What’s your “hot take” when it comes to security questionnaires?

VP of IT in Real Estate, 6 hours ago

I like the idea of a "common" security questionnaire so that a company only needs to fill out one and then can share it with anyone asking. Then only deal with anything non-standard. Something like: https://sharedassessments.org/sig/. Next thought is that a service like Blackkite gets you to a very rapid understanding of a vendor's risks without having to do the back and forth on questions.

CIO, 4 days ago

SOC2 compliance, PCI compliance and Incident Response SLAs

VP of Information Security, 20 days ago

It amazes me that security questionnaires are still seen as a key component of vendor due diligence. Most of the time this is a checkbox compliance exercise. I rarely see meaningful follow-up to responses that are clearly high-risk and I can say that as someone who has sat on both sides.

Companies know how to answer these questionnaires to pass compliance knowing full well that if the requester dug any deeper they would fail.

Do not let this be your own process in checking compliance. Ask for evidence and follow up on answers. Don't let completing a questionnaire be your only due diligence.

CISO, a month ago

We know that they are lying, they know that they are lying, they even know that we know they are lying, we also know that they know we know they are lying too, they of course know that we certainly know they know we know they are lying too as well, but they are still lying.

Director of Cyber Engineering in Healthcare and Biotech, a month ago

My "hot take" on security questionnaires is that while they’re a useful starting point, it’s vital not to depend solely on any single document. Always look for certifications, audit reports like SOC2, and other third-party assurances to confirm your security posture. Check if the organization already has a completed questionnaire to avoid duplication and save time. It’s crucial to incorporate your specific security requirements directly into the agreement, especially for non-regulated industries. For regulated industries, ensure you include a formal compliance statement and a requirement for proof of compliance. Ultimately, create a customized set of questionnaires and assessments based on the nature of the services, data sensitivity, and level of access involved—this detailed approach more effectively manages risk and clarifies expectations.
