Why Security Questionnaires Aren’t the Best for Risk

March 31, 2025


Originally published by Vanta.

Written by Chase Lee.


Security questionnaires are a standard part of almost every due diligence process before companies sign on to work with a new third party.

By asking detailed questions via questionnaires, organizations learn about a seller’s security controls and compliance with relevant standards. With that information, they determine whether and how a partnership with that third party would expand their attack surface and increase risk—and ultimately decide whether the increased risk is acceptable.

In theory, this process sounds great. But in practice, security questionnaires are an imperfect solution to truly assess third-party risk.

For the issuing party, questionnaires only provide a point-in-time snapshot of an organization’s security posture and—unfortunately—are rarely evaluated in the way they should be. For sellers, questionnaires present a huge burden that often gets in the way of high-value security tasks that really move the needle.


A brief history of security questionnaires

Before diving deeper into the issues around security questionnaires, it’s important to acknowledge how we got here. At one point in time, security questionnaires really were the best option to assess third-party risk. 

Questionnaires—or some form of them—were used throughout the late 1990s and early 2000s and really gained traction when the Shared Assessments organization developed the Standardized Information Gathering (SIG) Questionnaire in 2005. The SIG streamlined the questionnaire process and provided an industry standard that offered guidance for vendor evaluation—a significant step toward broader adoption of TPRM best practices.

As data breaches became more prevalent—and third-party ecosystems expanded and became increasingly interdependent—the use of security questionnaires continued to rise. New questions were developed alongside technological advancements, covering topics like multi-factor authentication, secure development practices, and new compliance frameworks. At the same time, old questions with outdated and irrelevant assumptions outlived their welcome.

Today, questionnaires are still the norm, and industry-standard versions like the SIG, and the more recently introduced CAIQ, include hundreds of questions about topics like endpoint security, compliance, operational resilience, and more.

Why the system is broken

Questionnaires have been around for a long time, but that doesn’t necessarily mean that they continue to be the best option for assessing risk. There are a lot of well-documented issues with questionnaires, including:

  • Questionnaire responses only represent a single point in time: Questionnaires have a limited shelf-life. They inherently focus on an organization’s current security practices and compliance posture—but don’t necessarily account for continuous monitoring or tracking and communicating important updates. Responses that are passable at the time the questionnaire is issued may change by the time an organization onboards with a vendor—rendering the entire process useless for organizations trying to truly assess the risk of working with a third party.
  • It’s hard to verify the accuracy of questionnaire responses: With questionnaires, organizations need to take vendors at their word. There is little opportunity and ability to investigate the information included within questionnaire responses, so it’s hard to know what information you can even trust. Alarmingly, reports indicate that only 34% of TPRM professionals believe the information included in security questionnaire responses. 
  • Questionnaires are rarely evaluated: Questionnaires are somewhat of a formality. Often, issuing parties will consider a vendor “secure” if they simply complete and return the questionnaire. There isn’t always a thorough evaluation of the actual information included in the questionnaire—or an effective way for issuing parties to request remediations for unsatisfactory responses.  
  • Questionnaires are a massive burden on security teams: Organizations tasked with completing questionnaires for prospects are left with a heavy burden. It’s difficult to gather all the necessary information, route through approvals, and complete extensive and in-depth questionnaires for each prospect relationship. Questionnaires can take anywhere from 5-15 hours to complete. Consider that against the volume of incoming questionnaires from prospects—which could amount to hundreds each month for larger companies. The time spent on security questionnaires takes resource-strained teams away from the high-value security work they really need to focus on to secure their systems, products, and data. 

At the end of the day, questionnaires check a box and provide a basic solution for buyers to assess risk. They’ve stood the test of time not because of efficacy but because there simply hasn’t been a better and more effective solution.

The future of verification

A one-to-one approach made sense when third-party ecosystems were smaller and less complex, and the number of documents and the amount of information to share were more limited.

But today, the pace of innovation is significantly faster and the threat landscape is larger. Organizations move quickly, rely on an ever-growing ecosystem of third-party partners, and need to monitor security on an ongoing basis. 

With all these changes in mind, forward-thinking organizations view the security verification process differently. They see verification as something that emerges from building mutual trust and promoting ongoing transparency versus something that’s earned by passing a test in the final stages of a deal cycle.

Instead of issuing questionnaires, the future of verification is about promoting continuous visibility to answer questions about an organization’s security posture—at any point in time—before they even need to be asked.

And those answers shouldn’t be restricted to a single recipient. Organizations across industries must commit to a baseline of public transparency, allowing us to create a network of public information where buyers and sellers can both prove their own security and instantly verify the security of any potential partner they consider adding to their ecosystem. This will foster better collaboration, a faster pace of innovation, and broad accountability for the security of all systems.

Thinking about verification in this way opens the door for new solutions that accomplish the goals of security questionnaires without the persistent issues related to timeliness, trust, and usefulness.


