
Time to streamline security questionnaires


COMMENTARY: A security professional, bleary-eyed and caffeine-fueled, stares down a 20-page questionnaire packed with hundreds of questions. It’s the all-too-common reality of third-party risk management—a process buried under bureaucracy, where security questionnaires sent to vendors feel long and cumbersome.

Just about everyone in the industry knows these questionnaires no longer work. Despite their ubiquity, most people on both sides of the table—those issuing the questionnaires and those completing them—agree they are far from effective at assessing risk.


Standards like the Consensus Assessment Initiative Questionnaire (CAIQ) and Standardized Information Gathering (SIG) started with good intentions, but they’ve grown into large behemoths. By attempting to cover every possible security control, these questionnaires overwhelm respondents with hundreds of questions spanning countless control families.

In the effort at comprehensive due diligence, security professionals have lost sight of what truly matters: the ability to identify and manage the risks relevant to specific use cases.

Why questionnaires are failing

Security questionnaires have been around for years, but their effectiveness has been rapidly diminishing. They were never designed to handle today’s complexities, and their shortcomings are now all-too-evident. Here are some of the highlights:

  • Static data: Security questionnaires offer only a snapshot of a vendor’s security posture at the moment they’re completed. They don’t account for ongoing changes, leaving buyers with outdated or incomplete information by the time a vendor relationship begins.
  • Trust issues: Responses are self-reported, leaving buyers to take vendors at their word. Without a way to verify the information, trust becomes a gamble—and research shows that only 34% of third-party risk management professionals trust questionnaire responses.
  • Superficial evaluations: Completing a questionnaire often becomes a box-checking exercise. Vendor partners who simply fill out questionnaires are labeled “secure,” with little effort made to verify the responses or request improvements where needed.
  • Resource strain: Completing questionnaires presents an enormous burden for security teams. Gathering data, routing approvals, and addressing hundreds of questions for every prospect can take 5-15 hours per questionnaire. Multiply that by dozens—or hundreds—of incoming requests each month, and it’s clear how much time gets drained from already stretched teams.

Less is more

Here’s an idea that challenges our old ways: focus on what actually matters. Zero in on the controls that directly impact operations and risk tolerance.

The reality is most organizations don’t need to evaluate hundreds of controls—they care about a select few that are directly relevant to their operations and risk tolerance. Effective due diligence isn’t about covering everything: it’s about covering what counts.

Rather than casting a wide net and assessing every detail of a vendor’s security program, buyers should focus on the essentials: Which controls matter most? What systems alert the team to changes in those controls? What’s the worst-case scenario if those controls fail?

An honest, focused conversation about these points yields far more insight than a 20-page questionnaire. It can shift due diligence from a burdensome exercise into a productive dialogue. By narrowing the scope, we can extract meaningful information, minimize noise, and streamline the process for both parties.

Scale with transparency

While personalized conversations are ideal, they’re not always scalable. Buyers and sellers alike juggle resource constraints, other security priorities, and multiple vendor relationships.

Picture a digital ecosystem where sellers proactively showcase their security posture in real time—eliminating the need for static questionnaires. We need to foster proactive transparency. Sellers should focus on making their security information readily accessible, continuously updated, and easy to consume, allowing buyers to self-serve the details they need, exactly when they need them.

Companies need to establish always-on security verification with continuous controls monitoring. Instead of waiting for a questionnaire to unlock static, point-in-time data, sellers can make dynamic security documentation available in real time, and the vendor’s security controls can be monitored on an ongoing basis. When controls fail, teams can review those alerts alongside the other internal alerts they already review regularly. Sensitive information can still sit behind an NDA, but it has to be organized, searchable, and constantly updated.

Transparency hubs are an excellent way to centralize and bring all of this to life. By consolidating security documentation in a single source of truth, sellers can share relevant information proactively and allow buyers to self-serve the details they need to evaluate risk.

A win-win for buyers and sellers

A transparency-first approach simplifies due diligence for everyone. Sellers reduce distractions, allowing their security teams to focus on higher-value work. This in turn improves productivity, accelerates deal cycles, and builds stronger trust with buyers. Centralized security information eliminates redundancies and ensures efficiency across the board.

For buyers, continuous monitoring offers real-time access to up-to-date security data, reducing friction and speeding up vendor evaluations. Self-service access to relevant information streamlines the process, while subscription updates ensure buyers stay informed as changes occur. By shifting to a dynamic, transparent model, both buyers and sellers benefit from a faster, more collaborative, and trustworthy system.

Jadee Hanson, chief information security officer, Vanta

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
