What’s your “hot take” when it comes to security questionnaires?

2.1k views, 1 upvote, 4 comments
CISO, 6 days ago

We know that they are lying, they know that they are lying, they even know that we know they are lying, we also know that they know we know they are lying too, they of course know that we certainly know they know we know they are lying too as well, but they are still lying.

Director of Cyber Engineering in Healthcare and Biotech, 20 days ago

My "hot take" on security questionnaires is that while they’re a useful starting point, it’s vital not to depend solely on any single document. Always look for certifications, audit reports like SOC2, and other third-party assurances to confirm your security posture. Check if the organization already has a completed questionnaire to avoid duplication and save time. It’s crucial to incorporate your specific security requirements directly into the agreement, especially for non-regulated industries. For regulated industries, ensure you include a formal compliance statement and a requirement for proof of compliance. Ultimately, create a customized set of questionnaires and assessments based on the nature of the services, data sensitivity, and level of access involved—this detailed approach more effectively manages risk and clarifies expectations.

CISO in Insurance (except health), 23 days ago

Everyone is utilizing these questionnaires extensively, yet their attention remains largely unengaged unless there is a compelling reason to do so. In my experience, even companies in highly regulated industries have found themselves wasting a significant amount of time completing security questionnaires. A potential improvement involves incorporating these questionnaires into the contract itself. By sending the questionnaire prior to the contract signature, you can clearly state that the questionnaire will become an annex, thereby binding the individual who answers it to the contract.

For instance, despite working in an insurance institution in Europe that is heavily regulated by DORA and EIOPA, we still have clients who request that we complete their security questionnaires. I fail to discern any practical purpose in this request, as we are already subject to the regulations and supervision of the local regulator.

Director of IT in Software, 24 days ago

To attempt to cover risk, security questionnaires often ask for a growing range of security certifications. There does not appear to be a correlation between security breaches and the completion of these certifications. They are more a comfort exercise than a true test. On paper, certifications may give a false sense of security with the vendor in question, given that some of the most high-profile security failures have come from what would undoubtedly be some of the most well-certified vendors.
