When your prospect or customer gives you a 900-questions to assess your information security stance, and it seems like an uphill task, do not panic. Take advice from an experienced Sherpa.

Typical Scenario.

You are a startup growth company. You have had a hard journey of designing and developing a cutting-edge offering that market really needs. You have a few early adopters with proven proof of concept (POCs.)

 You have reached a point of growth now, where a large corporation is interested in your offering and showed interest in doing a pilot with you. So far so good. The business team you are dealing with refers you to their department of vendor management. They ask you to qualify their TPRM (third-party risk mitigation) process Upfront of TPRM process is a rather large self-assessment questionnaire waiting for you to fill-up.

How large could be the questionnaire? In our experience on both sides of the fence, as the manager running TPRM programs for large global corporations, as well as consultant helping clients to go through the TPRM gates, we have seen anywhere from 500 to 900 questions long questionnaires.

The quesionnaire could be a questionnaire based on Standardized Information Gathering (https://sharedassessments.org/sig/ ), Cloud Security Alliance Questionnaire (https://cloudsecurityalliance.org/) or a leading industry standards, such as NIST, CIS Control framework etc.

So, what is our advice to deal with the large questionnaire?

We have developed a seven-point advisory for the startup growth companies, who are going through the third-party risk management (TPRM) process:

1.      Do not panic.

Do not panic just looking at the questionnaire. Remember the old saying “how do you eat an elephant?” Well, the answer is, “piece by piece.” Not laterally, but figuratively. Nobody really eats an elephant. What it really means is to start by doing what is necessary, then do what is possible, and slowly doing the seemingly impossible.

However, before you start eating your elephant piece by piece, do read the advice #2.

2.      Do not start with answering the questionnaire straight away.

Before you have an urge to answer the obvious or trivial questions in the questionnaire, please stop, and do your prep-work instead. Think from your prospect’s perspective, "What risks are they trying to mitigate through their TPRM program?" If you cannot figure out all by yourself, ask your prospect. They should be willing to share this information with you. When you have that information, you'll have a good starting point to evaluate what do you have against what is required by your prospect. You are in a much better position now.

Go to advice #3.

3.      Focus on what you have

Focus on the security controls in your organization and in your offering. An example of an organizational control may be your HR policy that requires background check for all potential employees and contractors. Another example of a security control built in your offering may be multi-factor authentication for all users.

Collect all your security controls, top-down:

a.      Security charter

b.      Security policies, procedures, roles, and standard operating procedures

c.      Summary report of any vulnerability or penetration testing

d.      Evidence of control effectiveness, such as metric or benchmark report, prior audits/ screening or a third-party attestation or certification

e.      Any other information that can be used as a support of your response to the questionnaire.

4.      Focus on the main sections of the questionnaire

Now, check the organization of the questionnaire. What are the major sections of the questionnaire. Usually, these are about 15-20 major security domains or towers in which the questionnaire is organized. Your prospect intend to assess the strength of the security controls of your offering in these domains. If they find you have adequate controls in a domain and there is enough evidence for them to believe in your assertions, they will move ahead to the next domain. It is important you organize your thoughts around the central theme of the domain, rather than answering questions in sequential order.

5.      Provide evidence. Do not assume anything.

Do provide documentation/link/metric to support your assertion in each domain. If you say not applicable (N/A) as a response to a particular question, please state why you think it is so. It is always good to provide a context diagram, network topology and/or data flow diagrams to support your response.

6.      Answer what you must and relevant, N/A the rest

The good news is you do not have to answer each and every question. Chances are, if you state N/A to a root question, all sub-questions of the root question may go away or become irrelevant. Thus, the material questions may be much less than the original set of questions that looked daunting at first. finding relief in this information already?

7.      Hire a Sherpa

TPRM process is hard. If not planned properly, this may put delays in your sales-cycle and is demotivating your sales staff. It is almost like climbing Mount Everest. You know how to climb, and have adequate gear and equipment, yet to conquer the submit you may need help from a Sherpa, a local guide and a companion, who is well-versed with the terrain, and helps you in heavy lifting. There are many good Sherpas available in the market, including us, the Frictionless Security. The only difference is Frictionless Security has a proven framework for TPRM, relevant skills and experience in helping organizations succeed in crossing the TPRM-gates several times over. So, you do not have to go far to find your Sherpa if you really need one.

Finally, the four take-aways from this advisory:

1.      Do not panic and find a Sherpa (local guide)

2.      Know your prospect’s third-party risks

3.      Organize your security controls around thequestionnaire

4.      Provide convincing evidence to your assertions

Best of luck with TPRM process.