
Host: Good morning, welcome to BSides Las Vegas Common Ground. This talk is "Escape the Questionnaire Quagmire" by Katie Ledoux, who works for Rapid7. A few announcements before we begin. We'd like to thank our sponsors, especially our Inner Circle sponsors Critical Stack and Valley Mantle, and our Stellar sponsors BlackBerry, the National Security Agency and Secure Code Warrior, among other sponsors. It is their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, except for in Underground. As a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent, and if you have a question, we will have you use the audience microphone, which I am holding, so YouTube can hear you. Please raise your hand and I'll bring it over. For this talk, do you want to do questions at the end, or questions in line? Okay, so questions during it are fine. If you have one, raise your hand and I'll bring the mic over. And with that, let's get started. Welcome, Katie.

Katie Ledoux: Good. Okay, let me know, because I can yell a lot too. So I am Katie. I am the senior manager of trust and security governance at Rapid7, and we are all here today because of a fun thing called information security questionnaires. We know them, we love them. And for anyone who is not familiar with what I'm talking about at all: third-party security risk management requires collecting a ton of information from vendors. So if, for example, you want to buy a Rapid7 solution, you very reasonably might want to know how we might be protecting any of your data that we are storing. But how do you, or your risk management team, collect enough information to make that call, to really know: can I give this vendor the green light, or are we taking on too much risk by working with them? Today, the way a lot of these companies go about collecting that information is they send a giant InfoSec questionnaire to the security team at the vendor company.

And like everything we do at Rapid7, we want to address these questionnaires in the way that we think is best for our customers. And intuitively we might think doing what's best for our customers is the same as doing exactly what our customers are asking us to do. So in this case that would mean following their request to a T: they send us a questionnaire, ask the security team to fill it out, we fill it out. They say jump, we say how high. But I want to dig into whether that approach actually is what is best for our customers, because there are some consequences to taking this approach.

So one of those consequences is slowed security maturity. These questionnaires are very time-consuming. I actually am just wondering, who has done no security questionnaire? Who's worked... okay, okay. So you know the problem statement; it was everyone, YouTube. So these are very, very time-consuming, as you know, and while you are working on them there is a ton of work in your backlog that you are not touching. So is deprioritizing meaningful security work doing what's best for customers? Meh, it's not.

Problem number two: our team is not engaged by this work. This is a team of security professionals; filling out spreadsheets is really not fulfilling to them. So is letting some of our most talented security professionals leave our company doing what's best for our customers? Again, I do not think it is.

And thirdly, there are some quality control concerns here. So human error happens, and I know from experience it's very likely to happen when you're three quarters of the way into an 800-question questionnaire. So in addition to the fact that it's just grueling, you can make mistakes. Some of these questions are really ambiguous and vague. A lot of these companies are sending the same questionnaire to every company, so if there's just a generic question about "what are your password complexity requirements," one analyst might read that to be our corporate environment password complexity requirements; another analyst might think that means what are the password complexity requirements for a user who's logging into our solutions. It's too subjective; there's too much opportunity for misinformation to get in there. So again, it's another way that I don't think this approach is really what's doing best for our customers. We don't want to be giving them misleading or confusing information.

So with all those things in mind, we thought that there might be a better way to handle these inquiries, something that was both better for us and also, most importantly, better for our customers. So we started down a new path. This is also the only meme in my entire presentation. I am a grown adult woman now; I used to use exclusively memes, now I'm on to stock photos. So we invested a significant amount of time creating documents that address our security FAQs, the stuff that you see over and over and over in all of these questionnaires, and we had a plan: when a customer asked us to fill out their questionnaire, we would send them our documentation, and we would ask them to review that first and then let us know if they had any remaining questions.

The documentation that we included in this sort of security package of docs: first, an overview of the solution, some information about the product. You have to remember that the team that is doing the risk assessment is probably not the same team that is buying your solution, so giving them some context is great. And also remember you don't just sell them on the business value. The risk management team is probably not the one deciding which vendor to use, but they can stop you from using a vendor that's very risky. So information that is relevant to them is not really the business value but more: what data types are being collected, what's the data flow (if you can do data flow diagrams, those are huge), required integrations and permissions. Also, as someone who does vendor assessments, these are always impossible to find, like my third email to some random person there where I finally find out what permissions this solution needs. And any security features built into the product: does it integrate with the single sign-on solution, whatever they use, or are there RBAC features in there, that sort of stuff.

Secondly, of course, an overview of the InfoSec program and controls. So white papers are my favorite way to just give a big-picture overview of the program. It gives you information in much more digestible content than a bajillion-line SIG questionnaire. We have a white paper for our corporate environment and for our product environment, which is a helpful breakdown for customers. Standard questionnaires: if you have had to fill one of these out for a customer and you actually feel really good about the content in there, like it's been reviewed adequately, there's nothing wrong with just proactively sending that to more customers. They might take that instead of their custom one. We also send an overview of our business continuity plan, our full set of InfoSec policies and our data retention schedule, because it does make sense: your customers want to know how long are you keeping our data, how are you destroying it when you don't need it anymore, how could I get an exception to that process if I wanted to speed it up, for example. So that's what we include. And then lastly, obviously, third-party attestations: pen test letters of attestation, SOC 2 report. It's one thing for us to say, oh, we've got so many great security controls in our environment, everything looks great, just checked it out this morning. It's another thing to have a third party come in and test that those controls are in fact working as designed.

So, executing on our plan. It is Q3 2017 at this point when we make the decision: we're gonna stop just filling these out and we're gonna push back with all of those documents. And in our first quarter of doing that, 50% of these assessments are closed out with docs alone, and I am simultaneously incredibly relieved about how much work we are saving ourselves and so angry at myself for not doing this sooner, because that is so much work. So even just with this first group that we're sending the documentation, they have no follow-up questions, it's totally done, we've cut our work in half.

Second group of people, and this is my favorite group: they accept the documentation, they look through it, and then they have a few targeted follow-up questions, really thoughtful questions about how it could impact their unique environment. And actually this group is great too because they ask questions about things we didn't include in the docs, and then we can add them and make the docs better. So obviously I loved this group because they're not doing a check-the-box activity; they're actually assessing the risk. But of course, five follow-up questions is different than an 800-question questionnaire. So much better, so much less time.

And about 15% of our customers still required we complete their security questionnaire from scratch, and a lot of times that was because their vendor management solutions would only accept info in a certain format, which I have strong opinions about because I don't think that approach works. But we're also a smaller company compared to a lot of our customers, so the amount of vendors that our team is managing is really different than some of our Fortune 50 customers, so I do feel their pain in that respect. But we still got this 15%; we're filling them out from scratch, so they're getting the accurate information they need to do their assessments well, we are getting so much time back to actually do security work, and another plus for everyone is the process of doing the security assessment is actually going much, much faster now.

So this is 2017. This green line here is the number of tickets, so you can see as we're getting into the end of the quarter, not surprisingly, we're getting more and more tickets, more and more deals. And in Q3, when we start pushing back with documents, despite the fact that we're getting more tickets, we are still cutting the amount of time it takes us to close out those tickets by more than fifty percent. So that's great for customers. I know from experience doing vendor assessments, I don't want to be a blocker; I want to get the assessment done as quickly as I can to enable the business. And obviously sales loves us, because cutting five days out of the sales cycle can be the difference between a deal getting done in Q4 or getting pushed into Q1. So everyone is very pleased with this amazing progress.

But there is still more that can be done. We are riding the high of the success and we're still wanting to make improvements on it. So up next we make a little change in our workflow. Initially these questionnaires were coming to us through sales and through customer success, whoever's customer facing, and going directly to InfoSec. We are adding a new team into this workflow: the content strategy team. Rapid7 does a lot of sales documentation, so they fill out RFPs, scope of work documents; they are documentation professionals. So a questionnaire comes in through sales, goes to content strategy, they push back with the documents, and 50% of the time we never deal with it again. Love it. The other 50% of the time, if they have a few follow-up questions or need to do the whole questionnaire, the content strategy team takes a first pass at filling that out, and they are able to do that because we have put all of our information from our documents and from our FAQs into their knowledge base. They use a solution called Ombud, but there are tons of these knowledge bases out there, and there might be one that is in use at your company today that you just don't do anything with now. So it might not even involve bringing in a new solution; it might just involve you putting your information into a solution that's already being used by a team that already exists. I mean, for the first two years I worked at Rapid7 I did not know that a content strategy team existed, and this has turned into one of the most effective partnerships I have experienced in my four years there.

So this is the same chart that we looked at before, but now instead of just 2017 we're going out into 2019. This is that same line we looked at when we started pushing back the docs, and over here... I have a mic, I can walk around, right? Okay. So over here we kind of started experimenting with that new workflow, but we didn't want to force a cutover in Q4 because Q4 is crazy. So this is when we started forcing sales to use the new workflow, and as you can see we have gone from taking nine days to close out these assessments to getting them closed out in less than one day. So that is delightful for everyone involved. Also, just a quick pro tip: if you do track this at your company, I would strongly recommend using the median, because initially I was using the average and I did not see a trend, and then I used the median and I was like, ah yes, there it is. Because you always have that one random ticket that's open for three quarters that screws everything up.

So, tips for doing this effectively. Something that I could have done better: there was a lot of friction initially with sales because of that problem we talked about before, where it's very counterintuitive to do something that is different than what the customer is asking you to do. So we did eventually meet with sales leadership. We had some great stats on how this actually reduced friction in the sales cycle, it shortens the deal cycle, and we got their buy-in, so that if someone in sales was like, "hey, the security team says they won't fill this out, but I'm not sending over this documentation, they told us to fill it out, someone needs to fill this out," that gets escalated too. And also I totally get where they're coming from. I know the person who has to tell the customer "we didn't fill it out"; that's someone in sales, and that can be an uncomfortable experience for them when they don't have this big-picture context. So once we got that buy-in from sales leadership, everyone was on the same page, like, oh no, we know why you send the documentation, actually customers like the documentation, you should do that first, that's the process, we know it works. But we did that pretty reactively, whereas if we had thought up front about what teams need to have buy-in in this new workflow for it to actually work, we probably would have done that a lot earlier on.

Obviously, partner with marketing. You're making documents; make the documents look nice, make the content digestible. The whole point here is to make our customers feel confident working with us, so having nice-looking documents helps. Obviously, automate. We do this as security professionals wherever we can because we're very busy. We had a nice macro in our ticketing system that would just automatically attach all the docs, so we could customize it based on what type of a customer they are. Lots of opportunities to automate this workflow. You're gonna want to assign owners to every single piece of content, whether it is in your knowledge base or it's a white paper or something else. Your security program is changing all the time and you want to keep this information up to date, and it's really a lot of work to do that, so it really needs to be someone's actual job, an actual responsibility. And lastly, make the content self-serve wherever you can. Why not? If someone can complete their entire vendor assessment just by looking at stuff on your website and you never engage with them, great, that's better for everyone. You can do security work; they can get their whole vendor assessment done without having to go through sales and then security. That's wonderful. So we have trust.rapid7.com. Everything from that security documentation that is available without an NDA is on this website, and also, if you need the SOC 2 or you need some other piece of documentation, the NDA is also self-serve on the website, so that keeps things moving.

In terms of what's next, the most important thing that we're gonna be focusing on next, and there's actually two: enablement sessions with the content strategy team. That sales documentation team is very... yeah, we work in a security company, so this might be unique, but they are really into learning more about security and active products we have going on. So we're doing enablement sessions with them so they can answer questions in a really thoughtful way and reduce the amount of questions that are trickling through to the security team. And I'm very excited about enablement sessions with sales. They're totally bought in on the documentation, by the way. We just had a quarterly business review with the content strategy team and they said that when sales comes to them now they're not saying, "hey, will you fill out this questionnaire," they're saying, "hey, can you send over the docs." So they get it. But what we want to do now is work with them to move the vendor assessment process earlier in the deal cycle. So instead of waiting until the deal is about to close and the customer just found out that this is part of their procurement process, and there's a rush to do it right before the deal is supposed to close, bring it up really, really early on in the deal cycle. And also, if your security posture is really good, if your documentation is really good, use that to your advantage; use that as a competitive thing that you have that your customers don't.

So also, I don't have a bullet for this, but there has been lots of chatter about, and also just as I've been talking to other people about this at other companies, whether it might make sense to come up with a cutoff, a deal size cutoff, at which you would say, hey, if you're not spending a certain amount of money with us, we are not going to fill out your questionnaire. This is not something we have in place right now. I know it's very controversial because the amount of risk you are introducing to a company has nothing to do with how much money they're spending on your solutions. My thought on that is, I think that it is okay as long as you have a really thoughtful exception process to that rule. If they maybe are doing some sort of a unique implementation, or using a different solution than the rest of your customers, maybe something really niche that you offer and you don't have proper documentation on that, it's really not fair to say, okay, well then you just have to trust me because I'm just not going to tell you about our security controls. But if you do have the documentation, and you have to scale, right, like if you have a very, very, very small services engagement or something and a customer wants to spend 40 hours talking through security controls with you that you have already written down somewhere, it might make sense to have some sort of a process in place to draw the line. Again, not something we have in place today, but I know it's something a lot of people in this space have been talking about, so it is what I would call a spicy meatball. So I'm the owner, and let's talk more about this, but also I would love questions. Yes.

Host: Oh wait, I figured I'd give you a microphone.

Katie Ledoux: I did save five minutes for questions.

Audience member: Have you done any mapping to different regulation standards, controls and questionnaires, so that if they feel like it wasn't answered in your documents you say, yes, actually it maps directly to this one?

Katie Ledoux: That's a good question. So we do have a full SIG filled out for our bigger products, and we haven't mapped our SIG questions to, what is it, a CAIQ or whatever that one is, the Cloud Security Alliance one. We haven't done that so much. It's like, if we have it completed we will give it to you, but it is weird. I feel like if they're being specific enough to say "you didn't..." that rarely happens to me. Like if they're being specific enough to say, oh, you didn't answer that question, and I can say, oh, I did; if they're actually reading the documentation, the follow-up questions are generally, oh wow, we didn't cover that, yeah, I could definitely talk to you about that specific thing. I tend to get either "I want you to fill out the whole thing from scratch" or the follow-up question. So yeah, we haven't done that because I don't think we have that problem too often, but it is interesting. I think for various compliance frameworks it'd be interesting. We definitely map how our tools help our customers meet different compliance framework requirements, so it'd be interesting to see if we could do that for our internal security program.

Audience member: So when you're answering questionnaires (great shirt, by the way), which I get bombarded with from major companies, how do you draw the line with what is too much information to tell the vendor that sent you the questionnaire? Like, I can tell them, oh, my OS is this, how many servers I've got, real specific data, but I feel that they don't need to know this information. And do you decide that information yourself, or does some other security team decide what is actually proper to be shared out versus not?

Katie Ledoux: Yeah, I mean, I would say that we have our sweet, sweet NDAs in place and we err on the side of sharing more information than less. We definitely have situations, questions, where our response is to explain why that information... and again, same questionnaire to every single vendor. If we can explain, hey, the answer to that question actually does not help you understand the risk of working with our company, that is generally how we would go about it. We don't want to share more information than we need to; we want them to have every single piece of information that they need to actually calculate the risk, but no more than that. And we do all the time say, hey, it just seems like based on the scope of work this isn't relevant, but let us know if you want to talk more about that. And we don't get pushback on that very much.

Audience member: Yesterday at the BSides Sisu event this issue came up, and what one of the CEOs recommended is that the companies charge a fee for non-standard questionnaires.

Katie Ledoux: Was that my CISO at my back?

Audience member: No, it wasn't, but this is a problem that's endemic.

Katie Ledoux: Yes. That actually, so that's another thing I've heard discussed a lot: will we say we won't do it under a certain deal size, or will we charge to complete them. I would say at this point we have definitely talked about that. The logistics of that seem pretty challenging for us specifically. I know of other companies too where they specifically will actually say anything beyond this many engineering hours we will start charging for, whether that is support beyond the regular support amount or something else. It is a framework that companies use; we don't use it yet.

Host: Okay, I think we have time for just one more question, and everybody can feel free to catch up with Katie afterwards.

Audience member: Hey, just curious if you considered, as you have to scale more, any of the maturity models that are kind of for highly regulated industries, like DoD is kind of trying to push one through this year. It's just, rather than do this hand-to-hand combat, which it seems like you've sliced sometimes very well, getting that cert and you can just show your merit badge.

Katie Ledoux: It is, actually. I am talking to customers all the time about, if we do this cert, then what do we unlock with this cert? It is interesting to me. We have a SOC 2; I think next on our roadmap would probably be ISO 27001. It is really interesting to me that, talking to peers, for how many people that does not seem to reduce, especially that 15 percent who says, okay, great that you have that certification, but there's only one way for me to import information into my risk management system and it's with this questionnaire. But I do think, honestly, a company that I think does this really well is Atlassian. They will not answer your questionnaire; they do not care how much money you have; and they also have every certification. It's like, okay, yeah, what control hasn't been tested by a third party? Like, I have certs on certs on certs. So I think they can really get away with that. Like, if you can't accept those and you really need a junior security analyst to write down the answer to believe it, I think that's a you problem, and Atlassian is still thriving. I would say maturity-wise, for our internal security team, we aren't at their level yet; we don't have certs on certs on certs, so I'm still gonna keep answering these until we have those. But when our trust page looks like Atlassian's trust page, I'm never gonna answer another questionnaire again. Oh, that's actually... but the knowledge base solution that our content strategy team uses does predictive answering, so they're not even copying and pasting, they are thriving, they're just auto-populating. Gonna go sit in a hammock now, everyone's living their best life, it's great. I should be sponsored by Ombud; if anyone knows anyone there, get them in touch.

Host: All right, thank you, Katie, very much for your great talk.