Using Security to Unblock Sales: Collaboration techniques for sales and security

By Amar Chahal
October 30, 2023
HyperComply’s Co-Founder and CEO, Amar Chahal, gave a session at Hyperproof's Hyperconnect earlier this month. Below is a summary. 

Security Questionnaires: past/present/future

Security Questionnaires 101

The first step to trying to deflect security questionnaires is typically getting your SOC 2 or a similar certification or attestation, but for whatever reason, frameworks and standards don’t deflect most security questionnaires. These have become table stakes in deals, and the response is generally ‘Thank you for your SOC 2, now go fill out a longer questionnaire’. 

We see this not just in pre-sale, but also as a quarterly or yearly recurring requirement from customers. As one of the main areas where security and customer-facing teams overlap, this can be a point of friction between them, but it doesn’t have to be. Without friction in the operations of this process, both teams can see major benefits. For security, less friction in the vendor assessment process means more free time on your plate and a consistent way to point directly to how your team is influencing revenue. Of course security teams do far more than this for an organization, but we always hear it’s an easy revenue impact reference point. For sales, less friction in this process means faster sales cycles. 

Typical Workflow

This manual security questionnaire workflow might sound familiar:  

  1. It comes in to someone in a customer-facing role (sits in their inbox for a few days)
  2. Gets sent to the relevant stakeholder
  3. They loop in all the subject matter experts and coordinate the effort to put these answers together
  4. They send it back to the customer

Prospective customers come to us when they're spending weeks, sometimes months, stuck in the manual workflow. When time kills all deals, there is an obvious need to streamline this process. 

The role of the stakeholder who owns this process varies by company and company size, but is typically one of 3 options: someone as high up as the CEO/CTO, because they have the knowledge in their head; a dedicated SME who is assigned this as a primary part of their role; or, increasingly, a security-focused pre-sales role, which we have recently seen emerge. 

Lessons learned from >100,000 questionnaires

We have a lot of data around security questionnaires (a full stat report coming soon!). But one consistent trend is that getting a lot of questionnaires is a good problem to have. How many questionnaires companies are getting is a direct proxy for how many new deals and renewals they have coming in. In this example chart you can see how questionnaire volume directly follows industry trends for sales. It’s also not just software companies anymore. 

Looking forward

We’re going to see more legacy businesses come “online” as they become more hands-on in managing customer data. The status quo is very manual, and there are better ways to manage how sales and security interact.

Using compliance as a competitive advantage throughout the customer lifecycle

Security questionnaires are by no means fun, but they are essential in the sales process to ensure transparency so you can build trust with your network. We have done a ton of these, and want to share how the most efficient companies we work with handle them.

What does ‘good’ look like?

The companies with the most efficient security review processes were already turning questionnaires back to customers in <5 days, sometimes the same day, when they came to HyperComply. The two main things these companies do well are eliminating redundant questions quickly and giving customer-facing teams the resources they need to own a larger part of the process. 

How do they do it?

Firstly, they understand what they need to do at every stage of the customer life cycle including what security information needs to be provided and when. Secondly, they curate a central repository of information including commonly asked questions or information that is typically asked for. Finally, they have a standard process for each team, sales and security, for how to find and share this information. 

Mapping out the customer + compliance touchpoint stages

Typically the sales cycle is split up into 3 phases, and each phase requires something different from compliance teams:

Early Pre-Sale. Get your foot in the door with prospects.

  • Make it easy for potential customers to check boxes and understand your security/compliance program. 
  • It’s in this stage customers will simply say “if you can’t do this, we won’t do business with you”. 
HyperComply offers a Trust Page tool where customers can proactively display security and compliance achievements and share information.

Mid-Late Evaluation Stage. Where the security review and security questionnaires really kick off. 

  • Requests to share your documentation and evidence start coming in, and teams need a way to share approved content securely.  
  • Security questionnaires are coming from prospects and customers. You need a consistent submission, completion, and review process in place for formal questionnaires.
  • Get customer-facing teams in the habit of asking about the security review process early. Asking about the security review portion can also act as a filter for sales forecasting. If the prospect shows no indication of doing any security review, the deal might be farther from closing than previously thought, or it could be in danger.

Post-Sale and Renewals. The same content required in every mid-late stage deal, but on a recurring basis.

  • Customers will ask for updated evidence.
  • Re-assessment (more questionnaires!)
  • Push your latest security updates to them proactively vs. responding to requests ad-hoc. 
HyperComply offers secure document-sharing spaces called Data Rooms and a security questionnaire response automation tool called HyperComply Respond.  

Curating a Knowledge Base

From an information organization/knowledge base perspective, we see 3 levels of maturity. 

  1. Basic. Companies maintain a FAQ spreadsheet or keep evidence in a shared folder, and share information with customer-facing teams ad hoc and on a need-to-know basis. 
  2. Advanced. Companies have a database of historical responses to questions that is easily searchable by customer-facing teams. They also typically have a central location of controlled evidence that can be referenced as needed.
  3. Expert. These companies give numerous different teams the ability to search for question responses and pull structured evidence in real time directly from whatever GRC management source they use. These teams fine-tune access controls and segment information by product or team, so that each team gets the information it needs while the appropriate guardrails stay in place. 

Learn how a global 22k-employee company manages 200 security questionnaires a year with HyperComply.  

HyperComply + Compliance Automation 

HyperComply integrates with the top compliance automation providers to seamlessly pull information from your pre-managed controls and map this information to commonly asked questions. That information is synced regularly as an evergreen source of truth for use in responding to questionnaires, and offers customer-facing teams up-to-date and vetted information. 

Book time with our team to learn how HyperComply can fit into your existing compliance management program.