< Back to Blog
3 Reasons Why Enterprises Hate Security Questionnaires
Security Best Practices & Advice

3 Reasons Why Enterprises Hate Security Questionnaires

By Noam Maman May 08, 20193 min read

It’s not hard to understand why security questionnaires are necessary. Because regulations like GDPR and NYDFS are holding businesses accountable for their third parties’ cybersecurity, it’s important for enterprises to assess and continuously monitor all vendors, suppliers and business partners. And the initial vetting of any third parties typically begins with a comprehensive security questionnaire to evaluate cyber posture.

But this process is far from perfect. Why do so many companies have trouble dealing with security questionnaires? Here are our top three reasons.

1. They are outdated immediately.

Because the digital world is dynamic and the IT of a company changes rapidly, a one-time security questionnaire becomes outdated as soon as the questions are completed. As a result, the questionnaires don’t provide a true picture of the supplier’s security posture.

2. They take a lot of time.

Let’s say a company wishes to work with a supplier. Typically, the company will send the supplier a lengthy security questionnaire, usually on a spreadsheet, which needs to be completed. When this is finished, the spreadsheet is sent back to the company for review. Often there are additional clarification questions. And so the process typically continues for a long time, until security approval is approved or rejected. In fact, companies report that it takes an average of nine weeks to complete a questionnaire.

Ironically, the process that is supposed to help companies grow instead becomes a business inhibitor. Rather than enabling companies to onboard suppliers as quickly as possible, the security vetting stalls the process. In today’s competitive digital world, companies obviously can’t afford this delay.

3. They require resources.

To assess, track, validate and follow up on security questionnaires, enterprises require a team. In many cases, that team is still not able to review all suppliers, so many fall through the cracks. With some questionnaires including as many as 850 questions, many teams do not succeed in adequately reviewing all the answers as well as they should. Bottom line? Security questionnaires demand lots of people, time and money.


How can companies alleviate this arduous security questionnaire process? Using Panorays’ automated security management platform, companies can customize questionnaires, automate standardized ones like the Consensus Assessments Initiative Questionnaire and easily track responses without using even a single spreadsheet. These responses are combined with an outside-in view of a supplier’s attack surface to provide a complete picture of a supplier’s cyber posture.

Panorays’ questionnaires also take business context into consideration, so that irrelevant questions are removed while others receive greater weight. Because the process is automated, customers have seen their security vetting process reduced from months to days.

Want to learn more about how your company can speed up its security questionnaire process? Contact us for more information.

Noam Maman

Noam Maman is VP Product at Panorays. He develops the product roadmap and works closely with platform users. He is also a foodie, photographer, time management enthusiast and keyboard shortcut explorer.

You may also like...
Top 4 Cybersecurity Predictions for 2022
Nov 23, 2021 Top 4 Cybersecurity Predictions for 2022 Aviva Spotts
3 Quick Tips to Implement a TPSRM Process
Nov 15, 2021 3 Quick Tips to Implement a TPSRM Process Aviva Spotts
Why Cyber Risk is Financial Risk
Nov 03, 2021 Why Cyber Risk is Financial Risk Aviva Spotts
We use cookies to ensure you get the best experience on our website. Visit our Cookie Policy for more information.
Get our latest posts straight to your inbox Subscribe