Enterprise Security Questionnaires Posts

Tags: Cyber Security, Enterprise Security Questionnaires, Remote Work, SOC 2, Vendor Onboarding, WFH Cybersecurity

9 Small Business Cybersecurity Wakeup Calls for Founders

Every day we talk with startup founders about small business cybersecurity. Although we'd love to speak with founders that spontaneously decided to "do more" about cybersecurity, our conversations usually start very differently than that.

Most often, there is a very specific and urgent cybersecurity-related need at hand, and an urgent call to our team for help thinking it through. We're happy to help -- not a problem! However, for the benefit of founders that haven't yet hit one of those moments, here's what folks a few steps ahead of you are running into. We're glad to help with these more proactively if you'd like, to save a hectic scramble later.

Tags: Enterprise Security Questionnaires, SOC 2

SOC 2 Compliance Checklist: Pre-Audit Steps

Thinking of engaging a SOC 2 auditor? Good thinking. Successful completion of a SOC 2 audit carries a great deal of credibility, especially for small organizations seeking to do business with large enterprises. Heading into your SOC 2 audit (and in fact, before you engage an auditor) you should have a SOC 2 compliance checklist in mind. That checklist should contain the things that you believe you will need to demonstrate to the auditor.

A common misperception is that the SOC 2 process is designed to help you implement additional controls and processes. Not so. The SOC 2 audit is designed to evaluate your organization's practices, on the premise that you already have the controls and processes in place.

Tags: Enterprise Security Questionnaires, Infosec Policies

Uncovering Hidden Annual Security Requirements

As the end of the year approaches, hidden annual security requirements tend to pop up at the least convenient time. Although we're glad to spring into action to help bail out companies that have some last-minute cybersecurity obligation that needs "doing" before December 31st, we'd rather help you avoid that type of scramble altogether in the future. Here are the top ways that you can sniff out hidden annual security requirements well in advance, to avoid a scramble.

Tags: Enterprise Security Questionnaires, SOC 2

5 Easy Shortcuts on Enterprise Security Questionnaires

Every day we talk with small businesses struggling with enterprise security questionnaires. And every day we hear some of the same underlying anxieties... What if I don't have everything the enterprise asked for? What if I don't have SOC 2? Should I elaborate on this answer? Should I attach supporting evidence for that question? For ventures that haven't been through the enterprise security questionnaire process before, the process can feel arbitrary, cumbersome, and ambiguous. This article has five of our top "easy wins" for saving time and frustration when filling out an enterprise security questionnaire.

Tags: Cyber Security, Enterprise Security Questionnaires, SOC 2

Getting by Without SOC 2 Type II

There are two things we need to say right away: (1) we are believers in SOC 2 Type II - we think it's driven positive change in cybersecurity and beyond, and (2) it sure is a pain when someone asks you if you are SOC 2 Type II compliant and you don't have a good answer for them. In this post, we'll explore what to do when you are asked (perhaps by an enterprise customer) if you have an unqualified SOC 2 Type II audit report.

Tags: Enterprise Security Questionnaires, Vendor Onboarding

Compensating Controls and Campfires

Far too many vendor onboarding processes -- especially those that don't leave room for compensating controls -- feel like they are destined to be combative from the start. In the typical storyline, a tiny company is working feverishly to sell its products or services to an enterprise, and after gaining the support of the "sponsor" (business decision maker), the vendor onboarding process kicks into action. The only problem? It often involves dozens-to-hundreds of nuanced cybersecurity questions that the tiny company is ill-equipped to answer. And that puts in jeopardy all of the good work that the small business and the enterprise can do together -- because the path to collaboration starts by running the gauntlet of the vendor onboarding process. And that process is far from guaranteed to lead to approval.

Tags: Cyber Security, Enterprise Security Questionnaires, Vendor Onboarding

6 Key Vendor Risk Assessment Conversations

When a new vendor (maybe a small business) begins working with an enterprise, you can bet that there will be a vendor risk assessment of some form. Format-wise, it might be an Excel-based security questionnaire, a web portal, or a repurposed survey tool with customized questions. It will almost certainly involve a few clarifying conversations, revisions, evaluations, and (here's hoping) approval.

Let's zoom out one level above the nitty-gritty of the questions that are deep in the assessment. What are the key vendor risk assessment topics that both sides should expect to discuss at some point in the process?

Tags: Cyber Security, Enterprise Security Questionnaires, Vendor Onboarding

What’s Broken about Enterprise Security Questions

Normally we put all of our focus on helping small businesses with cybersecurity, but today we're here to talk with enterprise compliance teams about their enterprise security questions. Bad news: almost all of the questions we've seen are broken. Good news: they are fixable. Let's explore.

When a small business is on the cusp of closing out an enterprise sale, that is a big deal to the whole small business. It's high stakes for them. They'd be willing to hop over just about any hurdle you ask them to. But what if there are 200 different hurdles, some of which matter a ton, others that don't matter much at all, and all of the hurdle heights are obscured? Sound hard? It is. Here's what's broken about enterprise security questions.

Tags: Cyber Security, Enterprise Security Questionnaires, Implementation, Vendor Onboarding

Risk Grading for Enterprise Compliance Directors

This blog is usually written with the small business audience in mind. We usually post about cybersecurity topics that we believe will be useful to small business owners, small business CTOs, small business IT directors, etc. Today is different. Today, we'd like to speak to the Enterprise Compliance Director audience -- about their relationship with small businesses.
