VSQs 101: How to get started

July 10, 2024

Preparing your company for sales is an exciting milestone to reach. It’s an opportunity for company growth, furthering your product, and ultimately, closing deals.

It’s also the time you’ll run into vendor security questionnaires.

As a B2B company, you will most certainly receive a VSQ that requires you to demonstrate the security of your product and infrastructure (and whatever else your potential client deems necessary). The request may come in the form of a standardized VSQ, like a SIG, CAIQ, or VSA, or one created in-house that may or may not have grown a bit stale.

VSQs are a necessity for sales success, but they come with challenges. They can be hundreds of questions long. Answering them can require input from Sales, Legal, and Infrastructure teams – usually the people with the least amount of time to spare. They often contain ambiguous questions that no one understands, and possibly ask questions that do not apply to either your infrastructure or your product. The list goes on! It takes a certain skill set to handle them successfully. How quickly and accurately you respond to VSQs can determine whether or not your company closes a sale. But have no fear, we are here to provide some pointers!

So, what do you need to be successful with VSQs?

People! — it’s a group effort

As mentioned, you’ll need input from various teams to complete a VSQ. You’ll quickly learn that vendor security questionnaires ask about more than security!

  • Identify the key personnel who will support sales, customer success, security, privacy, compliance, legal, engineering, and leadership-related questions.
  • At a minimum, have a team member from operations (Head of Ops, CEO, etc.) and from the technical side of the house (DevOps, lead developer, etc.) supporting the sales team.
  • Pro-tip 💡 Identify backup personnel for these folks, too, in case someone is out of the office.
  • To ensure success, give VSQ ownership to someone involved. Having one person accountable for everything VSQ-related helps ensure the right stakeholders are involved and that data and processes don’t go stale.

    You will need data

    Not just any data but accurate and up-to-date information about technical infrastructure, compliance practices, security controls, business continuity, and much more. VSQs ask for a lot of information so curation is a must. More often than not, you will be asked to provide supplemental documentation:

    • Audit reports (e.g., SOC 2 Type II)
        • We recommend executing an NDA with the potential client before sharing any non-public collateral.
    • Security assessments/pen test summaries
        • We recommend starting with a Letter of Engagement from the third party providing the pen test and, if more is needed, providing a summary of the pen test upon request.
    • Information security policies
        • We recommend not sharing the entire policy packet from the start. Instead, start with a table of contents or executive summary of the policies.
    • Cyber insurance
        • We recommend not sharing the exact amount of liability coverage by default unless there’s a specific request for it.

    The VSQ team should gather the above collateral and store it in a shared folder (e.g., Google Drive, Notion). The accountable person for VSQs should maintain this shared space so that only up-to-date documents are available and appropriate people have access.

    Have generic VSQs filled out to share preemptively, especially for small deals. The amount of effort your team puts into a VSQ should reflect the deal size. For those smaller deals, sending a completed standardized VSQ should suffice. For example, fill out a Vendor Security Alliance VSQ and share it with your potential clients. It may prevent them from sending you their questionnaire to fill out. Pro-tip 💡 Revisit the standardized VSQ answers twice yearly to ensure accuracy.

    You might consider some form of spreadsheet/database of previously used answers or FAQs like a knowledge bank. This can help extend who can support VSQs and may help you get through them faster. Keeping a knowledge bank comes with a caveat: reviewing and curating the information is key - the data will grow stale sooner than you think. We recommend a minimum review of twice a year. We also recommend documenting in the knowledge bank when an answer was given and, if possible, by whom. You can start to see where the overhead grows for the accountable party and their workload.

    Build a process

    Once you have the supporting team and data, you can build a process around it! Start with tracking VSQ requests through their lifecycle. This could be in a ticketing system like Jira or in a shared spreadsheet. Some recommendations for relevant information tracking:

    • When a VSQ came in
    • The requester
    • Has the requester signed an NDA? If so, when?
    • Who worked on it
    • Who reviewed it
    • Link to the completed questionnaire if possible
    • Sales outcomes alongside VSQs
    • Indicators that may have impacted the sale

    There are many more metrics someone can track through this process. If certain VSQ responses are not linking to closed sales, your company can prioritize the improvements needed to provide better responses.

    Create a runbook for your team handling VSQs. This runbook should guide the team on the entire VSQ process:

    • What to do when a VSQ comes in
    • Contact info for identified key personnel
    • Links to shared collateral, any knowledge banks
    • Steps to take when review is needed and by whom
    • Where to add metrics for tracking purposes

    Pro-tip 💡: Include a flowchart or process flow diagram to identify certain paths employees should follow when dealing with a VSQ. For example, when to provide a preemptively filled-out standardized VSQ vs. when to accept a request to fill one out fresh.

    Simple VSQ flow diagram example

    Lastly, train everyone who may receive a VSQ, and revisit the training regularly. Remind the team to solicit VSQs early in the procurement process. The more proactive your sales team is with the process, the less likely you’ll get a 300-question VSQ due in two days.

    It takes a village to do this successfully. For those interested in the simplified way of dealing with VSQs, contact us! Let us take it all off your plate.
