May 11, 2020
The Sales Team and Vendor Risk Assessments – Less Scary Than You Think
A Vendor Security Assessment can be a black box for sales teams, but it doesn’t need to be. More or less every sales team that I’ve ever been around has feared a security assessment as a potential surefire way to delay or even kill your deal.
Now that I’m in the belly of the beast, I can confidently say that dealing with Vendor Risk teams can be a smooth process and one that gets your deal closed as quickly as possible.
Vendor Risk teams are not faceless monoliths within the organization. Even the largest enterprises have only 3-10 individuals working on vendor risk assessments. Many mid-sized companies (500-2,000 employees) will only have one person completing assessments.
In the same way that Sales teams confidently navigate the Legal and Procurement process, they can do the same with Vendor Security Assessments.
Here are a few things to think about when engaging with your potential customer on Security Assessments, which can help speed up your deal.
1. Industry-Accepted Documentation: The number one thing a selling organization can do is suggest that the customer accept a standardized questionnaire that you have already filled out. Occasionally a customer will want you to fill out their proprietary, customized questionnaire, but 80% of the time the customer will accept a SIG Questionnaire or some other industry-accepted questionnaire. Typically a Sales organization is scared to ask this question because they just want it done however the customer requests. However, in many cases, asking will speed up the process for both sides.
2. SME to SME: Have your technical Subject Matter Expert (SME) engage with the customer’s Vendor Risk team. In a parallel process during legal review, Sales organizations often try to have their own lawyers engage with the customer’s lawyers to discuss contract changes (rather than having them passed on through multiple middle layers). This will increase the level of trust between the two teams and usually get to resolution faster.
3. Honesty Is The Best Policy: Be honest about your shortcomings as an organization. For instance, if a question is asked: ‘Do you use an electronic key card for access to your office?’ and the answer is ‘No’, don’t answer ‘Yes’. As simple as this sounds, so many organizations try to obfuscate or hide the state of their security practices. For one, this creates a major liability if there is an incident. Second, if the reviewing team figures this out, that does a lot more damage than being truthful in the first place would have. Lastly, many vendor risk teams will agree to accept future changes in your security posture even if you don’t have the necessary controls in place prior to your deal being closed.