Accruent is a SaaS (Software-as-a-Service) company dedicated to helping customers and clients with their physical space and asset management. In recent years, the company has seen notable growth as they’ve acquired other companies to increase their share in the space. They now have nine different products—all of them technical in nature.
Between all those products, the proposals team has a lot of RFPs (request for proposals) to manage and is regularly juggling several at once. According to Jack Pearce, Manager of the Proposal Team, the technical nature of Accruent’s products means the proposals team doesn’t have the knowledge required to answer all the questions themselves. But the company’s subject matter experts (SMEs) are busy people, and the team has to be cautious how much of their time they ask for.
Before Jack became the proposal manager at Accruent, he was a proposal writer. As such, he knew the company had access to RFPIO. But he never used it himself. “None of us did,” he explained. “It wasn’t really rolled out properly. No one was trained on it, everyone just thought it was another system they had to learn.”
They had some content stored in it, but none of it was organized. As a proposal writer, Jack hadn’t fully understood the value of RFPIO. But as a proposal manager, his view changed. Suddenly, he saw how much potential the tool had to make all their lives easier.
Making RFPIO’s potential a reality
In 2020, Jack embarked on a project to re-roll out RFPIO at Accruent. He worked with his colleague James May, at that time a Proposal Writer new to the organization, to better organize the content already contained in RFPIO’s Content Library. They reworked the collections the content was organized within, and created a better tagging structure. They now have nine content collections—one for each product—and another collection for security questions.
Beyond that initial project of getting the Content Library in good shape, they make a point of performing ongoing content maintenance. Whenever James—now considered the company’s resident RFPIO guru—isn’t busy working on an RFP, he devotes time to cleaning up the tags, makes sure the moderation queue is at zero (or close to it), and works with SMEs to keep all content up to date.
RFPIO is now central to Accruent’s RFP process
The proposals team now knows to start the RFP process in RFPIO, and to complete as much of it as they can using the content available. That creates a better relationship with the company’s SMEs, who now know that anytime the proposals team asks for their help, it means they’ve already done as much as they can on their own. Even better, they know each answer they provide will go in the Content Library, saving them that much more time on future RFPs.
In addition to the Content Library, the team also gets a lot of value from RFPIO’s collaboration features. Between everyone involved in the proposal process, they often have 3-8 SMEs working on RFPs at a time. Enabling efficient communication between the various people involved is important.
Before RFPIO, “Every time someone didn’t like an answer, we’d have to have a call about it,” explains Jack. “Now we just use the comments function in RFPIO to facilitate that conversation.” That makes for a more efficient process, and keeps all the correspondence in one place.
The proposals team aren’t the only ones who feel the difference. Chris Low, a Senior Account Director at Accruent, has also shared his feelings on the change: “RFPIO and the processes the team created around it make collaborating with our amazing proposals team even easier. From a simple intake form, to answering questions at a canter with the library, it’s been a huge help and certainly attestable to winning new business.”
The result: submitting more RFPs, with more confidence
With the help of the Content Library in RFPIO, the proposals team is now able to complete around 50% of all RFP questions on their own. That increases efficiency to the degree that they’ve gone from working on 5-6 live RFPs at a time to tackling 15-25 live projects at once. “That is simply because we can do more because of the platform,” Jack says.
Completing more RFPs has also made them better at determining which ones are worth their time. In practice, that has meant fewer no-gos than before. “It’s given us the confidence to take on more opportunities,” Jack shared.
They’ve also seen a big difference in how they handle security questionnaires. The responsibility for those has generally fallen to one person—and it was really too much work to put on him alone. Now, the proposals team is generally able to get 75% of the questionnaires completed on the first pass. That’s cut the response time from ten days to five.
Answering RFP questions meant asking busy SMEs to give up their time
The proposals team is able to answer around 50% of all questions on their own, giving SMEs that time back
They juggled 5-6 live RFPs at a time
They handle 15-25 live RFPs at a time
Security questionnaires were primarily the responsibility of one SME, and took around 10 days to complete
The proposals team can answer 75% of the security questionnaire before they send it on to the SME, and they’re completed in half the time
They were limited in how many RFPs they felt comfortable responding to
Replying to more RFPs has increased their confidence in which ones they believe they can win, meaning an increase in the number they submit
Jack and his team don’t mince words when they talk about the difference RFPIO has made. “A life without RFPIO would not be worth living,” he says. “It would be bloody difficult. And you can quote me on that.”
According to T.C. Kaiser, SVP – Global Solution Consulting at Accruent, “Our proposals team has a high volume of projects live and RFPIO enables them to deliver with speed while maintaining a high level of quality. Our team relies on the platform to deliver value to our organization and make the best impression with our customers.”
When it came time for Jack to make the case to superiors for renewal last year, he reports, “I said, ‘this is non-negotiable. If we don’t have RFPIO, we cannot do as much work as we do currently.’”
Not that anyone needed much convincing. The proposal process is so centered on RFPIO that people have taken to referring to the proposals team as the “RFPIO team.” According to Jack, “that is probably the biggest compliment we can give the system.”
If you’re like me, you regularly receive emails advising you to change your passwords because one company or another has suffered a security breach. Unfortunately, data breaches are all too common.
In 2021, there were over 1,800 reported data breaches. That is a significant uptick from prior years. 83% of those breaches involved sensitive customer information, such as Social Security and credit card numbers.
The average data breach costs $4.4 million, and much of that is passed on to customers—the same customers who had their sensitive data compromised.
No wonder many businesses now consider cybersecurity their number one concern. Not only does a data breach cost money, it also runs the risk of damaging credibility and eroding trust. Some companies, especially small companies, never recover.
More than half of organizations have experienced third-party data breaches, often despite having what they think is a rigorous security protocol.
The average tech stack might contain dozens of different applications and tools. Sometimes, bad actors sneak in through one of those third-party applications, so it’s critical to properly vet each vendor’s security protocols as you would your own.
The most common way to vet vendors is through security questionnaires. But what are security questionnaires, and how do you respond to them in a way that you, as a vendor, will instill trust?
What is a security questionnaire?
After reading this far, you probably have a good idea of what a security questionnaire is. Still, to boil it down, it’s a questionnaire designed to determine whether a vendor or potential vendor is compliant with your security and legal requirements.
Not surprisingly, security questionnaires are complex and highly technical. The good news is that most questions have “yes” or “no” answers.
DDQ vs. security questionnaire
Many people confuse security questionnaires and DDQs (due diligence questionnaires). It’s easy to see why, as both are issued to assess a company’s compliance with the issuer’s regulations and security requirements.
Neither DDQs nor security questionnaires are specifically part of a sales cycle, although they may be issued before entering into a contract. They might also be issued before an organization has even decided to buy, to weed out non-compliant companies before (and in case) the buying process begins.
There are significant differences between the two types of documents, however. You’re most likely to see DDQs if you’re in the financial segment. They are broader in scope than security questionnaires and may ask about business plans, profits and losses, revenue, etc. They might also ask about cybersecurity policies.
A security questionnaire is more straightforward and can be issued from any segment to any organization, although primarily to tech companies. While DDQs ask broad questions about processes, often in narrative form, a security questionnaire forces you to pony up your proof of compliance.
You might see both a DDQ and security questionnaire before receiving an RFP. Generally, the DDQ will come first. Once the issuer is satisfied that you meet their requirements, they might send a security questionnaire to gather certificates and other forms of proof.
In some cases, a security questionnaire follows an RFP and could be the last step before finalizing a deal.
Preparing for a security questionnaire response
Security questionnaires usually arrive via the response manager or perhaps through a CRM. Since most questions center around cybersecurity, SMEs can be from IT, risk management, sales engineering, accounting, information security, operations, and even HR.
The response turnaround time is typically shorter with a security questionnaire than with an RFx. The issuer might want it within days.
Components of a security questionnaire
There are many, many types of security questionnaires, and it would be impossible to list them in this blog post, but here are some examples of what a security questionnaire might assess:
Datacenter and physical security
Web application security
Security audits and penetration testing
Personnel policies, hiring practices, and training programs
SLAs and uptime vs. downtime
Types of security questionnaires
There are several types of security questionnaires, but primarily, you will see these:
SIG and SIG Lite – Standardized Information Gathering Questionnaires
NIST 800-171 – National Institute of Standards and Technology Questionnaire
CIS Controls – Center for Internet Security Questionnaire
How to respond to security questionnaires – and how RFPIO will help
If you are a response manager, you’re likely very comfortable responding to an RFx or even a DDQ. Both allow for a bit of creativity, in that, along with answering questions, you’re constructing a narrative to show how your company is the right fit for the issuer.
Security questionnaires aren’t about narratives. They are straightforward and stringent, and accuracy is a legal requirement. Clearly, there’s no room for error. If you’re ready, let’s grab a cup of coffee, or your favorite motivational elixir, and dive right in.
Step 1 – Search for all available materials
While security questionnaires are undeniably bulky and complex, there’s a lot of redundancy. You have probably answered many similar questions before. Search your existing database for those answers.
Often, issuers send a boilerplate questionnaire rather than customize it to each product. Eliminate the questions that don’t apply to your product. Don’t be afraid to ask the issuer to clarify questions that seem confusing or unnecessary.
Step 1 with RFPIO – Prebuilt centralized Content Library
RFPIO features the industry-leading AI-powered prebuilt Content Library. Every previous security questionnaire and all your documentation are housed in one place, accessible to any authorized user.
Step 2 – Answer only the pre-existing matching responses
Response management isn’t like school. In fact, copying other people’s work is encouraged. Search your existing database for pre-existing matching responses and use them when you can.
Step 2 with RFPIO – System-driven identification of sections and questions
RFPIO’s import capabilities, which include Lightning import through Salesforce, leverage machine learning to automatically find matching responses, without you having to initiate the process. This feature alone can do up to 80% of the work for you.
Step 3 – Group all unanswered questions and collaborate with SMEs
Once you’ve found all the applicable existing content, you’ll need to collaborate with SMEs to finish the process. Group all your unanswered questions, broken up by SME, and inform them of their timelines.
Step 3 with RFPIO – Automate through AI
RFPIO’s auto-respond feature and recommendation engine find existing documents and similar, although not specifically matching, content for SMEs’ review. As a side benefit, once SMEs recognize the time-saving capabilities of RFPIO, they’ll be far more likely to help you in the future.
Step 4 – Follow up and track the status of responses
Make sure every team member is completing their portion in a timely manner.
Step 4 with RFPIO – Streamline collaboration through project management capabilities
RFPIO’s Project Module offers up-to-the-minute reporting and reminders to ensure that the questionnaire will be ready on time.
Step 5 – Manually collate and complete the questionnaire
Whew! You’ve answered all the questions and all you have to do is collate the answers and export them back to the original document. Unfortunately, for many companies, that’s a manual process which could take hours—and sometimes days.
Step 5 with RFPIO – Export to the source file
RFPIO eliminates all of the cumbersome manual work with automatic exporting to the response file, all within seconds.
Security questionnaire response obstacles
There’s no direct line from a security questionnaire to revenue generation, which is why they’re sometimes left on the back burner. But that’s not the only reason there might be reluctance on the part of your response team. Other obstacles include:
Length – A security questionnaire can have hundreds to thousands of questions. That’s more than a little intimidating if the answers aren’t ready to go.
You’re time-bound – Sometimes the questionnaire gets stuck in an internal limbo, and sometimes the issuer sends it expecting an almost immediate turnaround. Having most of the answers ready will cut your response time to a fraction of what it could have been.
SME cooperation – SMEs are busy people, so understandably, they might not put the security questionnaire at the top of their “to-do” list. Assure them that you value their time by completing as much of the questionnaire as possible.
You don’t have all the certifications and protocol – Most companies won’t be able to answer every question in the affirmative. Submit what you have and perhaps see this as an opportunity to reevaluate where your company might be lacking.
Too much jargon – Security questionnaires tend to be jargon-heavy, and if you aren’t familiar with what they’re asking, you might not provide an accurate answer. SMEs can help, but so can a well-organized Content Library that is searchable even by the jargon itself.
Scattered knowledge (identifying and locating the right content) – If you have a siloed knowledge base, tracking everything down is challenging and time-consuming. Upload all of your certificates, documents, and Q&A pairs to a single source of truth accessible to any authorized stakeholder.
Non-compliant content management software – If your content management software isn’t compliant with your company’s requirements, SMEs, especially those in security, won’t use it. RFPIO is even secure enough for Microsoft.
Priorities and tips for the response process
As you’re staring down a seemingly infinite inbox and a calendar filled with back-to-back meetings, speed might be your top priority. However, security questionnaires are legal documents, so accuracy is the most crucial consideration. Fortunately, response software with built-in content management helps ensure both.
Import/Export capabilities – Avoid disorganized, inconsistent, illogical formatting by importing security questionnaires right into your customized template for uniformity, making each stakeholder’s job much more manageable. Once you’ve completed the questionnaire, upload it onto your branded response template or straight to the source document.
Project management – If your workforce is like ours, you have people working from home, on other floors, in other buildings, and across the world. RFPIO helps you virtually gather your scattered stakeholders and track progress without chasing people down.
Content management – If I, for some reason, were forced to choose my favorite RFPIO feature, it would be the AI-powered Content Library. It:
Busts down silos – RFPIO’s Content Library is a single source of truth, with all of your company’s knowledge and documents in one repository.
Does most of the work for you – Once you upload the questionnaire, the Content Library’s magical gnomes—we call them the recommendation engine—comb through past responses to make suggestions. All you have to do is accept, edit, or reject. Since security questionnaires ask yes/no questions, there’s little to no editing.
Stores content – As the company creates more knowledge and documents, the Content Library will store them for future use.
Organizes content – Format, tag, and generally organize the content how you want.
Helps keep you compliant – Since we’re talking about security questionnaires, your security team will love this! RFPIO reminds you of expiration and “shred by” dates. It also reminds you when to review specific content and when to audit.
Integrations – RFPIO seamlessly integrates with nearly all the communication apps, CRMs, and productivity apps your company uses every day.
RFPIO® LookUp – Access the Content Library from anywhere in the world.
Autograph – With RFPIO’s Autograph, there’s no need to hunt signatories down. They can sign right from their computers.
Improving Content Library
Keep your Content Library clean, up to date, and organized by consulting with sales engineers and others involved in answering security questionnaires. Ask for their input in categorizing and tagging.
Keeping information up-to-date
Because security questionnaires are legal documents, accurate and up-to-date information is vital. RFPIO reminds you to clean out all the ROT (redundant, outdated, and trivial) information and documents. It even helps you locate all the ROT.
Software for security questionnaire responses
Many companies still rely on manual responses, which are time-consuming and inefficient. One way to differentiate your company from your competitors is to use advanced response software for security questionnaires.
Response software, such as RFPIO, gives each security questionnaire the thoroughness and scrutiny required while saving your team time, keeping SMEs on your good side, and helping keep you compliant.
If you use a CRM or project management software, you probably already know the benefits of automation. Most users do. In fact, IT professionals, such as those helping answer security questionnaires, save up to 20 hours a week using automated processes.
Automation is a morale booster! 45% of knowledge workers report feeling less burned out when they use automation tools, and 29% say automation lets them leave their jobs at the end of the official workday.
RFPIO’s automated response processes automatically fill in most of your answers to a security questionnaire and pull corresponding documents. One customer reports that after RFPIO security questionnaire automation, they can answer 100 questions in just 2 hours!
Most security questionnaires arrive in Excel, which, as you know, is about as standardized as the snowflakes covering Mount Everest. Excel isn’t to blame. Microsoft designed the OG of spreadsheets to track everything from kids’ activities to trips to space.
RFPIO imports the hundreds to thousands of lines on a security questionnaire spreadsheet onto your customized template, ensuring that everyone knows exactly how to find what they need. Additionally, since many questions are redundant, RFPIO answers those duplicate questions for you.
RFPIO’s approach to security questionnaire responses
Breathe a little easier next time you receive a security questionnaire, knowing that RFPIO has your back. You will save loads of time, create accurate, complete responses, and stay on your SMEs’ good sides.
From content to timing, confusion often surrounds the differences between a due diligence questionnaire (DDQ) and a security questionnaire. Read on to learn the nuances of each document to improve your responses and win that next deal.
What is a DDQ?
A DDQ stands for due diligence questionnaire. Organizations send them to mitigate risk before entering into an agreement with another company. It is a formal document designed to establish whether a vendor complies with industry and/or customer standards or needs, including how the vendor manages its own network and cybersecurity protocols.
Unlike an RFP, a DDQ is not as much about competitive evaluations. A DDQ is all about compliance and business practices.
What is a security questionnaire?
Much like it sounds, a security questionnaire is sent to potential vendors to determine whether their security protocol meets the issuer’s standards and legal requirements. Security questionnaires are technical and usually highly complex, however most questions are “yes” or “no” rather than narrative.
Note that neither DDQs nor security questionnaires are sales documents.
Any organization can issue a DDQ, but we see them most in the financial services industry. Security questionnaires are primarily used by organizations operating in technology—either hardware or software.
Much like a DDQ, a security questionnaire will not be used as a method of evaluation between vendors. Although, if an organization throws an RFP (request for proposal) into the mix, then both questionnaires play a role in market comparison.
Because a security questionnaire is not a competitive evaluation, the issuer won’t spend time performing a security review with more than five potential vendors. It’s completely different from responding to an RFP, which may be sent out to tons of vendors to cast a wide net.
Usually, a security questionnaire comes from a security department (infosec, IT security, cloud security, etc.). While a DDQ will not necessarily come from that department—marketing, client services, or compliance teams frequently send these documents to responders.
Even when you become their vendor partner, you might see a due diligence questionnaire again and again. Especially in the financial services industry, DDQs are sent to vendors annually—even quarterly—so make sure you’re up to speed on industry regulations.
A security questionnaire is predominantly an Excel spreadsheet. A DDQ could be a spreadsheet, but about 70% of the time, this questionnaire lives in a Word document.
Security questionnaires tend to be a standard set of questions, where you answer some variation of a yes/no answer in a drop-down. You might need to add some commentary to back up your answer. While there will be some black or white questions in a DDQ, there is also room for interpretation and creating a narrative.
Succeeding with Security Questionnaires and DDQs
To knock content out of the park with security questionnaires and DDQs, naturally, the best technique is accuracy. With that top of mind, here are other tips to help you succeed as a responder.
You have a lot less room to knock this content out of the park. Your data is encrypted or it’s not. You either have the firewall or you don’t. It’s not about how you implement the firewall, it’s simply: Do you have the firewall set up?
Stick to the facts
Obviously, one thing you don’t want to do is lie. Let’s say you are asked if you check your disaster recovery plans every 60 days. If your process is checking disaster recovery plans once a year, don’t say “yes.” They will find out 60 days later when you don’t meet their requirements.
Time to completion
Time to completion is a really good thing to shoot for with security questionnaire responses. You’re usually still in an evaluation process where you might be the vendor of choice or you’re one of two choices.
Similar to an RFP response, there is more room for creativity with your DDQ content. However, don’t respond to a DDQ exactly as you would to an RFP. Before you respond, consult with the correct SMEs (subject matter experts).
Early stage advice
If you receive a DDQ in the early stages of the sales cycle, this document might be their vendor filtering method. DDQs are not the time for a sales pitch. Instead, consider showing your strengths with compelling and (most importantly) accurate narratives showing compliance.
Late stage advice
During the late stage of the cycle, your DDQ might be a recurring document you respond to with an existing client, or it could be in addition to a DDQ you’ve already answered. Get straight to the point and ensure accuracy to show you are still in compliance.
If due diligence questionnaires are a regular part of your sales process, response software for DDQs, such as RFPIO, makes answering them a whole lot easier. Your RFPIO Content Library can answer many of a DDQ’s questions with a few clicks.
RFPIO can help you increase DDQ and security questionnaire accuracy and efficiency. Demo RFPIO today to support your sales process.
$4.35 million. That’s the global average cost of a data breach in 2019, according to Statista.
So it’s no wonder that companies invest heavily in cybersecurity. By 2025, it’s expected that annual global spending on cybersecurity products will exceed $460 billion—and this trend is only expected to continue on its upward trajectory.
If you’re storing company information in RFPIO to streamline your RFP responses, I have good news: RFPIO has state-of-the-art security controls to protect your data. Even so, there are still extra things you can do to further protect your information.
Here are 10 things you can do to further strengthen security in RFPIO:
1. Use SSO: A Sweet Security Option
SSO stands for Single Sign-On, but it is also a super sweet security option. RFPIO uses the most widely accepted industry standard, SAML 2.0.
With SSO, RFPIO users use the credentials they already have to sign in. That means they don’t have to remember (yet another) separate user ID and password—and Admins don’t have to take on the responsibility of managing user credentials.
SSO isn’t just convenient. It’s also more secure. When you use SSO, passwords aren’t stored in the browser and there’s a lower risk of a lost or forgotten password. This prevents security gaps that hackers will exploit to gain unauthorized access to the application.
Additionally, SSO allows Admins to manage user activities in real-time, which gives you the extra visibility you need for a tightly run security program.
2. Automate user management with SCIM
SCIM stands for System for Cross-Domain Identity Management. Luckily, it is not as complicated as the 13-syllable name would have you believe.
In a nutshell, SCIM simplifies user management. If SCIM is enabled, users can be added or deleted automatically. It’s as easy as that.
On the one hand, SCIM makes life much easier for Admins. No more manually adding and deleting user accounts.
But it’s also important from a security perspective. With SCIM, user accounts are automatically deleted as soon as employees leave your organization, which means employees won’t have access to sensitive company information after they’ve left.
SCIM happens through SSO and is supported by OneLogin and Microsoft Azure. If your identity provider supports it, I highly recommend implementing SCIM—both for the added convenience and peace of mind.
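The deprovisioning flow described above, as an added example that is not RFPIO code: a minimal in-memory user store that accepts the SCIM 2.0 messages an identity provider sends (a POST to create the user, a PatchOp that sets `active` to false when the employee leaves, and a DELETE of the resource), plus the application-side check that refuses logins for accounts that are no longer active. The schema URNs are the standard ones from RFC 7643/7644; the store class, the `deprovision_flow` helper and the `alice@example.com` account are constructed for the demo.

```python
"""SCIM 2.0 deprovisioning, in miniature (constructed example, not RFPIO's implementation)."""

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"       # RFC 7643


class ScimUserStore:
    """In-memory stand-in for the application's user table (hypothetical)."""

    def __init__(self):
        self.users = {}
        self._next_id = 1

    def create(self, body):
        """Handle POST /Users: provision an account pushed by the identity provider."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("unsupported schema")
        user_id = str(self._next_id)
        self._next_id += 1
        self.users[user_id] = {
            "id": user_id,
            "userName": body["userName"],
            "active": bool(body.get("active", True)),
        }
        return self.users[user_id]

    def patch(self, user_id, body):
        """Handle PATCH /Users/{id}: apply 'replace' operations such as active=false."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("unsupported schema")
        user = self.users[user_id]
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("only 'replace' is supported in this example")
            path = op.get("path")
            if path is None:
                user.update(op["value"])      # value is a partial resource
            else:
                user[path] = op["value"]      # value targets one attribute
        return user

    def delete(self, user_id):
        """Handle DELETE /Users/{id}: remove the account entirely."""
        del self.users[user_id]

    def can_login(self, user_name):
        """Application check: only an existing, active account may sign in."""
        for user in self.users.values():
            if user["userName"] == user_name:
                return user["active"]
        return False


def deprovision_flow():
    """Provision one account, deactivate it, then delete it; return the login checks."""
    store = ScimUserStore()
    created = store.create({"schemas": [USER_SCHEMA], "userName": "alice@example.com"})
    before = store.can_login("alice@example.com")
    # Constructed PatchOp body in the shape an IdP sends when the employee leaves.
    leaver = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}],
    }
    store.patch(created["id"], leaver)
    after_patch = store.can_login("alice@example.com")
    store.delete(created["id"])
    after_delete = store.can_login("alice@example.com")
    return before, after_patch, after_delete


if __name__ == "__main__":
    print(deprovision_flow())  # (True, False, False)
```

The point to notice is that access stops at the PATCH, not only at the DELETE: identity providers commonly deactivate first and delete later, so the login check must consult `active` rather than mere existence of the record.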
3. In lieu of SSO, use 2-factor authentication
If your organization doesn’t use SSO, I would recommend you set up 2-factor authentication as an additional layer of security.
If you’ve ever had a code sent to your email or phone, that’s 2-factor authentication. After a user enters their username and password, 2-factor authentication prompts users to enter a valid key or code.
2-factor authentication prevents an unauthorized person from accessing data. Even if a cyber attacker learns the login credentials, they will not be able to access the code for 2-factor authentication.
RFPIO supports 2-factor authentication through Google Authenticator and Duo Mobile.
4. Control access with User Roles
With User Roles (default) and Custom Roles (customized), you can define what users can see and do, and ensure users only have access to the data that’s relevant to them. This is key for security. When you reduce the number of people with access to sensitive data, you minimize the risk of leaks.
RFPIO’s out-of-the-box user roles include Super Admin, Admin, Manager, Team Member, and Project Requester. With Custom Roles (available as an add-on, or included with the enterprise package), you can create your own roles that make sense for your organization. For example, Content Owner, Reseller Partner, or Project Contributor, but really it can be whatever you want. The world of custom roles is your oyster.
Read our Help Center article to learn more about specific permission levels for the out-of-the-box user roles (RFPIO customers only).
5. Control visibility with collections
Collections is another, more granular way to control access to sensitive data.
While User Roles controls access to projects and organization settings, Collections controls access to content.
When you assign a piece of content to a collection, you can restrict visibility to that collection, either by a user group level (e.g. the sales team) or on an individual level. You can get as granular as you’d like.
For example, you may choose to have a “security” collection and restrict visibility to just the InfoSec team. Or maybe you want a “financials” collection, and want to restrict access to just the finance team and upper management. Here’s a blog with more detail on using collections to organize your content (or scroll to the bottom to watch the webinar).
6. Get really granular with permissions
If you want to get really in the weeds with visibility, you can set privacy settings at the individual object level (e.g. a Q&A pair). Rather than assigning it to a collection, you can set privacy settings to control who can view or edit a specific piece of content.
If there’s a Q&A pair you really only want upper management to have access to, you can do that.
You can also adjust view and edit permissions. For example, maybe there’s a question about a product feature that you really only want the product team to be able to edit, but still want to give your marketing team access to view.
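Items 4 to 6 describe three layers of access control: what a role may do, which groups may see a collection, and per-object view/edit overrides. The block below is an added example of that layering as a small policy evaluator; it is a constructed model, not RFPIO's permission engine, and the group names (`infosec`, `finance`, `marketing`, `product`), the role-to-action table and the `overrides` field are assumptions made for the demo.

```python
"""Layered, deny-by-default access check (constructed model, not RFPIO's code)."""
from dataclasses import dataclass, field

# Assumed mapping from the post's out-of-the-box roles to coarse actions.
ROLE_ACTIONS = {
    "super_admin": {"view", "edit", "manage_users"},
    "admin": {"view", "edit", "manage_users"},
    "manager": {"view", "edit"},
    "team_member": {"view", "edit"},
    "project_requester": {"view"},
}

# Collection -> groups allowed to see it; None means no collection-level restriction.
COLLECTION_VISIBILITY = {
    "security": {"infosec"},
    "financials": {"finance", "upper_management"},
    "general": None,
}


@dataclass
class User:
    name: str
    role: str
    groups: set


@dataclass
class Content:
    id: str
    collection: str
    # Object-level privacy: action -> set of user names allowed; absent = inherit from collection.
    overrides: dict = field(default_factory=dict)


def is_allowed(user, action, content, visibility=COLLECTION_VISIBILITY):
    """Role first, then the most specific rule (object override), then the collection ACL."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False                                  # the role never grants this action
    override = content.overrides.get(action)
    if override is not None:
        return user.name in override                  # object-level setting wins
    allowed_groups = visibility.get(content.collection)
    if allowed_groups is None:
        return True                                   # unrestricted collection
    return bool(user.groups & allowed_groups)         # any shared group grants access


def demo():
    """Return a few decisions that illustrate each layer."""
    alice = User("alice", "team_member", {"infosec"})
    bob = User("bob", "team_member", {"sales"})
    cara = User("cara", "project_requester", {"infosec"})
    dana = User("dana", "team_member", {"product"})
    erin = User("erin", "team_member", {"marketing"})
    pentest_summary = Content("qa-1", "security")
    feature_answer = Content("qa-2", "general", overrides={"edit": {"dana"}})
    return {
        "infosec_views_security": is_allowed(alice, "view", pentest_summary),
        "sales_views_security": is_allowed(bob, "view", pentest_summary),
        "requester_edits_security": is_allowed(cara, "edit", pentest_summary),
        "product_edits_feature": is_allowed(dana, "edit", feature_answer),
        "marketing_views_feature": is_allowed(erin, "view", feature_answer),
        "marketing_edits_feature": is_allowed(erin, "edit", feature_answer),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Every path that is not explicitly granted ends in `False`, which is the property to preserve when adding custom roles: a new role starts with no actions and gains only the ones it needs.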
7. Review the activity reports
Every so often, I’d recommend pulling the Activity Report, which monitors all user activity within the application—including permission changes, user creation, and user deactivation.
For example, you might notice that an individual user’s permissions have been changed to give broader access to data that may not be relevant to their role. In response, you can reach out to the person who made the change for more information—and, if necessary, reverse their permission levels to a level more appropriate to their role.
You can also pull the User Login Activity Report. This log includes information about:
Who accessed the account,
When it was accessed,
Where it was accessed (e.g. IP address), and
How they logged in (e.g. SSO, username + password, etc.)
Using the User Login Activity Report, Admins can spot logins at odd hours (weekends, very late at night), from IP addresses the user has never used before, or with a different login method than the user normally uses, such as a password login from someone who always signs in through SSO. Any of these can indicate a compromised account, which is how a data breach starts. Judge against what is normal for that user rather than a fixed rule: a sales rep who travels will legitimately log in from new addresses.
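As an added example for the two reports above, the script below reviews a constructed activity export and a constructed login export the way an Admin would: it lists every permission change that broadened a role (calling out self-granted ones) and flags logins that fall outside working hours or differ from the user’s own history. It is not RFPIO’s code and the CSV layouts are invented for this article, since the real export format is not shown on the page; the business-hours window is an assumption, and timestamps are treated as UTC.

```python
"""Review activity and login exports for things worth a second look.

Added example for the two reports discussed above. The CSV layouts below are
constructed for this article (the real export format is not shown on the
page), and the business-hours window is an assumption; timestamps are treated
as UTC, so adjust the window to your users' local time zone before relying on
the off-hours check.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample of an Activity Report: who changed what.
ACTIVITY_LOG = """\
timestamp,actor,event,target,old_value,new_value
2024-03-11T09:02:00+00:00,admin.jane,user_created,tom.sales,,viewer
2024-03-12T14:30:00+00:00,admin.jane,permission_changed,tom.sales,viewer,editor
2024-03-13T16:05:00+00:00,rick.it,permission_changed,tom.sales,editor,admin
2024-03-13T16:06:00+00:00,rick.it,permission_changed,rick.it,editor,admin
2024-03-14T10:00:00+00:00,admin.jane,user_deactivated,old.contractor,editor,
"""

# Constructed sample of a User Login Activity Report.
LOGIN_LOG = """\
timestamp,user,ip,method
2024-03-11T08:55:00+00:00,tom.sales,203.0.113.10,sso
2024-03-12T09:10:00+00:00,tom.sales,203.0.113.10,sso
2024-03-13T10:20:00+00:00,rick.it,203.0.113.11,sso
2024-03-14T12:00:00+00:00,rick.it,203.0.113.11,sso
2024-03-16T02:13:00+00:00,tom.sales,198.51.100.7,password
"""

ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}


def load_csv(text: str) -> list:
    return list(csv.DictReader(StringIO(text)))


def find_permission_escalations(rows: list) -> list:
    """Permission changes that broadened a role; self-granted ones are called out."""
    findings = []
    for r in rows:
        if r["event"] != "permission_changed":
            continue
        before = ROLE_RANK.get(r["old_value"], -1)
        after = ROLE_RANK.get(r["new_value"], -1)
        if after > before:
            reason = "self-granted role broadening" if r["actor"] == r["target"] else "role broadened"
            findings.append((r["timestamp"], r["actor"], r["target"], r["old_value"], r["new_value"], reason))
    return findings


def find_suspicious_logins(rows: list, business_hours=(8, 18)) -> list:
    """Flag logins that deviate from the user's own history or from working hours.

    The baseline (known IPs, last auth method) is built from earlier rows, so
    feed in enough history for it to be meaningful.
    """
    rows = sorted(rows, key=lambda r: datetime.fromisoformat(r["timestamp"]))
    known_ips: dict = {}
    last_method: dict = {}
    findings = []
    for r in rows:
        ts = datetime.fromisoformat(r["timestamp"])
        user, ip, method = r["user"], r["ip"], r["method"]
        reasons = []
        if ts.weekday() >= 5:
            reasons.append("weekend")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append("outside business hours")
        ips = known_ips.setdefault(user, set())
        if ips and ip not in ips:
            reasons.append(f"new IP {ip}")
        ips.add(ip)
        # SSO is the expected path; a fall-back to password after SSO may mean
        # someone bypassed the IdP (or that SSO is mis-configured).
        if last_method.get(user) == "sso" and method != "sso":
            reasons.append(f"auth method changed from sso to {method}")
        last_method[user] = method
        if reasons:
            findings.append((r["timestamp"], user, reasons))
    return findings
```

On the sample data this reports three broadened roles, the last of which is an admin grant a user made to their own account, and one login (a Saturday 02:13 password login from a new address by a user who otherwise uses SSO during office hours) carrying four separate reasons. A single reason is often benign; several stacked on one login deserve a call to the user.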
8. Set up “session timeout”
Reduce the risk of someone using an unattended, still-logged-in session by setting a session timeout that automatically logs the user out after a period of inactivity. This matters most for organizations working in an office setting, but it applies to any unlocked laptop or shared machine.
Here’s the scenario: The VP of Sales leaves their desk for a meeting. Scooby-Doo walks over to the VP of Sales’ desk and downloads a bunch of sensitive financial information from RFPIO, and uses it to wreak havoc. Classic Scooby move.
To prevent this kind of situation from happening, you should set up “session timeout”. The default timeout is 20 minutes of inactivity, but you can adjust it according to your needs; the shorter it is, the smaller the window in which an unattended session remains usable.
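Here is an added example of what a session timeout looks like on the server side, written for this article rather than taken from RFPIO. The 20-minute idle limit matches the default quoted above; the 12-hour absolute limit and the `ManualClock` helper are assumptions made for the demonstration. The point it shows is that expiry must be enforced by the server on every request, not just by a cookie lifetime the browser happens to honour.

```python
"""Server-side idle session timeout (plus an absolute cap).

Added example of the mechanism described above; it is generic code written for
this article, not RFPIO's implementation. The 20-minute idle limit matches the
default the article quotes; the 12-hour absolute limit and the ManualClock
helper are assumptions made for the demonstration.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 20 * 60            # seconds of inactivity before logout
ABSOLUTE_TIMEOUT = 12 * 60 * 60   # hard cap, however active the session is


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested without sleeping
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # unguessable identifier
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str):
        """Return the user behind a live session, or None.

        Expiry is enforced here, on the server, on every request: the session
        record is deleted, so a browser tab left open (or a copied cookie) can
        no longer use it once the idle window has passed.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now   # activity extends the idle window, never the absolute one
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class ManualClock:
    """Test clock: advance() moves time forward by a number of seconds."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

In the Scooby-Doo scenario the VP’s desk session stops resolving 20 minutes after the last click, whatever the browser still shows; the absolute cap additionally bounds how long any one session, active or not, can live.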
9. Bring Your Own Key (BYOK)
Set up an extra layer of security with BYOK. RFPIO already encrypts data with our own mechanism, but if you want that added boost, you should consider BYOK.
Basically, BYOK gives you the ability to provide your own encryption key to protect your data, on top of the encryption that RFPIO already uses, so that access to your content depends on a key you control. This is an added measure against unauthorized access to data. As with any BYOK arrangement, you take on the key’s lifecycle: if the key is rotated, revoked or lost, the data it protects can no longer be decrypted, so manage it with the same care as any other production secret.
10. Securely share information via Linked Companies
Share company information with partners (e.g. resellers) in such a way that they can only view and use it, without edit access. This essentially turns your RFPIO Content Library into a knowledge base that your reseller partners can use to respond to RFPs or answer any other questions that come up during the sales cycle, while you retain control of what the content says. Only share what a partner actually needs; a linked company should see the product collections relevant to it, not your security or financial content.
You set this up under Linked (Partner) Companies. Learn more about how to set up and use Linked Companies in the Help Center (RFPIO customers only).
Security questionnaires have become a household name for modern organizations. When the opportunity for new business presents itself, data concerns accompany that opportunity. From vendor security assessments to due diligence questionnaires, complex spreadsheets are a part of daily life for responders with technical expertise.
56% of RFPIO customers use our software to respond to security questionnaires. Security questionnaire automation helps these teams collaborate in a meaningful way and eliminate manual workarounds.
See what life was like before and after security questionnaire automation for six responders. They transformed their process…and so can you.
Collaboration ease with vendor security assessments
Before security questionnaire automation
A senior account executive was frustrated with their internal process of receiving, managing and completing vendor security assessments, and she knew there had to be a better way. The ability to build out a Content Library was her primary objective, as a centralized content hub would align resources and responses. She began evaluating security questionnaire automation platforms to find the best feature stack.
After security questionnaire automation
RFPIO presented neatly categorized information so security questionnaire contributors could complete any project successfully. Security questionnaire automation streamlined the entire process of receiving, managing, and completing vendor security assessments. RFPIO remained responsive to questions and feedback to further support her team’s success.
Security questionnaires tackled by 100+ contributors
Before security questionnaire automation
A director of presales support spent her days wrangling responses (and resources) for security questionnaires, RFPs, and RFIs. Many business units participated in responding to lengthy, repetitive security questionnaires. With so many voices—and a decentralized Content Library—they lacked consistency with their responses, which affected the content quality and win potential for all of their submissions.
After security questionnaire automation
Today over 100 contributors actively use RFPIO and they add new users every week. This director of presales support has integrated users from IT, HR, Legal, Finance, Professional Services, and Education Services. Across departments, team members feel more productive since they process multiple projects simultaneously. Now documents are more consistent and higher on the quality scale.
Centralized database for faster response completion
Before security questionnaire automation
A proposal manager and his response management team completed many security questionnaires from healthcare organizations annually. Since responses were not centralized, SMEs could not find relevant content easily. This team spent roughly 16 hours to complete a single security questionnaire.
After security questionnaire automation
On their first live security questionnaire project in RFPIO, this response management team saw immediate time-saving benefits. Multiple people now collaborated on the same response, eliminating back and forth communication via email and phone calls. The proposal manager viewed progress within the project overview dashboard—offering visibility he never had before so he could stay ahead of deadlines.
100 security questionnaire responses in two hours
Before security questionnaire automation
An information security advisor led the response process for security questionnaires, due diligence questionnaires (DDQs), and RFPs. His presales, sales, and information security teams were all involved, answering 100-700 technical questions on a regular basis. Without security questionnaire automation, they relied on a FAQs document that contained 300 responses to their most common repetitive questions.
After security questionnaire automation
RFPIO’s answer recommendation engine gave the team newly discovered superpowers with security questionnaire responses. They set up their Content Library with past security questionnaires and RFPs. When they started a new project, they leveraged the recommendation engine to fill in most of the responses. This team now responds to 100 questions in two hours.
Enterprise collaboration with the end-user in mind
Before security questionnaire automation
A global RFP manager handled a large number of IT security questionnaires, DDQs, vendor applications, and RFPs for enterprise organizations. He wanted to build a scalable and repeatable response process centered around a cloud-based software system. He evaluated several security questionnaire software providers to find the best platform and pricing structure.
After security questionnaire automation
A collaborative environment was key for such a complex organization. This global RFP manager recognized RFPIO’s authentic focus on teamwork, which allowed quick collaboration among SMEs without license limitations. Throughout their entire group of companies, RFPIO easily allowed him to invite multiple contributors, authors, and reviewers to tackle lengthy security questionnaires efficiently.
DDQ automation makes a team lean and powerful
Before security questionnaire automation
A proposal manager embarked on a self-improvement journey with due diligence questionnaires. Improvements in efficiency and accuracy were at the top of her list. To keep up with DDQ responses, she often hired consultants and writers for additional support. She wanted to keep her team “lean and mean” and scale capabilities, so she turned to security questionnaire software.
After security questionnaire automation
RFPIO allowed this team to drastically improve its DDQ response process. Flagging questions for review made content updates easy to assign to SMEs. Subject matter experts responded to DDQs with greater speed and accuracy, eliminating the need for outsourcing support. Contributors found clarity with their role in DDQ responses—together, this team became more powerful in their pursuit to win new business.
A security questionnaire is a document that organizations use to evaluate and validate security practices with third-party vendors before doing business with them. If you’ve noticed you’re spending more of your time responding to security questionnaires—that seem to have increased in both quantity and complexity—you’re not alone.
As large corporations spend more on cybersecurity, hackers have moved on to weaker targets: vendors and third parties. According to a 2016 study by Soha Systems, 63% of all data breaches can be attributed to a third party.
As a result, InfoSec and PreSales teams are responding to more and more security questionnaires, on top of their other responsibilities. You know this is not the best way to spend your time, especially since security questionnaires can be thousands of questions long, many of which are repetitive.
So what’s the secret to making security questionnaires a lot easier to handle? Having a content repository of responses, also known as a Content Library. And the most efficient security questionnaire process possible depends on your Content Library setup.
If your product or service is in the realm of telecommunications, SaaS, internet, wireless, or information technology, responding to security questionnaires is the inescapable norm. These days there is no limit to the concerns people have over data and security. When you’re a tech company, those concerns are amplified.
In a recent Deloitte data security report, 70% revealed a moderate to high level of dependency on external vendors, with 47% reporting the occurrence of a risk incident involving external vendors over the past three years. And, 38% cited technology as their primary risk concern.
In other words, these vendor security assessments aren’t going anywhere. Because security questionnaires are a fact of life for you as a sales engineer, the smartest thing you can do is find ways to speed up that process. A more efficient process will take a lot of pressure off you and your sales team, allowing everyone to focus more on closing deals and achieving sales goals.
“We estimated it took roughly 16 hours to complete a security questionnaire, between finding the answer and typing the correct answer, as well as doing other tasks related to the job. Now with RFPIO, multiple people can collaborate on the same response—versus emailing questions back and forth. That has saved a lot of time and effort.” – Rob Solomon
How to effectively set up your Content Library as a unit
How you set up your Content Library totally depends on how your organization is structured. You might have a proposal manager, an entire team, or none of the above. No matter what your situation is, an effective Content Library setup is a joint effort.
Sales engineers tend to be more analytical than most, so you prefer systems over chaos. Categorizing your content repository properly is HUGE. Tagging responses within the Content Library is one of the best ways to organize some of the chaos.
Even when organizations have a response management platform like RFPIO, they don’t always succeed in maximizing the content repository. That’s because they don’t build out and organize their Content Library as a unit. Nobody owns this part of the content management, when really multiple people should…including you.
Let’s say you’re lucky enough to work with a dedicated proposal manager at your organization. They own RFPs and the response management platform, but they are not the experts in specific categories. Security responses can be particularly complex, which is why your proposal manager relies on subject matter experts who have a deep understanding of this information.
You and any other sales engineers involved in security questionnaires will share valuable input when categorizing and tagging security-related responses. If you are not involved in the Content Library setup, the proposal management team will likely categorize and tag the security Q&A pairs in a way that does not make sense to you.
Schedule a brainstorming meeting with your proposal management team to figure out which tags will be used within your Content Library. That way the system works for you, so you can respond to security questionnaires quickly and accurately.
Tagging content within your Content Library involves some administrative work. But it’s one of those tasks that you take care of in the beginning. Then you don’t have to worry about it moving forward.
Achieving security questionnaire efficiency
Building out a Content Library may seem like quite an undertaking upfront. But once this content repository is set up, it saves a tremendous amount of time for everyone involved in the response management process.
Sales engineers are a highly educated bunch that demand a significant salary. As one of the organization’s most valuable internal resources, protecting your time is important. Today a lot of your time is being spent answering those repetitive security questions instead of having the headspace you need to concentrate on closing deals.
With an easier security questionnaire process, you’ll free up your time to focus on key functions of your role and bring more sales effectiveness to your organization.
When your company handles or stores customer data, security questionnaires and RFPs from prospective clients are sure to come through. Companies in highly regulated industries with strict compliance requirements (think finance, banking, insurance, etc.) need to know that their data will be protected, and it’s the job of the potential vendor to answer hundreds or even thousands of questions to assure them it will.
OwnBackup was founded in 2015 as a Salesforce partner that provides a mission-critical backup and recovery solution for companies that use Salesforce—a CRM platform that houses sensitive data about sales activities, financial forecasting, and customer contact info, among other things.
In the case of a user-inflicted data loss or data corruption, OwnBackup recovers that sensitive data and puts it accurately back, relationships intact, into the platform with little to no down time or interruption.
Lihod Rachmilevitch manages the pre-sales engineers and technical customer support teams at OwnBackup. He started in 2016 as the main technical product resource and one of two people answering RFPs and security questionnaires. As the company grew, and they began fielding more and more proposal requests, he made the call to find an RFP and security questionnaire response software to automate some of the work.
Lihod chose RFPIO over the competition because it had the most advanced technology, integrations and project management capabilities. What resulted was cutting their time responding to RFPs and security questionnaires, optimizing their response processes, gaining visibility into performance, and building a strong partnership between the companies.
Optimizing a key revenue-driving process
The initial process for responding to RFPs and security questionnaires at OwnBackup—like at many companies—was inefficient and unsustainable. Lihod said, “In the beginning, the CTO and I were responding to proposals, and we became the bottleneck. We’d get an Excel file with hundreds of questions, and we’d have to review and answer them, and return them back to the account executive to send to the prospect, within a short window of time. It just wasn’t efficient.”
However, those proposals drove a significant proportion of the company’s revenue. “I would say that on every third opportunity we have an RFP or a security questionnaire.”
Lihod’s first step was to build a repository of questions and answers in a shared drive. Then he started hiring more pre-sales engineers as technical support for the account executive team. Because RFPs and questionnaires were full of technical questions about the solution, its security, and the Salesforce integration itself, the pre-sales team began to take over proposal responses, freeing up the account executives to pursue outbound sales opportunities and field proposal requests as they come in.
Once he had the right team in place, finding an automation solution became the next order of business.
Advanced technology for complicated security questionnaires
The cornerstone of RFPIO’s platform is the Content Library, a dynamic, centralized repository for a company’s content. Built into the library is an AI-powered recommendation engine, that uses data based on past activity to serve up contextually relevant content and even suggest contributors with whom a user may have worked before. When he was making his selection of RFP software, this functionality appealed to Lihod for multiple reasons.
“I was really impressed with the recommendation engine because it was able to create a more accurate repository, resulting in two things: One, it expedited the process. Instead of turning around a long questionnaire in three weeks, today it’s less than a week.
Secondly, the answers are much more accurate and consistent. This is another challenge—making sure that everyone is using correct and uniform answers. With the wrong responses, you may be disqualified from moving forward or you run the risk of misleading the prospect or client about what you can and cannot do.”
The other technical advantage that Lihod found with RFPIO is the patented upload process for proposal docs of all sorts. Some companies use standardized formatting for proposal requests, and others reinvent the wheel with their requirements. “Seeing how easy it was to upload all kinds of questionnaires and then manage them within RFPIO was a big relief.”
The pre-sales team sometimes needs help from other departments to answer questionnaires, so having the option to assign questions to guests (like a member of the legal or accounting team) was another useful benefit.
Visibility, security, and accountability
Lihod has more visibility into the RFP and security questionnaire response process now, in both RFPIO and Salesforce, which allows him to see new requests from account executives and then prioritize those requests based on urgency. Everyone can be working on the same project at the same time.
Ironically, it makes their operation even more secure. “This increased visibility allows us to make sure that we are not providing any confidential or sensitive information to prospects when we don’t have an NDA in place,” he said.
As a manager, now he can track a number of key performance metrics like how much time it takes them on average to complete and send a response back, individual contributions to any given project, and how many projects they’ve completed in a certain amount of time.
The partnership between OwnBackup and RFPIO has been strong, partially because of the company’s similarities: SaaS companies experiencing rapid growth; a commitment to providing data security for customers; and a solution that people rely on every day.
“The RFPIO team is very knowledgeable about the product and they are especially responsive to our needs. They are quick to jump on a call to resolve issues—within a few hours or the same day. It helps us keep on track and deliver on proposals,” Lihod said. “They listen to our requirements and have gone as far as to make developments in their platform based on those.
It was very appealing to me to have a partner, not just a vendor, and that’s what we’ve found in RFPIO.”
Looking for help with security questionnaires? Schedule a demo with our team.
“Seeing how easy it was to upload all kinds of questionnaires and then manage them within RFPIO was a big relief.” – Lihod Rachmilevitch, VP of PreSales and Customer Support at OwnBackup
Lucky you. A security questionnaire with 467 questions just landed in your inbox and it’s due in two weeks.
But you don’t use RFP software, so you’re looking at about a week and a half of completion time. Since responding to security questionnaires isn’t your primary job responsibility, you will have to make time in between other high priority tasks. You stay after hours or work weekends to meet the looming deadline.
You meet the deadline, just barely—but you don’t feel confident that you answered the questions as effectively as you could have with more time. You wonder: Are we going to lose this deal now?
If you had RFP software to support your process? Hate to be the one to break it to you, friend, but that menacing security questionnaire probably would have taken you a few hours instead.
Understandably, many brave responders take a negative mental turn with security questionnaires, and even dread them. We won’t make outlandish claims, like comparing responding to vendor assessments to a leisurely stroll on a summer day. What we can do is steer you in the right direction, so you gain the upper hand and take control.
By the time you’ve finished reading this post, you’ll understand that:
RFP security questionnaires are complex, but manageable
Various security questionnaires benefit from an RFP response solution
Each completed security questionnaire will throw the deal or land it
RFP software alleviates time and team friction
The majority of a security questionnaire can be completed for you
A specific RFP response solution feature set will help you take control
Time is on your side with RFP software
It starts now, with understanding how technology like RFP software can help you navigate the nuances of security questionnaires. And, rest assured…the next time you’re responding to hundreds or thousands of questions will be better.
The nuances of RFP security questionnaires
As complex as security questionnaires can be, there is a bright side too. Yes, there are gigantic spreadsheets involved. But, it’s a pretty standard set of questions you’re working with.
Sure, you might see variations of a question or subsets of it. You might be facing a SIG with what seems like a million questions. Still, the questions are pretty much the same old song and dance: security questionnaires generally cover privacy, compliance, infrastructure security and data protection.
“Only a third of organizations believe they have adequate resources to manage security effectively.” – Ponemon Institute
A team of security subject matter experts (SMEs) sprinkled across multiple teams and departments is often required to respond to these security questionnaires. Answering the same questions repeatedly can become tedious for anyone, no matter how dedicated they are to the organization.
For example, if a proposal manager assigns the same hundred questions to a security architect ten times, friction will inevitably follow. Presumably, that security architect will stop answering them and choose to fulfill other high priorities on his or her plate, and may become unresponsive whenever support is needed for security questionnaires from then on.
To top it all off, there is the compliance aspect of security questionnaires. Teams must answer accurately and honestly, and be able to back up their responses with evidence should an issuer decide to audit. An RFP software solution is the kind of technology that can handle the nuances of security questionnaires. A great solution will help you solve inefficiencies within your process.
Various security questionnaires you will encounter
61% say their organizations evaluate the security capabilities of cloud providers prior to engagement or deployment, according to Gemalto’s 2018 Global Cloud Data Security Study. Although these evaluations increasingly rely on contractual negotiations and legal reviews, 34% of organizations still require the formality of security and compliance questionnaires. That means you need to be prepared (not surprised) when a security assessment arrives.
Being prepared isn’t as easy as it sounds. We can write an entire blog—scratch that—a novel about the different types of RFP security questionnaires you might stumble upon. While a security questionnaire has many names, it also has many types.
Here are various security questionnaires you will encounter:
SIG and SIG Lite – Standardized Information Gathering questionnaires from Shared Assessments (SIG Core and SIG Lite are the common cuts of the full SIG)
CAIQ – Cloud Security Alliance Consensus Assessments Initiative Questionnaire, aimed at cloud providers
NIST SP 800-171 – questionnaires built on NIST’s controls for protecting controlled unclassified information in non-federal systems
CIS Controls – questionnaires built on the Center for Internet Security Critical Security Controls
No matter the type of security questionnaire, the need for a complete RFP response solution along with a reliable internal process can’t be stressed enough. Without this dynamic duo, you run the risk of losing valuable hours with an inefficient approach—but, you also risk losing potential business if the responses are not executed accurately and well.
Why you should take each security questionnaire seriously
The short version? Because you don’t want to be the one that throws the deal. You want to be the one that helps land it.
Whether you’re a cloud provider or an on-premise provider, security questionnaires are a key requirement in this leg of the sales process. Organizations care a great deal about data security and they scrutinize vendors like you to make sure you are the partner they can trust long-term.
As a cloud service provider, your customers entrust their organization’s most sensitive data with you. There’s a very strong chance that the solution you provide is a mission critical application for them. That’s why they want to hire your services in the first place.
Because you serve every customer from shared, multi-tenant infrastructure, the controls need to be that much more airtight. There are plenty of control frameworks that govern cloud security, yet lack of visibility remains a bigger problem in SaaS than in IaaS, with almost one third of organizations having difficulty getting a clear picture of what data is in their cloud applications.
It’s important for your customers and prospects to feel confident that you have the proper controls in place, so their data isn’t compromised. Proper controls prevent a data leak, whether it would happen accidentally or through a malicious attack.
At one time on-premise solutions were less of a concern. People used to believe that infrastructure behind their own firewalls was inherently more secure. In the last decade, things have changed dramatically.
In some ways, on-premise solutions are more vulnerable than cloud solutions. When customers use a cloud-based solution, their data is typically hosted with a large, regularly audited provider such as Amazon, Google, Microsoft or IBM. That does not make the application itself secure: under the shared responsibility model the provider secures the underlying infrastructure, while you remain responsible for the application, identity and access management, and configuration, which is exactly what a security questionnaire probes.
With on-premise, the compromise frequently comes from within, through social engineering or through employees making mistakes. So on-premise security is something buyers are aware of and really paying attention to.
EU GDPR Requirements
On May 25, 2018, the EU’s GDPR (General Data Protection Regulation) took effect, and the penalties are severe: up to €20 million or 4% of worldwide annual turnover, whichever is higher, enough to cripple organizations that do not take these requirements seriously.
In McAfee’s 2017 study, Beyond the General Data Protection Regulation (GDPR), more than 80% of organizations said they expected help from their cloud service providers to achieve regulatory compliance. Yet only half of the respondents stated that all of their cloud providers had a plan in place for GDPR compliance.
How will GDPR affect cloud investments? Fewer than 10% anticipate decreasing their cloud investments as a result of GDPR. Even so, take the right measures and be able to demonstrate that you have made every effort you possibly can to keep your customers’ data secure, starting with how you respond to security questionnaires.
Security questionnaires: The culprit of time and team friction
Organizations understand that data security is highly valued by their customers, so they respond to security questionnaires to build confidence in their solution. The complicated part for you and/or the team completing these vendor assessments…the time factor.
When responding to RFP security questionnaires, security experts are brought into the process to ensure accuracy. Since security encompasses many different aspects of an organization, multiple team members must work together to answer their respective questions and sections.
Typically these SMEs work in understaffed conditions, where time is truly limited for responsibilities outside their high-priority tasks. If this is all hitting close to home, then you know exactly how challenging it is to respond to hundreds of questions under a tight deadline.
RFP software like RFPIO helps you do the job right the first time. Technology allows you to reuse historical content and customize as needed, while encouraging stronger collaboration for a more efficient process.
ProTip: “Be self-aware of both your strengths and your limitations in your responses. If you don’t have something, don’t lie, but don’t over-emphasize your own deficiencies. Devote your time to addressing the issues the customer will be most concerned with.” – Ken Stasiak, SecureState’s Guide to Responding to 3rd Party Questionnaires
How RFP software increases efficiency levels
A security questionnaire is basically a massive spreadsheet with hundreds of questions on the lower end and thousands on the higher end. You need to be able to answer volumes of questions quickly, but with incredible accuracy. Such is the beauty of RFP software.
Recently our CIO, Sunder, had a lengthy security questionnaire to complete on his own. (Yep, we have to respond to these just like any other cloud solution provider.)
RFPIO’s auto-response feature filled in 74% of the questions for Sunder. About 11% of the questions needed to be tweaked, because some of the controls had changed; the rest of the auto-filled answers didn’t need to be touched at all, leaving him very few questions to answer manually. Something that would have taken our CIO a day or two to complete was done within an hour.
A team of one can benefit from RFP software as can a mid-sized or enterprise organization. A larger organization will require several review cycles, but still the time-savings is noticeable for all contributors. This technology, in combination with close collaboration and an established RFP response process, is a game-changer for anyone completing security questionnaires.
When you’re searching for an RFP response solution to help you streamline the security questionnaire process, having a few key features will make a difference in productivity improvements.
“Our immediate instinct with Security Questionnaires was that the Excels were too macro-heavy. It was going to be a huge challenge for us to solve. But, like so many of our clients, we’ve gone through this pain enough and we figured we might as well solve it. RFPIO’s advanced security questionnaire functionality makes the response process much easier for teams.” – A.J. Sunder, CIO at RFPIO
Security questionnaire features to look for in RFP software
As with any solution you add to your growing technology stack, you want to make sure the investment is worth it. What are your pain points? What are your aspirations and objectives? The needs of your organization always come first, which is good to remember when you’re hunting for a solution.
If you’re answering security questionnaires regularly, you need RFP software with built-in features to support that effort. These are specific RFPIO features that help you take control…
Security Questionnaire Import
An RFP security questionnaire project can start off on the right foot…or the wrong one. With RFP software, the import should be painless for your team—it doesn’t matter if it’s a macro-heavy Excel with 799 security questions.
Even some of the most sizable Standardized Information Gathering (SIG) questionnaires can be imported into RFPIO with a single click. You upload the right template for the job (CAIQ; SIG Core, Full or Lite) and import directly from your local computer or cloud storage provider.
Have a wealth of historical responses from previous security questionnaires? Rather than being lost in a maze of online folders, all of your content is centralized in a Content Library. Easily accessible content means a proposal manager or proposal management team can take the vendor assessment to a certain level of completion before calling in the security SMEs.
This way SMEs can focus on reviewing and revising specific questions or sections, versus answering hundreds of repetitive questions they’ve seen before. Over time, as your team responds to more security questionnaires within the solution, the Content Library will continue to expand. If cared for properly, this knowledge repository will flourish.
Because your Content Library is the heart and soul of your RFP response solution, managing this content well is a must. From encryption technology to infrastructure, security controls and standards change often. As long as that information is current, security SMEs will not need to do as much heavy lifting when responding. Content audits should be routine at your organization.
From this expansive knowledge base, an auto-response feature brings up relevant responses to answer the majority of the questions for you. Proper algorithms find the best match, so your auto-response needs to be reliable.
Auto-response cuts down completion time dramatically from the first RFP security questionnaire project—and efficiency levels increase with consistent use. Essentially, the solution does a majority of the responding for you.
Strong collaboration is behind every great RFP response process. Your RFP response solution must have communication features that promote a collaborative environment. Proposal managers should be able to reach out to security SMEs in a low-touch manner, and vice versa.
Team members should be able to easily leave comments and @-mention colleagues for clarification as needed. Built-in chat features and Slack integration are additional ways to help teams work together easily, with fewer emails and fewer meetings.
At the end of the RFP security questionnaire, every team wants to finish up and move on with their lives. However, like the import, the export can really be a time-consuming challenge with large spreadsheets. Being able to easily export back into the original source with clean data is a necessary feature of RFP software, especially with security questionnaires.
“We appreciate the lengths RFPIO has taken to accommodate the Standardized Information Gathering (SIG) tool. They have been incredible in their help addressing the SIG’s embedded scoping and automation abilities within the spreadsheet to preserve the purpose of the document. RFPIO’s efforts to research and develop a new upload specific to the SIG has been invaluable to MGIC.” – Vickie Kusch, Vendor Due Diligence Liaison at Mortgage Guaranty Insurance Corporation
Repetitive questions are the name of the game with security and compliance questionnaires. Bulk answering does exactly what you think it does…answers in bulk! (Didn’t see that coming, did you?)
As you respond to a SIG, a solution like RFPIO understands how the macro is programmed and aligns with your selection process. If you answer “yes,” it knows the dependencies and presents those 300ish questions to you. If you answer “no,” it knows not to show irrelevant questions.
Sometimes security questions aren’t black and white. Teams must use their best judgement and answer only what they can back up. An audit history shows who answered the question, so they can back up or explain their response if a situation should arise with the issuer.
Sometimes an issuer will add a clause in the contract that mentions their right to audit in fine print. You want to be ready for this, and an audit trail will help you tremendously.
Time is on your side now, responder
The dark days of losing hours and sleep are all over. The next security questionnaire that lands in your inbox will be a piece of cake—er—okay, it will certainly be easier than before when you didn’t have your trusty automated technology friend.
Ask someone who responds to security questionnaires how many questions they see, and they’ll casually reveal a number that’s somewhere in the realm of well over a thousand questions. Any vendor offering a SaaS solution will face the Standardized Information Gathering (SIG) questionnaire at some point. Depending on the version of the SIG, it typically clocks in around a few hundred questions.
We speak from personal experience, because we are a SaaS vendor who has been in your shoes. We too must respond to security questionnaires constantly. In our world, a smaller security assessment will usually contain 250 questions, a mid-sized questionnaire will have 650, and the largest assessments have about 2500 questions.
The advantage for us—and for our clients—is that we leverage RFP software to overcome inefficiencies. Every day we talk to organizations who struggle with a manual RFP response process when they could greatly improve productivity with an automated solution.
This month we released an exciting new feature that allows you to import Standardized Information Gathering (SIG) questionnaires with one click. Here is some information about RFPIO’s SIG template import and how it solves inefficiencies to help you win back time.
The first critical step in every RFP project is the import
A SIG is a massive security and compliance questionnaire—figuring out where to begin can be an overwhelming task. When using RFP software, importing is the first and arguably most critical step, because it sets the tone for the entire project. If the import causes any friction, teams will spend time they don’t have to spare.
With intelligent RFP technology, an import is actually a time-savings opportunity for teams. That even applies to spreadsheets with thousands of questions. Based on your personal history with large scale vendor assessments, it’s likely difficult to imagine importing such a sizable spreadsheet into your RFP response automation solution quickly.
After enduring our own inefficiencies over the years, we found a way to load the information in one click with the SIG template import. Long days in the office spent responding to our most recent SIG pushed us over the edge, and inspired us to do something about it.
How the security questionnaire template solves inefficiencies
A SIG is a very macro-heavy Excel, and traditionally it’s been a challenge to bring it into any automated RFP response solution. Excel macros are built into how the dependent questions come up and how the completion metric is calculated. Because you’re working with a standard template, you as the responder must answer the same questions repeatedly.
In other cases, standard questions might be seen as a good thing—but not with a Standardized Information Gathering questionnaire. These security assessments are clearly exhausting for anyone tackling thousands of questions. No other RFP automation solution is currently in place that can solve this SIG situation, and that leaves you searching for alternatives that are less than desirable.
One option is to hire interns as users to do a comparison and transpose the answers. Another option is to submit a previous version of a SIG that you responded to, and see if the issuer will accept it. However, issuers typically add their own questions, and you might lose the deal because your responses aren’t up to snuff.
As you respond to a SIG, RFPIO understands how the macro is programmed and works with your selection process. If you answer “yes,” it knows the dependencies and presents those 150 or so questions to you. If you answer “no,” it knows not to show irrelevant questions.
RFPIO goes through the Security Questionnaires on its own, to learn which questions need to come after which answers. RFPIO helps you take control of the most complex security assessments, because the technology is able to handle multiple levels of dependencies and then translate and automate that for you. The key is then being able to export your responses back into the original format, so you’re not having to do any work when you’re done in the application.
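To make the dependent-question behaviour described here (and in the bulk-answering section above) concrete, here is a small Python model added for illustration. It is not RFPIO’s code and does not describe how RFPIO’s import is implemented; the question ids, texts and the two-level dependency chain are constructed, and a “yes” to a parent question is assumed to be what unlocks its children.

```python
"""Added example (not RFPIO's code): a minimal model of SIG-style
dependent questions. A question is shown only when every ancestor in its
dependency chain is itself visible and was answered with the value that
unlocks it; the completion metric counts answered questions over the
visible set only. Ids, texts and dependencies below are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    parent: Optional[str] = None      # question this one depends on
    show_when: Optional[str] = None   # parent answer that reveals it

# Constructed sample: a scoping question whose "yes" unlocks detail
# questions, one of which unlocks a further level (multi-level dependency).
QUESTIONS = [
    Question("A.1", "Do you store client data in the cloud?"),
    Question("A.1.1", "Is data encrypted at rest?", "A.1", "yes"),
    Question("A.1.1.1", "Which algorithm and key length?", "A.1.1", "yes"),
    Question("A.1.2", "Is data encrypted in transit?", "A.1", "yes"),
    Question("A.2", "Do you have a documented incident response plan?"),
]

def visible_questions(questions, answers):
    """Return ids of the questions to present, in template order.
    Each dependency chain is walked to its root, so a question is hidden
    if any ancestor is hidden or answered differently from its show_when.
    A cyclic dependency (a malformed template) raises ValueError."""
    by_id = {q.qid: q for q in questions}
    def is_visible(qid, seen=()):
        if qid in seen:
            raise ValueError(f"dependency cycle at {qid}")
        q = by_id[qid]
        if q.parent is None:
            return True
        return (is_visible(q.parent, seen + (qid,))
                and answers.get(q.parent) == q.show_when)
    return [q.qid for q in questions if is_visible(q.qid)]

def completion(questions, answers):
    """Completion metric: answered visible questions / visible questions."""
    vis = visible_questions(questions, answers)
    answered = sum(1 for qid in vis if answers.get(qid) not in (None, ""))
    return answered / len(vis) if vis else 1.0
```

Note that an answer given to a hidden question (for example "A.1.1" answered "yes" while "A.1" is "no") neither reveals its children nor counts toward completion, which mirrors why exporting back into the original macro-driven sheet matters.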
“Completing security questionnaires used to be an extremely time-consuming process for our team. RFPIO offers a one-click SIG template import, in addition to auto-response and bulk answering features that promote speed and accuracy. What used to take days—or even weeks—now only takes us a couple of hours.” – Mandana Salehi, Director of Sales at Zapproved
Standardized information gathering questionnaires in one click
Now for the moment you’ve been waiting for…Standardized Information Gathering questionnaires can be imported into RFPIO with a single click. You upload the appropriate template (CAIQ, or SIG Core, Full, or Lite). You can import directly from your local computer or cloud storage, such as Google Drive, Dropbox, OneDrive, or Box.
From here, you can move on with your day, since the project’s primary contact receives an email notification once the import process is completed. Meanwhile, RFPIO configures questions, sections, and subsections on your behalf. Once the import is finished, it’s time for you to jump back into the project to review questions and sections.
This is where auto-response works its magic to populate your SIG with the most relevant matches from your Content Library. The standardized nature of these questionnaires makes the response process very efficient through automation. You then customize as needed to ensure accuracy, or to add any necessary flourishes to wow that particular issuer.
Last, but certainly not least, you export everything back into the template of your choosing and send off to the issuer. Overall, less time will be spent on sizable vendor assessments so you can focus on other priorities.
There really is no need to dread the next massive SIG that comes your way. With RFPIO’s SIG template import, you and your team can use speed and accuracy to complete thousands of questions and land the deal.
If you take a good look at your SaaS vendor selection process today, is cloud security on your checklist? Or, does your checklist consist of all the shiny features you’d like to have?
The SaaS model makes it easy to sign up and get going—with free trials and integrations with your favorite applications. While it is important to evaluate if the solution solves your business problem, it is just as important to look beyond the core features.
SaaS vendors range from a couple of guys operating out of a garage to full blown enterprises. During the startup phase, the focus is on getting a workable product out to the market with the intent to “shore up” the product when they have a few customers that have kicked the tires.
Unfortunately, security ends up taking a backseat. Failure to evaluate security features with these vendors can mean major trouble for businesses, both short term and long term.
As just one example, we’ll use cloud-based RFP software solutions.
Say your SaaS provider has an outage when you have a request for proposal deadline looming. You have no way of retrieving that data, and you don’t have it backed up, because you entrusted your SaaS vendor with everything.
By the time your vendor is up and running again, it’s too late. You missed out on submitting your RFP responses and lost millions of dollars in potential revenue.
Focusing on a tool’s exciting features during SaaS vendor selection is alarmingly common. Enterprise companies will typically bring in their IT department when choosing a SaaS solution, but frequently companies operating with smaller teams miss this important step.
It’s never too late to optimize your vendor selection approach, whether you’re just establishing security measures, or strengthening existing processes.
Here are a few cloud security questions worth asking when you’re evaluating SaaS vendors.
Most SaaS vendors have a disaster recovery plan, but not all plans are created equal. Some mistakenly believe taking regular backups constitutes disaster recovery.
Make sure your SaaS vendor has a solid plan that covers a recovery timeline, routine testing, and geographic isolation. In other words, if there is a tsunami, is that going to wipe out all of their data centers?
#2 What if you go out of business?
Often we think of catastrophic events in the form of natural disasters, but a vendor going out of business can do just as much damage. When comparison shopping, look into business viability and don’t be afraid to ask some tough questions.
If I invest all of my work, data, history into your solution, is that safe? What is your fallback plan? Having access to that data is non-negotiable no matter what happens outside your control.
Okay, you don’t have to frame the question that way—instead you can ask if they have a proper security plan. Be careful when a vendor sidesteps security to focus on the shiny features. You don’t ever want security to be an afterthought.
If you find it difficult to know which security features are most important, bring in your IT department for guidance.
Accountability is a big one, because you want to know who you are dealing with when a support request spirals into a data mess. Many vendors depend on others, and the finger-pointing can escalate quickly. This is the last thing any business wants to experience when there’s a problem, so be upfront to avoid a surprise down the road.
A storage solution managed entirely by the SaaS vendor is preferable, as mom and pop cloud storage companies can be unreliable. The accountability factor can speed up your selection process in a jiffy if a vendor fumbles over roles and responsibilities.
#5 How scalable is your product?
It is one thing to watch a flawless demo, or run through a proof of concept without a glitch. But can the application withstand what the real world throws at it? Unfortunately, it is tough to know the answer to this until the real world happens.
For example, if one of the service provider’s other clients executes a huge project, is that going to negatively impact security? It is smart—and absolutely appropriate—to inquire about how well the vendor can scale their product to meet demands, and how quickly those demands will be met.
Finding the right SaaS vendor should never be taken lightly, so always think of it as a collaborative decision.
While these questions will cover your cloud security bases, if you can, get your IT person involved in the process too. If you are unable to engage your IT department in vendor selection, you can still take these steps to ensure the vendor has a solid security footing.
What cloud security questions do you ask when you’re selecting a SaaS vendor?
Why do 250,000+ users streamline their response process with RFPIO? Schedule a demo to find out.