HyperComply’s Co-Founder and CEO, Amar Chahal, gave a session at Hyperproof's Hyperconnect earlier this month. Below is a summary.
The first step to trying to deflect security questionnaires is typically getting your SOC 2 or a similar certification or attestation, but for whatever reason, frameworks and standards don’t deflect most security questionnaires. These have become table stakes in deals, and the response is generally ‘Thank you for your SOC 2, now go fill out a longer questionnaire’.
We see this not just in pre-sale, but also as a quarterly or yearly recurring requirement from customers. Because it is one of the main points where their work overlaps, this can be a point of friction between security and customer-facing teams, but it doesn't have to be. Without friction in the operations of this process, both teams can see major benefits. For security, less friction in the vendor assessment process means more free time on your plate and a consistent way to point directly to how your team is influencing revenue. Of course security teams do far more than this for an organization, but we always hear it's an easy revenue impact reference point. For sales, less friction in this process means faster sales cycles.
This manual security questionnaire workflow might sound familiar:
Prospective customers come to us when they're spending weeks, sometimes months, stuck in the manual workflow. When time kills all deals, there is an obvious need to streamline this process.
The role of the stakeholder who owns this process tends to change by company, and company size, but is one of 3 options: Someone as high up as the CEO/CTO because they have the knowledge in their head; a dedicated SME who is assigned to this as a primary part of their role; or recently we are seeing security-focused pre-sales roles emerge.
We have a lot of data around security questionnaires (a full stat report coming soon!). But one consistent trend is that getting a lot of questionnaires is a good problem to have. How many questionnaires companies are getting is a direct proxy for how many new deals and renewals they have coming in. In this example chart you can see how questionnaire volume directly follows industry trends for sales. It’s also not just software companies anymore.
We're going to see more legacy businesses come "online" as they become more hands-on in managing customer data. The status quo is very manual, and there are better ways to manage how sales and security interact.
Security questionnaires are by no means fun, but they are essential in the sales process to ensure transparency so you can build trust with your network. We have done a ton of these, and want to share how the most efficient companies we work with handle them.
The companies with the most efficient security review processes were already turning questionnaires back to customers in under 5 days, sometimes the same day, when they came to HyperComply. The two main things these companies do well are eliminating redundant questions quickly and giving customer-facing teams the resources they need to own a larger part of the process.
Firstly, they understand what they need to do at every stage of the customer life cycle including what security information needs to be provided and when. Secondly, they curate a central repository of information including commonly asked questions or information that is typically asked for. Finally, they have a standard process for each team, sales and security, for how to find and share this information.
Typically the sales cycle is split up into 3 phases, and each phase requires something different from compliance teams:
Early Pre-Sale. Get your foot in the door with prospects.
Mid-Late Evaluation Stage. Where the security review and security questionnaires really kick off.
Post-Sale and Renewals. The same content required as every mid-late stage deal, but done on a recurring basis.
From an information organization/knowledge base perspective, we see 3 levels of maturity.
HyperComply integrates with the top compliance automation providers to seamlessly pull information from your pre-managed controls and map this information to commonly asked questions. That information is synced regularly as an evergreen source of truth for use in responding to questionnaires, and offers customer-facing teams up-to-date and vetted information.
Book time with our team to learn how HyperComply can fit into your existing compliance management program.