solution. 

The future of verification

A one-to-one approach made sense when third-party ecosystems were smaller and less complex, and the number of documents and the amount of information to share was more limited. 

But today, the pace of innovation is significantly faster and the threat landscape is larger. Organizations move quickly, rely on an ever-growing ecosystem of third-party partners, and need to monitor security on an ongoing basis. 

With all these changes in mind, forward-thinking organizations view the security verification process differently. They see verification as something that emerges from building mutual trust and promoting ongoing transparency versus something that’s earned by passing a test in the final stages of a deal cycle.

Instead of issuing questionnaires, the future of verification is about promoting continuous visibility to answer questions about an organization’s security posture—at any point in time—before they even need to be asked.

And those answers shouldn’t be restricted to a single recipient. Organizations across industries must commit to a baseline of public transparency, creating a network of public information in which buyers and sellers can both prove their own security and instantly verify the security of any potential partner they consider adding to their ecosystem. This will foster better collaboration, a faster pace of innovation, and broad accountability for the security of all systems. 

Thinking about verification in this way opens the door for new solutions that accomplish the goals of security questionnaires without the persistent issues related to timeliness, trust, and usefulness. 

Verification with Vanta Trust Centers

Organizations like Intercom, SmartRecruiters, ZoomInfo, and Miro are already living in the future of verification, having opted to invest in transparency with a Vanta Trust Center. 

Trust centers present a better option to approach verification for many reasons: 

  • Public facing: Anyone can access a public-facing trust center—whether you are actively engaged in contract negotiations with the hosting organization or simply considering a partnership in the future. While sensitive information may sit behind NDA approval (which can be easily managed within a trust center, too), the bulk of information is readily available to the public for fast and efficient review.
  • Continuous monitoring: Some trust centers present static information. But trust centers of the future (including Vanta’s) display real-time evidence of an organization’s security posture by continuously monitoring the state of passing controls—and communicating those results to the viewer. This is a more effective way to verify security and eliminates the limited-shelf-life problem.  
  • Self-serve information: Trust centers consolidate all the information an organization needs to evaluate the security of the vendor operating the trust center. They use source materials rather than summarized answers. With access to real policies, compliance audits, reports, and more—viewers can rest assured that the information is accurate. This is a significant step toward increasing trustworthiness in security verification. 
  • Accessible communication: In addition to an information repository, trust centers can also act as a one-stop shop to facilitate communications between an organization and its customers and prospects. Customers and prospects can ask questions about the materials and information provided in the trust center—in Vanta this happens via an AI-powered chatbot—and also request remediations. While security questionnaires don’t inherently invite ongoing conversation, trust centers offer an always-on two-way communication platform to have more meaningful conversations about security concerns.
  • Less manual work: For organizations that complete security questionnaires, trust centers offer a significantly better solution. With a single source of truth, they offer an opportunity to eliminate manual work and ease information-sharing processes. The bulk of work shifts toward actually securing systems—and away from managing an influx of incoming questions and redundant document sharing. 

With the broad adoption of trust centers, we can begin to build a trust network of the future—where buyers and sellers can instantly evaluate third parties and continue to move at the pace of innovation. 

Come join the effort. Step toward the future of verification with Vanta and learn more about the value of trust centers. 
