October 24, 2019

Last Updated on June 17, 2024

In our practice we’re seeing a big uptick in client stress levels with respect to security questionnaires, especially among software-as-a-service (SaaS) providers. Three trends are driving this:

  1. A growing percentage of prospects are mandating security questionnaires
  2. The length and complexity of the questionnaires are increasing, so they take longer to complete
  3. Almost 100% of organizations now use cloud services, which (hopefully) means business growth for SaaS providers, with more questionnaires being a side effect

According to a 2018 survey by Gemalto, 61% of organizations say they evaluate the security capabilities of SaaS providers before deploying their services. More than half of these (34% of those surveyed) require the completion of a security questionnaire—and that number is undoubtedly rising as regulatory mandates and headlines about third-party security breaches intensify vendor scrutiny.

Questionnaires are also getting longer in an effort to make them more comprehensive. In particular, Shared Assessments’ popular SIG Questionnaire was greatly expanded for 2019 (to something like 900 questions), and many organizations prefer to use this and similar tools as-is.

When individuals in key positions, such as CISOs or Information Security Managers, are responsible for answering more and bigger questionnaires, the time demands eventually exceed what they can manage. The process can’t scale and becomes a hindrance to closing sales and growing the business.

If you find yourself in this position, you can find help here (no need to bore you with a sales pitch).

Security questionnaires are a cost of doing business in today’s information economy, but if handled well, they can be leveraged to separate you from the pack.