Ask HN: How do you deal with security questionnaires?

4 points by lbriner ↗ HN
We are constantly bothered by buying departments doing what they think is "due diligence" by asking a tonne of abstract open-ended questions about security with no context, like,

"How do you manage security keys?"

"What encryption do you use?"

Unless you are self-employed, they are massive questions full of nuance and probably have 50 different answers on 50 different systems but these companies believe they have the right to ask.

I know we can use a Security-as-a-service company to answer these on our behalf but I wondered what more established companies do? Do you just say, "here is the standard security page and that's all you're getting", or do you also spend many hours answering "what backups do you take?"

3 comments

[ 3.4 ms ] story [ 20.7 ms ] thread
Train up a SecOps team
Is that value-for-money for customers who are only paying $5K per year? I would be interested in what other larger businesses do. Is anything big enough to just refuse to do the questionnaires?
If it were me, I would deal with the questionnaires with pricing. It-provides-responses-to-secuirty-questionnaires is just another feature of the product...at least to the degree that support should be considered part of the product (which it should).

Pricing should reflect both the cost of providing responses to security questionnaires and a healthy profit from doing so. And it can. Even if it costs you customers because that's part of the base cost in your pricing.

And it probably won't cost many customers because anyone asking you to fill out a security questionnaire is price insensitive enough to pay salaries (or consultants) to do all the dull work of creating questionnaires, figuring out who to send them to, sending-receiving-pestering-etc., and maybe even doing something with the results. And that person has a manager.

There's a river of money there to grow a questionnaire response profit center.

good luck.