Enterprise Security Questionnaires Posts

Categories: Enterprise Security Questionnaires, Vendor Onboarding

The Questions that 96% of Enterprise Security Questionnaires Ask

We've talked frequently about what to expect on enterprise security questionnaires. When founders know what to anticipate on those types of questionnaires, they get a head start on preparing proactively. That preparation can make all the difference when it comes to persuading a large enterprise that a startup is mature enough to be relied upon for business critical operations.

But, a sticking point in those conversations between founders and enterprise compliance teams can be... well... compliance. Some compliance obligations are not ones that can be satisfied overnight; some take weeks or months (and occasionally years) to get right.

So, founders are wise to anticipate which compliance questions they might face in enterprise security questionnaires. With that information in hand, founders can pursue the dual track we most frequently recommend: putting compensating controls in place until compliance can be fully achieved, while also beginning to pursue formal compliance (even if that takes a while). We see this very frequently with SOC 2: our clients are often able to satisfy an IT compliance team by demonstrating sophistication on the types of controls that SOC 2 covers, even before they hold a clean SOC 2 report issued by an auditor. When they do finally obtain the report, it further cements their credibility with the enterprise they are doing business with.

Categories: Enterprise Security Questionnaires, Vendor Onboarding

4 Common Tests Requested in a Vendor Security Assessment

When a founder-led business receives its first Vendor Security Assessment, it's a bittersweet moment. On the positive side, it usually means that the startup is being taken seriously by an enterprise -- often a prospective customer. On the negative side, a tough vendor security assessment often puts a startup on its heels as it scrambles to find acceptable answers to the difficult questions therein.

One topic that comes up frequently is testing. Enterprises know that early-stage companies are often highly resource-constrained, which raises the question of whether the product or solution has been tested in a way that gives confidence the startup can deliver the way it says it will. From the enterprise's perspective, probing on testing practices is just a "common sense" way to gauge the maturity of the small business it is considering working with.

But, what types of tests are startups being asked about, in a typical Vendor Security Assessment? We set out to answer precisely that question, by analyzing our internal archive of vendor security assessments, and here's what we found.

Categories: Enterprise Security Questionnaires, Vendor Onboarding

6 Old Fashioned Questions in Vendor Security Assessments

Vendor Security Assessments are slow to change. If there is one part of a large enterprise that has a thankless job, it's the IT compliance team charged with creating, revising, and reviewing vendor security assessment processes and forms. Make it too difficult, and business sponsors (buyers) across the company get upset that it takes too long to onboard their favorite new vendor. Make it too easy, and the enterprise takes on headline-grabbing cybersecurity risk with wide-reaching regulatory and reputational impact.

So, in the face of these opposing pressures, what happens to an enterprise's vendor security assessment forms and questionnaires over time? In our observation, almost nothing. You read that correctly: the vendor security assessments that a particular enterprise had in place 12 months ago are almost certainly the ones it has in place today.

Categories: Enterprise Security Questionnaires, Infosec Training, Vendor Onboarding

Vendor Risk Assessments & Security Awareness Training

Before we get into the interplay between vendor risk assessment and security awareness training, let's get one thing out of the way right here at the top. There are bona fide, important, practical reasons why you absolutely should be doing security awareness training for your team regardless of whether a vendor risk assessment ever asks you to do so. It's a smart move either way.

However, as a company that specializes in working with founding teams, we know that an early-stage venture sometimes hits its growth stride so quickly that the forcing function (a vendor risk assessment) arrives before the intuitive thought of "we should probably be doing some security awareness training" -- and we certainly empathize with founders in that situation.

Categories: Cyber Security, Enterprise Security Questionnaires, Vendor Onboarding

Vendor Risk Assessments & Hidden Recurring Commitments

When founding teams find a way to survive their first vendor risk assessment -- usually on the tail end of making their first enterprise sale -- it's a moment that calls for celebration. At Havoc Shield, one of the absolute best moments for us is when a client calls us back and says "with your help, we made it through that security questionnaire" -- it's a celebration on our end too! But, is the end of a vendor risk assessment the final chapter in the vetting that the startup will face from their new enterprise customer? In a word, no. We'll explore below.

Categories: Cyber Security, Enterprise Security Questionnaires, Remote Work, SOC 2, Vendor Onboarding, WFH Cybersecurity

9 Small Business Cybersecurity Wakeup Calls for Founders

Every day we talk with startup founders about small business cybersecurity. Although we'd love to speak with founders who spontaneously decided to "do more" about cybersecurity, our conversations usually start very differently than that.

Most often, there is a very specific and urgent cybersecurity-related need at hand, and an urgent call to our team for help thinking it through. We're happy to help -- not a problem! However, for the benefit of founders who haven't yet hit one of those moments, here's what folks a few steps ahead of you are running into. We're glad to help with these more proactively if you'd like, to save a hectic scramble later.

Categories: Enterprise Security Questionnaires, SOC 2

SOC 2 Compliance Checklist: Pre-Audit Steps

Thinking of engaging a SOC 2 auditor? Good thinking. Successful completion of a SOC 2 audit carries a great deal of credibility, especially for small organizations seeking to do business with large enterprises. Heading into your SOC 2 audit (and in fact, before you engage an auditor), you should have a SOC 2 compliance checklist in mind: the things you believe you will need to demonstrate to the auditor.

A common misconception is that the SOC 2 process is designed to help you implement additional controls and processes. Not so. The SOC 2 audit is designed to evaluate your organization's practices on the premise that the controls and processes are already in place and operating.

Categories: Enterprise Security Questionnaires, Infosec Policies

Uncovering Hidden Annual Security Requirements

As the end of the year approaches, hidden annual security requirements tend to pop up at the least convenient time. Although we're glad to spring into action to help bail out companies that have some last-minute cybersecurity obligation that needs "doing" before December 31st, we'd rather help you avoid that type of scramble altogether in the future. Here are the top ways that you can sniff out hidden annual security requirements well in advance, to avoid a scramble.

Categories: Enterprise Security Questionnaires, SOC 2

5 Easy Shortcuts on Enterprise Security Questionnaires

Every day we talk with small businesses struggling with enterprise security questionnaires. And every day we hear some of the same underlying anxieties... What if I don't have everything the enterprise asked for? What if I don't have SOC 2? Should I elaborate on this answer? Should I attach supporting evidence for that question? For ventures that haven't been through the enterprise security questionnaire process before, the process can feel arbitrary, cumbersome, and ambiguous. This article has five of our top "easy wins" for saving time and frustration when filling out an enterprise security questionnaire.

Categories: Cyber Security, Enterprise Security Questionnaires, SOC 2

Getting by Without SOC 2 Type II

There are two things we need to say right away: (1) we are believers in SOC 2 Type II - we think it's driven positive change in cybersecurity and beyond, and (2) it sure is a pain when someone asks you if you are SOC 2 Type II compliant and you don't have a good answer for them. In this post, we'll explore what to do when you are asked (perhaps by an enterprise customer) if you have an unqualified SOC 2 Type II audit report.
