What’s your “hot take” when it comes to security questionnaires?

We know that they are lying, they know that they are lying, they even know that we know they are lying, we also know that they know we know they are lying too, they of course know that we certainly know they know we know they are lying too as well, but they are still lying.

My "hot take" on security questionnaires is that while they’re a useful starting point, it’s vital not to depend solely on any single document. Always look for certifications, audit reports like SOC2, and other third-party assurances to confirm your security posture. Check if the organization already has a completed questionnaire to avoid duplication and save time. It’s crucial to incorporate your specific security requirements directly into the agreement, especially for non-regulated industries. For regulated industries, ensure you include a formal compliance statement and a requirement for proof of compliance. Ultimately, create a customized set of questionnaires and assessments based on the nature of the services, data sensitivity, and level of access involved—this detailed approach more effectively manages risk and clarifies expectations.

Everyone are utilizing these questionnaires extensively, yet their attention remains largely unengaged unless there is a compelling reason to do so. In my experience, even companies in highly regulated industries have found themselves wasting a significant amount of time completing security questionnaires. A potential improvement involves incorporating these questionnaires into the contract itself. By sending the questionnaire prior to the contract signature, you can clearly state that the questionnaire will become an annex, thereby binding the individual who answers it to the contract.

For instance, despite working in an insurance institution in Europe that is heavily regulated by DORA and EIOPA, we still have clients who request that to complete their security questionnaires. I fail to discern any practical purpose in this request, as we are already subject to the regulations and supervision of the local regulator.

To attempt to cover risk security questionnaires often ask for a growing range of security certifications. There does not appear to be a correlation between security breaches and the completion of these certifications. They are more a comfort exercise than a true test. On paper certifications may give a false sense of security with the vendor in question given some of the most high profile security failures have come from what would undoubtedly be some of the most well certified vendors.