Bridging the Gap Between Reactive & Proactive Security

The feeling of closing a deal in sales is like reaching the peak of a mountain, incredible euphoria after so much hard work and uncertainty! Before that feeling, salespeople encounter countless obstacles. One of the obstacles along the journey to the peak is akin to arriving at a chasm where the bridge is only half built and unstable. I’m talking about the security review. (Cue the dejected sigh.)

Sales teams and information security teams have been feeling the frustration of security reviews for a long time. As more and more organizations move from on-premise solutions to SaaS and cloud solutions, they realize the importance of managing vendor risk. So the number of security reviews during the sales process keeps rising for many teams. Let’s take a closer look at the half-built bridge a salesperson encounters on their trek up the mountain towards a closed deal. 

The average time spent on a security questionnaire is 5 hours. 40% of the companies Whistic surveyed said they respond to about 12-15 questionnaires per month. 20% of companies said their average was between 50-100 questionnaires per month. If we do a little arithmetic, the least amount of time spent responding to questionnaires per month could be 60-75 hours, but for some it is as much as 500 hours. That’s too much time for the information security team to dedicate to responding to repetitive questionnaires, not to mention the time it adds to the sales cycle. (Poof! That’s the sound of the sale slowly evaporating.)

The bridge’s construction and maintenance are typically monitored by a team that tries to stay on top of security reviews for the sales team, but is usually understaffed and has additional responsibilities. Whistic’s State of Vendor Security survey found that 71% of the time, in an effort to speed up the response, a salesperson will spend time contributing to security questionnaires. Even after the salesperson contributes, 97% of the time the review still requires additional people to assist with the completion. While the sales team tries to help at the bridge and the security team knows they need help, both are often at a loss on how to better span the chasm.

Oftentimes, the information security team adds extra slats and support ropes to the bridge. After manually responding to many questionnaires, the team creates a knowledge base of common questions and answers, a folder of documents, and audit certifications. These methods provide a more efficient way to respond, but only to a certain degree. These materials are often stored in multiple programs and are difficult to manage, and the team has no formal way to keep everything updated and accurate. Answering more efficiently helps, but there is still the matter of answering every single security questionnaire and request.

In an effort to finish the bridge, many forward-thinking companies build out security portals and additions to their websites. These security pages are an excellent attempt at trying to get ahead of security reviews. Unfortunately, the future customer still has to request documents and ask for more information, so they give up quickly and send their own questionnaire and security requests. Despite the security information on their websites, the reviews and questionnaires keep coming.

The common thread through all the above efforts has been reacting to security reviews, but that’s about to change. Instead of reacting, let’s imagine you’re taking a proactive approach with a Whistic Security Profile. You just crushed a demo, the interest is high, and you’re scheduling next steps on the call. Before you hop off the call, you bring up the inevitable security review before they do, and confidently cross a different bridge made of concrete and steel to avoid the bottleneck you’ve been encountering. “I know you’re going to want to do a security review of our company during your evaluation! So I’ll send you and your team our Security Profile that includes all our documentation, pre-completed security questionnaires, and any audits or certifications our security team has completed.” (Prospective customer’s jaw hits the floor.) 

As a result, you stand out against your competition, who are also looking to get the sale. You establish trust early in the sales cycle by providing more than enough information before they ask for it. Now your security posture can be used as a selling advantage and a differentiator, and it can aid your future customer in their assessment of your product and company. You and your company have taken a proactive approach, which provided everything your future customer would typically ask for, plus more!

Reacting to security reviews is frustrating and needlessly adds time to the sales cycle. In comparison, the proactive approach facilitates trust with the customer, frees up internal resources for higher priority items, and empowers sales to give the customer everything they need (security documentation), while simultaneously reducing the average sales cycle. Whistic Security Profile bridges the gap between buyers and sellers, making security reviews easier on both parties. 

If you’re interested in learning more, visit Whistic.com!

Daniel Cabrera

Full Time Practitioner of Life, Living and Helping Others - #UnityThruCommunity

4y

Well written, with a nice, easy-to-understand analogy. Selling is hard enough without a solid "bridge" to bring the parties across that security profile chasm. See you on the other side, Karlie, with Trustwave services!
