Acing the Dreaded RFP Security Questionnaire

Acing the Dreaded RFP Security Questionnaire

Over 20 years in enterprise software sales and technology has taught me that the organization looking to take on your product or service has more to lose than you do by adopting your technology. Remember, your champion will take on reputational risk when they select your company. And if you fail to meet expectations, they could be out of a job.

In the sales process, the legal and procurement diligence procedure typically falls outside your control. This is where you stop selling your product and start selling your reputation and credibility. It’s also where nearly one third of all deals fall through, are downsized to a trial/evaluation license from a production license or lost to a competitor. I’ve seen all three scenarios over the course of a deal.

The legal and procurement process for most larger organizations, particularly in regulated industries like financial services, involves the following steps:

  • Vendor documentation
  • License agreement (sometimes prescribed by the customer and not you!)
  • Compliance verification
  • Non-disclosure agreement
  • Corporate declarations (insurance, governance, anti-bribery, anti-money laundering, etc)
  • The “dreaded” Security and IT Compliance Questionnaire!

What Is an RFP Security Questionnaire?

This document is often a spreadsheet with anywhere from 50 to 500 questions. It requests documentation on your IT security program and certifications. Fear not—while the security questionnaire is meant to look intimidating, it’s the only way your buyer can obtain a written record of your commitments, mitigate risk, and frankly, save their jobs if your company fails.

Once you recognize that a client’s questionnaire is largely a risk-mitigation document, you should embrace it with honesty, competence and confidence. To begin, one of the best ways to approach this step is to come prepared. Tugboat Logic’s RFP Response Management Solution provides two different exportable reports that can help you head off a compliance or security questionnaire from the outset.

How to Answer an RFP Security Questionnaire

Creating one of the above reports is easy. To start, build your information security program and document it. You can use tools like Tugboat Logic’s Turnkey InfoSec Program. Alternatively, have your CTO or engineering lead document your security policies, procedures and controls in a concise, well-written document.

Another tip to lessen the stress of answering all those questions is to be thorough and accurate in your responses. You can’t just answer yes or no, since most large organizations will reject your responses if they are incomplete. Worse, they’ll follow up with in-person interviews or audits of your actual security controls with your IT staff. You need to respond with accuracy and completeness. Tugboat Logic’s RFP Response Management System makes this easy by auto-answering security questionnaires with content from your active InfoSec program.

The final recommendation is to head off any difficult situations directly with the team that authored the RFP. While it may extend the sales cycle somewhat, holding a conference call to discuss either the relevance of certain questions or whether questions are too far reaching will make things much easier in the long run. In the latter case, the client may be seeking a “compensating control” to anticipate all forms of data loss risk, but it may not be practical given the solution’s architecture or client use case. Have the conversation to discuss risk. Your customer will appreciate you did and will see it as a sign of competence and strength.

Final Thoughts

Completing an RFP security questionnaire should enable your company to shine and put its best foot forward. Learn how to automate the process for faster and more consistent responses in our step-by-step guide to acing RFP security questionnaires.

The more proactive you are in offering proof points about your security program, the more you’ll instil confidence in your client, which makes it easier for them to purchase your solution.