It’s a big day. Your company is about to sign with its biggest customer yet: a Fortune 500 (F500) multi-million dollar deal. You’re beyond excited as this will set your company up for the big leagues. Then, during procurement, your heart sinks as the customer hands over a daunting list of cybersecurity requirements to sign the contract.
Stepping back, you think, “No big deal, we’ve filled these questionnaires out before and figured it out along the way.” Two key problems with this:
(1) Your legal counsel tells you the contract also states that the F500 company can, and many times will, validate your responses with an audit.
(2) Your current company doesn’t have a cyber team or a cyber strategy.
Now you’re in a bind. Fortunately, this is where cybersecurity service providers can have a demonstrable ROI to help you go from zero to compliance quickly.
At Cyber Defense Group (CDG) this is a scenario that we often see, where our client is not prepared to meet the cybersecurity requirements of a larger customer or cyber insurance coverage. A few years ago, one could download some policy templates, answer a cyber questionnaire without verification, and consider themselves “secure” for the purposes of a contract. Those days are thankfully gone as we now live in a world where everyone is aware of the hazards of third-party risk, and it’s necessary to be able to demonstrate your cybersecurity posture meets the standards of enterprise customers, who will verify your answers. And if you lie on the application for cyber insurance you’re giving them a huge reason to deny any future claims. Implementing technical security controls without an overarching security program or addressing ongoing risk does not constitute a “reasonable security program.”
Of course, the best way to do this is to have a solid security program in place BEFORE you are asked to outline the details of the program in a customer questionnaire. But if you haven’t had the opportunity to implement security measures yet, or are only somewhat or partly there, then the next best way to answer these questionnaires is to work with a cybersecurity-as-a-service company like ours to set up a program that will answer the questionnaire while also meeting the goals underneath the questionnaire – of validating that you, the vendor, are in fact secure.
What to do?
If you’re in the predicament outlined above, the good news is that you can recover, and possibly save the revenue, by following some simple steps:
1. Outsource your cyber program
This is essential because it is highly unlikely that you will be able to hire the right people on your own team to get a program in place in such a short period. As noted, the good news is that cybersecurity consultancies (like CDG!) exist for exactly this reason. Whether you’re starting from nothing (no cybersecurity measures, no in-house security team), have a program that just meets the industry standards for compliance like ISO 27001 or SOC 2, or perhaps you are exceeding industry standards, but don’t feel up to the rigor of an F500 client audit, an external resource is necessary to get you up and running in the shortest amount of time.
Don’t forget that your F500 customer wants to ensure that you, as their potential vendor, will keep your systems and software secure so that any data they share with you, and any systems of theirs that are connected to yours, also remain secure. We’ve all heard about SolarWinds, and the downstream clients who were impacted by that breach – nobody wants to see that happen to their organization, especially a publicly-traded F500 company that is already a big target for attackers by the very nature of its size and financial capital. It’s up to you to find the right resource to ensure you (and they!) feel confident you meet this need as expressed in the security questionnaire.
2. Buy some time
You can likely stall a bit while this is happening, depending on how early you are in your cybersecurity program. Even if it is truly at “zero”, you can ask for contract language to be added that states that you will be compliant by “X” date. Request as much time as you can. 12 months is our recommendation for going from zero to compliant, but if that is not feasible, try to ask for at least six months if possible. Note that the absolute minimum it would likely take to get enough controls in place for a baseline security program is three months.
The reason we recommend more time: the faster you go, the more expensive it will be in terms of vendor resources, and a condensed program will also ask more of your own team’s time and resources. This is another reason why we recommend committing to these programs PROACTIVELY: to avoid exactly this type of problem, to protect your company for security reasons and not just compliance reasons, and to avoid the mad scramble.
3. Choose the right resource
Now that you’ve decided to outsource and bought some time, it’s critical to ensure your outsourced cyber team actually has the resources to implement the program rapidly. We find that there are several things to note:
- Keep in mind that compliance is NOT security. It’s possible to just implement a program for the purpose of compliance with a third-party or insurance questionnaire. This is the approach that many sub-par consultants will take, especially if they don’t actually know how to set up a security program, but can set up just enough to make you compliant. They might recommend that you just tick off a list of compliance actions under a framework like NIST and be done. However, that won’t make you secure or address true data protection. Remember: at the end of the day, what the customer is looking for is assurance that your business is secure. Many of the hacks that you read about have occurred because those organizations, large and small, have chased compliance over security.
- Use cybersecurity experts. Just like you wouldn’t go to your general practitioner for a nuanced problem with your brain, and instead you’d want to consult a neurologist, don’t rely on general IT technicians or consultants that do not specialize in cybersecurity for help with meeting the requirements of a cybersecurity questionnaire. This is one of those times you’ll want an expert, one who knows how to implement the necessary controls without slowing the business down, and who knows what F500 companies are looking for.
- Make sure your provider won’t be relying 100% on your team to do the work, while just doing a “paper-based” exercise themselves. Be especially wary of offers from IT firms that might have a cyber practice leader and IT security engineering resources, but don’t have real, demonstrable cybersecurity expertise. IT providers typically will recommend just tools and technology. If they don’t have access to a team of cybersecurity experts who have worked on the cyber teams of F500 companies and done this before, then you won’t be able to get a program implemented quickly or effectively, especially if you’re starting from scratch. Technical controls are important, but you’ll need to demonstrate adequate people and processes as well to pass muster.
- Look for a hands-on approach. An F500 company will often try to poke holes in your answers; make sure your provider can handle any pushback. Look for a resource that will be there when it’s time for the audit: ready, willing, and experienced at assuring the F500 security team that their data and systems are in good, secure hands and that your processes and procedures can fully, and defensibly, meet any standards set forth on the questionnaire. Note: If working with insurance, you want a team that will answer the questionnaire to maximize your chance of having a claim paid. When there is an incident, many insurers will reject a claim by using their own IR firm to find evidence that you did not implement “reasonable security” as you said you had in the initial questionnaire. Your outsourced cyber team should be able to come to your aid to combat that by showing that you had a full security team, with policies and procedures, and a record of everything you are doing and have been doing – leaving the insurer with no legal reason to deny a claim.
4. Get assessed
Now that you’ve hired a consultant, the first step they will recommend for your external cyber engagement should be an assessment. During this assessment they will perform a gap analysis against the questions you need to answer to close the pending deal. They will also point out weaknesses in your current people, processes and technology that might lead to a data breach, and prioritize the remediation of those weaknesses. The assessment determines where your program is starting from and where you need to go to meet your obligations under the security questionnaire.
Generally we recommend using the CIS 18 Critical Security Controls to set up a secure program that will meet insurance and customer requirements. Once you have these controls in place, you should be able to answer customer questionnaires with flying colors.
5. Implement rapidly
Most likely you weren’t able to stall enough to get 12 months to set up your program. That being the case, once you’ve got the right resources, bought yourself at least three months (hopefully!), and gotten assessed, now it’s time to work with your outsourced cybersecurity team and get that program implemented quickly. No delays.
With that, you’ll have gone from zero to security. But it doesn’t end there; it’s important to maintain your program. Cybersecurity isn’t a straight line but a circle, and continuous improvements are vital to staying secure. Additionally, and more tactically, if you don’t maintain your security program, it may degrade, and while you may get through the first year of that F500 contract, what happens if it has a clause requiring you to recommit every year or two? What if, as part of this, they also require a new audit? The last place you want to be is staring down your customer’s third-party security team as they notify you that, a year on, they’ve noticed your policies haven’t been updated and an external scan found a bunch of open ports.
Periodic renewals of customer requirements are much easier to meet if you keep your security tight. That’s why we recommend you give security the visibility and traction it needs across the organization to be a highly functioning part of the business, by doing the following:
6. Embed security
Once the initial program is implemented rapidly, it’s now time to really drive cybersecurity as a culture around the whole organization. This means continuous improvement, and concentration on the areas of highest risk. At this stage you may start to look for an internal resource solely dedicated to cybersecurity, who will work with your outsourced cyber team.
7. Gain visibility
You need to give the C-suite and board of directors monthly visibility into your cybersecurity program so they are aware of how it is functioning. Metrics such as security posture improvements and remediated risks (or change in threat/risk profile) need to be tracked.
8. Tie cybersecurity program goals to the business goals
Make sure what is driving the cyber program forward has a direct correlation with what the business is trying to achieve. You’re already in a good position on this since you just saved a multi-million dollar contract with a proper cybersecurity strategy.
The best time to invest in your cybersecurity program is now, proactively, before you need it. That way you can avoid downtime due to an adverse event, respond to external scrutiny of your cybersecurity program quickly and easily, and ensure you don’t sacrifice revenue. But even if you just got served that questionnaire and are starting from zero, there are solutions. Contact us and see how we can help.