Ask HN: How small startups deal with long security questionnaires from clients?

I had a great experience with Stacksi, they helped both created the policies and answer the questionaires semi automatically based on the policies.

I ran sales for a start up and as much as I hated these types of questionnaires - it was a huge competitive advantage to have someone who knows their stuff (a founder who wrote most of our code) complete them fast and get them back.

It's competitive out there. Using an advantage to your company's benefit as a founder is your job - not work that is beneath you. Fill it out and bring some money in.

Use them to start to build some standard policies for your company - there are also some certifications that are very light weight and will get you into a shape where you have answers to most of the questions already (e.g. in the UK you can do Cyber Essentials).

Build up a database of the questions and your answers so that you already have most of the answers close at hand.

Unfortunately it's a cost of doing business and as someone else pointed out. If you've reached the stage where IT is sending you questionnaires you are probably very close to closing the deal.

The size of the deal should make filling these things in just an inconvenience.

a) maybe they're not good clients for you, consider taking down their contact info and getting back to them when you're bigger

b) save your answers, make a common security practices document that you provide and ask the clients to get back to you with any gaps or questions

Ok, so I actually had to deal with this.

Pick some sort of standard, for example CAIQ and have an always-up-to-date version of it. You’d be surprised how many customers would accept it if you tell them “hey - we use a standard - is this acceptable?”

After that - figure out what certifications will be advantageous. Then automate, automate, automate with something like Hyperproof/Vanta. You will still need a compliance person or more likely a team at that point, so those certs have to unlock some serious money. Otherwise - just stay on top of VSA’s until running a compliance program makes sense.

Just don’t fall for the baseless “SOC2 equals enterprise customers” spiel. Analyse your pipeline and regulatory environment and make a call based on that. So many startups spend millions running a compliance program that brings in thousands.

I'll throw out a slightly different opinion than I'm seeing so far. As a really small startup, you might not want these types of customers. They're going to want custom contracts that need legal review, things like 24 hour bug fix guarantees, etc. It's certainly worth it at some point for that those big enterprise plans $$$, but you might not be ready to support someone like that until you're a bit larger.

It's important to prioritize security while being efficient. Consider using standardized security frameworks like SOC 2 or ISO 27001 to streamline the process and demonstrate your commitment to data protection.

I work in this space. This is only going to continue this way. Companies are increasingly worried about their data, both from a reputation standpoint and a legal standpoint. Even with a SOC2, many companies will simply issue a questionnaire out of policy. It cost them nothing.

My biased answer is to use one of the SaaS products that automate this (I work for one).

If you don’t want to use a 3rd party, they do become easier over time. They’re still a mental drain to do manually, but you’ll find patterns in the questions that you’ll learn to answer pretty easily.

IMO, if you want to work with these large enterprises, you will need to hire someone that can do this fast, and be ready to answer many and many of their questions and remarks. They do pay well but there is also a lot of work. But I do believe that the better you answer those and the more professionalism you show, would reward tenfold with such companies.

Ignore clients who bring you more worries than money. Hire someone to answer these questions. If the income from such clients does not cover the salary of such a person, ignore such clients. Another approach is to create a template document describing your security practices based on an analysis of such questions, and send it in response to such questionnaires with a cover letter saying that you are very sorry, but answering the questions takes too much of your time and it'll be a pity to lose a client if this PDF is not enough for him. In any case, all that paper exists to cover someone's ass, no one will read your answers.