Every company targeting mid-size or larger companies is bound to experience the joys of the formal security questionnaire. It can range from a simple bulleted list of questions to multiple spreadsheet tabs with dozens of detailed requests for information. It’s a common method larger organizations use to vet technology vendors while covering the needs and concerns of many of their stakeholders and decision-makers. And as security becomes more top of mind across every company, these security questionnaires will likely become more popular and more involved.
But for technology vendors on the other side of these security questionnaires, particularly startups strapped for time and people, their mere presence can stop deals dead in their tracks. Some startups might not have a formal security program, may be inward looking or compliance driven, or may not even have some of the components required by a prospect.
Small startup teams then scramble to deftly wordsmith answers and even put new, customer-specific security practices into place. Worse yet, the effort required to complete these questionnaires can derail an entire startup for days or weeks. And that’s just for one potential customer.
There is another approach, however, that starts with the deployment of a thoughtful, risk-reducing, compliant security program. Startups do have budget and resource constraints, which makes hacker-powered security an attractive option. But from there, startups can elevate a deal beyond the security questionnaire and into a meaningful conversation with the prospect about their risk and security concerns.
As @magoo pointed out in a Medium post, Understanding the Security Questionnaire, the driver behind most security questionnaires “appeals to the perceptions of risk by your customers, not your actual risks.” Those developing a security questionnaire are typically focused on their own risks. Their questions tend to approach security from their own perspective, leaving many gaps they might not have considered. A proactive conversation about a prospect’s security needs and concerns could offer valuable outcomes for both sides.
Startups facing more and more security questionnaires in their sales process can keep deals moving forward while using the questionnaire to start a frank discussion of security. But, ultimately, a formal security program needs to be in place for credibility in how a startup approaches security. That means putting proven security practices in place that fit the budget and resource constraints of the typical early stage company while also addressing the real security risks of concern to prospects.
As @magoo mentions, “You might not need to fill out this questionnaire.” Another approach mentioned is to engage the prospect using the results of a security audit, metrics from a bug bounty program, details of a vulnerability disclosure program, an overview of an incident response process, and much more.
Hacker-powered security can help here as well. Rote penetration tests, for example, are a typical expectation. But applying a hacker-powered approach to pen tests shows prospects how 24x7 coverage, skills variability, and pay-for-results provide real risk reductions for smaller startups operating on a tight budget. Having a formal vulnerability disclosure policy (VDP) that makes it easy for researchers, white-hat hackers, and anyone else to report potential security vulnerabilities is also a near-zero-cost tactic that delivers proven, measurable benefits. These types of programs can help prospects focus on overall security and risk reduction.
It’s important to internally justify the budget and resource requirements of any security measures, especially for startups. Being able to bypass, or at least effectively answer, prospects’ security questionnaires provides some justification. But if deals have been lost due to unacceptable answers or immature security efforts, the justification for a proactive security program becomes even more powerful.
Hacker-powered security provides fast, easy to deploy security programs that deliver proven, tangible, and compliant results. What’s more, security teams only pay for results, which keeps budgets under control and ensures engineering teams are focused on real issues instead of false positives and an overload of reports.
Best of all, hacker-powered security offers a nearly unlimited and continuous team of skilled hackers and a model where costs are directly tied to real results. VDPs provide a mechanism for anyone to report a potential vulnerability, short-term bug bounty programs replace or augment penetration tests, and continuous bug bounty programs provide 24x7 security coverage.