Back to Blogs

How Information Security Teams Can Be a Strategic Business Partner


Information security’s never had such a big influence on the sales cycle. Data privacy and cybersecurity have become big drivers of B2B purchase decisions thanks to frequent high-profile data breaches. So, for cloud-based or online services providers, the information security (infosec) team has suddenly become a very valuable sales resource. When prospects are preoccupied with data and cybersecurity concerns, infosec teams' expertise offers a strategic value-add that can help sales close more deals faster, particularly when it comes to responding to security questionnaires.

What Data and Regulations Like GDPR Mean for Sales

Procurement teams have good reason to tread carefully. Sixty-one percent of U.S. companies surveyed for the Ponemon Institute’s 2018 Data Risk in the Third Part Ecosystem Study said they’d experienced a data breach caused by one of their vendors or a third party. And those breaches are really expensive. Data breaches cost American companies $8.19 million USD each. There are also hefty fines involved with breaking from data protection regulations like GDPR, the California Consumer Privacy Act, and PCI DSS. Non-compliance with GDPR, for example, can cost companies up to €20 million or 4% of a company’s worldwide annual revenue of the prior financial year (whichever is highest).

To mitigate risk, procurement teams are putting a much greater onus on vendors to prove that they don’t pose a security risk, especially when it comes to data protection, before doing business with them. According to Cisco’s 2019 Data Privacy Benchmark Study, 87% of organizations (up from 66% the previous year) have delays in selling to prospects while they look to make sure their vendors and partners have adequate answers to their privacy concerns. So, if your company is experiencing delays in its sales cycle due to data privacy, it’s not alone.

“Security questionnaires are getting deeper and deeper. It’s not enough to give these high-level answers anymore or you will get kicked out. Anytime you can get security or IT people involved to help with this process, that’s huge.”

Why Security Questionnaires Matter More Than Ever

Security questionnaires have become a more common part of that lengthier sales process as buyers look to dig more deeply into technical security details when vetting vendors. They can be quite long – it’s not unusual to see 1,200-plus questions – but each and every question matters because the quality of the responses could very well determine whether or not a deal closes. So, it’s really important to make sure that responses are detailed and well thought out. That’s where infosec teams come in.

Learn how Bugcrowd cut down its security questionnaire response time by 50%

“Security questionnaires are getting deeper and deeper. It’s not enough to give these high-level answers anymore or you will get kicked out,” says Linda White, Director of Cybersecurity at New York-based software company UiPath. “Anytime you can get security or IT people involved to help with this process, that’s huge.”

Check out this presentation Linda gave at Loopicon19, Loopio’s first-ever customer conference, on why Security questionnaires should be a part of your sales strategy.

As the foremost subject matter experts (SMEs) on cyber and information security, infosec teams can be an effective business partner to sales and proposal teams by making sure the content they’re using to respond to security questionnaires is always up-to-date, accurate, and trustworthy. But they need some help to do it effectively.

How Infosec Teams Can Be Enabled as SMEs

1. Centralize Security Knowledge. Putting security content into a single location is important, especially when dealing with a high volume of security questionnaires. If your company uses a software solution to store your content, it should be intuitive and easy to use. Whether a platform is used or not, the goal is to make finding your content effortless.

2. Make Content Easily Navigable. The content library should be structured with simple, easily navigable categories. For example, categories might be created for customer-facing documentation like white papers, SOC reports, MPT, summary reports, etc. The key here is to make content maintenance as easy as possible.

3. Create workflows including review processes. Infosec teams, especially the chief information security officer (CISO), likely have many demands on their time. So, to ensure they’re as effective a resource as possible for sales and proposal teams, regular review cycles should be established for updating security content, and approval chains applied to the process to keep everyone involved honest.   

Having information security teams take complete ownership of curating security questionnaire content is key. And by observing the above, they’ll be able to avoid issues around content discovery, duplication, and maintenance. That is particularly important as your company continues to build out its security content by responding to more security questionnaires over time. Remember, security questionnaires will always be different based on who is delivering them. 

“If you’re working in a fast-paced, chaotic environment, which most of us are, garbage in, garbage out,” says Linda. “If you don’t have a content curator, or if you don’t have someone to manage this data, it’s not going to work.” 

Download Resource

Recommended Reading
Back to Blog