Preparing your company for sales is an exciting milestone to reach. It’s an opportunity for company growth, furthering your product, and ultimately, closing deals.
It’s also the time you’ll run into vendor security questionnaires.
As a B2B company, you will most certainly receive a VSQ that requires you to demonstrate the security of your product and infrastructure (and whatever else your potential client deems necessary). The request may come in the form of a standardized VSQ, like a SIG, CAIQ, or VSA, or one created in-house that may or may not have grown a bit stale.
VSQs are a necessity for sales success, but they come with challenges. They can be hundreds of questions long. Answering them can require input from Sales, Legal, and Infrastructure teams – usually the people with the least amount of time to spare. They often contain ambiguous questions that no one understands, and possibly ask questions that do not apply to either your infrastructure or your product. The list goes on! It takes a certain skill set to handle them successfully. How quickly and accurately you respond to VSQs can determine whether or not your company closes a sale. But have no fear, we are here to provide some pointers!
So, what do you need to be successful with VSQs?
As mentioned, you’ll need input from various teams to complete a VSQ. You’ll quickly learn that vendor security questionnaires ask about more than security!
To ensure success, give VSQ ownership to someone involved. Having one person accountable for everything VSQ-related helps ensure the right stakeholders are involved and that data and processes don’t go stale.
You need not just any data, but accurate and up-to-date information about technical infrastructure, compliance practices, security controls, business continuity, and much more. VSQs ask for a lot of information, so curation is a must. More often than not, you will be asked to provide supplemental documentation:
The VSQ team should gather the above collateral and store it in a shared folder (e.g., Google Drive, Notion). The person accountable for VSQs should maintain this shared space so that only up-to-date documents are available and only the appropriate people have access.
Have generic VSQs filled out to share preemptively, especially for small deals. The amount of effort your team puts into a VSQ should reflect the deal size. For those smaller deals, sending a completed standardized VSQ should suffice. For example, fill out a Vendor Security Alliance VSQ and share it with your potential clients. It may prevent them from sending you their questionnaire to fill out.
Pro-tip 💡: Revisit the standardized VSQ answers twice yearly to ensure accuracy.
You might consider keeping a knowledge bank: a spreadsheet or database of previously used answers or FAQs. This can extend the set of people who can support VSQs and may help you get through them faster. Keeping a knowledge bank comes with a caveat: reviewing and curating the information is key, because the data will grow stale sooner than you think. We recommend a minimum review of twice a year. We also recommend documenting in the knowledge bank when an answer was given and, if possible, by whom. You can start to see where the overhead grows for the accountable party and their workload.
Once you have the supporting team and data, you can build a process around it! Start with tracking VSQ requests through their lifecycle. This could be in a ticketing system like Jira or in a shared spreadsheet. Some recommendations for relevant information tracking:
There are many more metrics someone can track through this process. If certain VSQ responses are not linking to closed sales, your company can prioritize the improvements needed to provide better responses.
Create a runbook for your team handling VSQs. This runbook should guide the team on the entire VSQ process:
Pro-tip 💡: Include a flowchart or process flow diagram to identify certain paths employees should follow when dealing with a VSQ. For example, when to provide a preemptively filled-out standardized VSQ vs. when to accept a request to fill one out fresh.
Lastly, train everyone who may receive a VSQ, and revisit the training regularly. Remind the team to solicit VSQs early in the procurement process. The more proactive your sales team is with the process, the less likely you’ll get a 300-question VSQ due in two days.
It takes a village to do this successfully. For those interested in the simplified way of dealing with VSQs, contact us! Let us take it all off your plate.