GRC Destroyer #6: Hacking Security Questionnaires for the Low ($$$)
Quick 3-step game plan for a modern-day "trust" strategy for the low ($$$). Hot take at the end. Can't wait for the impending DMs on this one - I'm not going to buy anything, you savages.
This is not professional advice (even though it’ll probably work). Just my thoughts, not my employer’s.
I believe that most TPRM (third-party risk management) is not going to solve anything. To me, “trust” is a documentation game - grown-ass adults doing a never-ending homework assignment. “Trust” is a RevOps game. I could write 10 blogs about how broken TPRM is, how we need better audits or standardization, etc., but who cares.
STEP 1: Get Your Ammo
Basic Audits ($10k-$15k a pop)
You’re going to need at least a SOC 2 Type 2 and/or an ISO 27001 audit under your belt for this strategy to work. I use Anecdotes (although all the compliance tools probably have this), so I can export a more detailed version of a SOC 2 report internally. You want to know why? A SOC 2 report looks like this:
All it shows is your high-level control description.
The deliverable I’ll produce in Anecdotes has the control description and the control implementation, which is the description of how we actually perform the control. Since I’m already doing this for the audit, I might as well leverage it elsewhere, specifically because these control implementation blurbs answer a lot of the questions on the questionnaires.
Once the audit is done, I’m putting the full report on a trust center and feeding it into a knowledge base LLM (more on that below), and I’m putting my internally exported version into that same knowledge base LLM.
CAIQ FULL (Free)
Basically, you’re going to fill out a full CAIQ (Consensus Assessment Initiative Questionnaire) from the CSA (Cloud Security Alliance) website. It’s around 300 questions, and some of them are pretty difficult to answer. The move here is to only provide responses to the questions you can answer well - you want solid responses that speak to what you’re doing. Forgo putting in a bullshit answer, because that’s going to poison the LLM down the road (MORE ON THAT LATER).
SIG FULL (Free or $6.5k)
I think they charge $6,500 a year to officially use their questionnaire. If you’re still reading this blog, you’re probably getting enough questionnaires from customers that you might be able to get your hands on the full assessment from one of them. Otherwise, there are other products that will allow you to fill out a full assessment without the need to sign up for SIG directly.
Previously Answered Questionnaires
You may or may not have these. If you’ve answered a questionnaire well, export it and feed it into your knowledge base.
Product Security Whitepaper
Write a robust product security whitepaper that answers everything about passwords, authentication, access control, etc. It’s crazy how easy this one is.
Creative Documents
I’ve noticed that traditional policies don’t really answer the questions prospects are asking in security questionnaires. One alternative is to create a commitments Q&A for specific areas like access control, disaster recovery, etc. Just maintain a “policy” that answers 20 important questions about your access controls and update it on an annual basis.
Another thing is to list all the compliance-related activity you’ve done that year with a two-sentence write-up. For instance, “we tested our incident response plan in November 2023 and this was the result”. Just make a table that has it all - BC/DR, internal audit, pen tests, whatever you want.
STEP 2: Get you’s an LLM ($5k-$15k)
Play stupid games, win stupid prizes - well, it’s 2024 and we answering a shit load of questions, so we gonna need some AI FOR THAT - and the prize we will win is not stupid - it’s DEALS BABY. I LIKE some products out there right now for this. Shout out to Whistic for building a knowledge base LLM into their platform. I also love a newer company called IRIS that’s thinking about the knowledge base LLM idea in a really cool way. IRIS is by far the most intentional product I’ve seen thus far - although this is gonna be an AI arms race. It’s pretty logical to use AI for this problem - AI is good for solving bullshit problems like this. I’m assuming there are at least 10-20 companies that already do what I’m talking about.
The idea is that the LLM ingests everything and then answers the new questionnaires for you. It does work, I’ve seen it work well, and it works a lot better than legacy text-recognition-based tools. You have to get your ammo right though - it’s the classic problem: bad data in means bad data out.
STEP 3: Be somebody, try to dodge the questionnaire altogether (FREE)
Probably the most legit hack in this blog. Force a call with every TPRM team and ask why they need the questionnaire, what else you can do instead, how their life is going. Do you like doing this?? Hitting a human chord with these teams goes a long way. It’s obviously thankless work. Getting on the call has saved me several times - more than any tech solution out there, tbh.