Edition e1.0.0
Updated October 9, 2023
Completing due diligence questionnaires can take a significant amount of time, particularly if they are based on international standards, have been customized tightly to your customer's environment or language, or you operate in an environment that processes large volumes of personally identifiable, financial, or otherwise sensitive information.
Here are some of the ways you can make this process less time consuming and stressful for everyone involved.
Don't be afraid to ask for a chat if things are unclear. Due diligence processes can be complicated, and they often include questions and considerations framed in the language of regulators or of the larger enterprise you are dealing with. That framing can make questions confusing or unclear. It's OK to be unsure and to ask questions. If you need clarification, or want to understand what risk or concern a particular requirement is addressing, ask. You may find that the person who sent you the questionnaire appreciates you taking the time to understand before you submit your responses.
Always link the security control to the risk that is being managed. Suppose your due diligence questionnaire asks whether you have a specific type of security vendor device in your network. You don't have much of a network, and you certainly don't have that expensive device.
Before you jump into your answer, consider what risk that device is meant to reduce. You may not have this specific device or architecture, but you may well be managing the same risk in a different way. It's OK that your organization does things differently; your job is to help others understand that difference.
Remember, due diligence is about communicating how you reduce risks rather than meeting a checklist of technology implementation requirements.
Save your answers for later, both for discussion and for reuse. How many times has someone asked you a question and you've replied with something clear and to the point, only to have forgotten what you said a few moments later?
Don't let this happen in due diligence. Write down your answers or transcribe them. Not only will this be useful when discussing them in later meetings, it will also allow you to refine your answers over time, improving the quality of your due diligence responses and speeding up the process.
Remember that this is a collaborative, not hostile, process. It is perfectly natural to feel vulnerable during due diligence. You are discussing your approaches, and any risks your organization may carry, with someone you would like to impress, and that can be an uncomfortable situation. We often become defensive when we feel uncomfortable or vulnerable; it is a primal instinct to protect ourselves.
Remember, this may feel uncomfortable, but done well it should not be a hostile process. The people conducting due diligence often want you to succeed, because they want what you have to offer. This makes the process more collaborative than adversarial, and this shift in perspective can help reframe the discussions and make for a more productive process.
Answer honestly, but be careful with your words. Don't lie. That probably seems obvious, but really, don't do that. Don't exaggerate, and don't describe future ideas as if they were already implemented. These behaviors will come back to haunt you if someone digs deeper or an incident happens. Be concise, and explain the risks and your current approaches. If you describe plans for future improvements, be sure to explain when they will happen and how they will be resourced.
Collaborate internally with those responsible for each domain, control, or area to ensure your answers are accurate. If you are reading this as a CTO or other founder, you may be used to shielding your team from these sorts of questionnaires. They can be a distraction, and you would rather the team focus on operations. When we choose to shield our teams and take the weight ourselves, however, we expose ourselves to more risk. This risk comes from two places. First, we may not know all the answers and may provide incorrect or incomplete responses. Second, we deny the team exposure to security and to why it matters to the company; if they never see this side of the sales process, they will make decisions with incomplete information. By getting the right people to collaborate, security becomes a team endeavor and each person finds they have a role to play, whether that is communicating your processes as part of the answers you provide or understanding and planning the remediation efforts needed to address any gaps.
Translate to their language. Remember that the communication style and conventions we practice in our own organizations may not be the same as those within our potential customer's organization, particularly if it operates at a different scale or in a different geographical region or market. Spend the time to write clearly and concisely, mirroring their communication style if you can. It takes less effort to understand conversations in your own language or style, so meeting your customer where they naturally communicate makes it easier to get the message across.