How Much Time Does Your Team Spend on Security Questionnaires?

Asked By CuriousCoder88 On

I recently spoke with a CTO who mentioned that he dedicates over 8 hours to every vendor security assessment they receive. This includes SOC 2 questionnaires, GDPR compliance forms, and other custom security questionnaires, which often ask the same 200 questions in various formats. I'm curious about how your teams handle this process. How many security and compliance questionnaires do you receive monthly? Who usually fills them out—the CTO, a dedicated compliance professional, or is it shared amongst the team? Also, how much of your work is just reusing previous answers versus crafting new ones? Have you ever lost a deal because the questionnaire process took too long? Have you tried automating this process, or is it still all done manually? Looking for insights to see if this is a common challenge across different company sizes.

1 Answer

Answered By AuditAce01 On

I hear you on the frustration! The questions can be really convoluted sometimes, and they often reflect whatever buzzword is currently trending in security discussions. I once had to answer, 'How often do you check cybersecurity?' It's like, how do I even quantify that? A straightforward response is tough without context.

SecurityGuru42 -

If your internal scanner checks every six hours, then that should be your answer. It'll be useful to set a baseline based on what others expect.
