Ask HN: How do small startups deal with long security questionnaires from clients?
22 points by make_it_sure on June 27, 2023 | 20 comments
Whenever we get a client with around 100+ head count, they ask us to fill in their own security assessment. It takes a lot of time, as it sometimes has 100+ questions.

We also can't deny them, but we're getting tired. We're too small to hire someone for this, and as a founder, my time can surely be used better somewhere else.

How do small startups handle this without getting SOC2?




I ran sales for a start-up, and as much as I hated these types of questionnaires, it was a huge competitive advantage to have someone who knows their stuff (a founder who wrote most of our code) complete them fast and get them back.

It's competitive out there. Using an advantage to your company's benefit as a founder is your job - not work that is beneath you. Fill it out and bring some money in.


Yeah I agree with this. Dedicate 1 to 2 hours of focused work, fill it out, and move on.

This assumes that you're far enough along in the sales process that there's a high likelihood of close (you've already negotiated price and timeline), and the deal value should generally be five figures or above. This means it's worth your time.

Slightly risky hack: you can buy yourself some additional time by answering some questions with "Documentation will be provided separately", and often clients don't follow up to ask for it.


Ok, so I actually had to deal with this.

Pick some sort of standard, for example CAIQ and have an always-up-to-date version of it. You’d be surprised how many customers would accept it if you tell them “hey - we use a standard - is this acceptable?”

After that, figure out what certifications will be advantageous. Then automate, automate, automate with something like Hyperproof/Vanta. You will still need a compliance person, or more likely a team, at that point, so those certs have to unlock some serious money. Otherwise, just stay on top of VSAs until running a compliance program makes sense.

Just don’t fall for the baseless “SOC2 equals enterprise customers” spiel. Analyse your pipeline and regulatory environment and make a call based on that. So many startups spend millions running a compliance program that brings in thousands.


I'll throw out a slightly different opinion than I'm seeing so far. As a really small startup, you might not want these types of customers. They're going to want custom contracts that need legal review, things like 24-hour bug fix guarantees, etc. It's certainly worth it at some point for those big enterprise $$$, but you might not be ready to support someone like that until you're a bit larger.


Use them to start to build some standard policies for your company. There are also some certifications that are very lightweight and will get you into a shape where you have answers to most of the questions already (e.g. in the UK you can do Cyber Essentials).

Build up a database of the questions and your answers so that you already have most of the answers close at hand.

Unfortunately it's a cost of doing business and, as someone else pointed out, if you've reached the stage where IT is sending you questionnaires, you are probably very close to closing the deal.

The size of the deal should make filling these things in just an inconvenience.


We just did Cyber Essentials, as we have no certifications and a customer in the UK required this. Then we thought we could go ahead and get Cyber Essentials Plus as well. At least we can now say we have had a cybersecurity audit from an external party; hopefully it will add some more trust to these endless questionnaires.


It's important to prioritize security while being efficient. Consider using standardized security frameworks like SOC 2 or ISO 27001 to streamline the process and demonstrate your commitment to data protection.


I work in this space. This is only going to continue this way. Companies are increasingly worried about their data, both from a reputation standpoint and a legal standpoint. Even with a SOC2, many companies will simply issue a questionnaire out of policy. It costs them nothing.

My biased answer is to use one of the SaaS products that automate this (I work for one).

If you don’t want to use a 3rd party, they do become easier over time. They’re still a mental drain to do manually, but you’ll find patterns in the questions that you’ll learn to answer pretty easily.


IMO, if you want to work with these large enterprises, you will need to hire someone who can do this fast and be ready to answer many, many of their questions and remarks. They do pay well, but there is also a lot of work. But I do believe that the better you answer those and the more professionalism you show, the more it will be rewarded tenfold with such companies.


I had a great experience with Stacksi; they helped both create the policies and answer the questionnaires semi-automatically based on the policies.


Oh, that looks great. What's their pricing? I don't like that they ask for a demo just to get more details.

OMG, $400/month lowest plan.


Build it into the cost of your product for these customers. Are you charging enough? Consider charging more! What’s your cost per hour of the person filling these out?


Ah, their pricing was different when I was using them, but I recommend reaching out; they were very flexible and easy to work with, and they might do something custom for you.


If only half of their landing page is true about time saving, then it earns this price back already if you do only one assessment per month. Every further one is a bonus...


Seems like their business will take a severe hit from a GPT-4-derived solution.


RFP answering is ripe for being handled by generative AI trained on your product documentation.

Unfortunately, so is the production of the RFP in the first place. So we will end up with machines talking to machines.


I’ve already tried this - it worked great!

Copy/paste my library of security questions and answers into GPT-4, copy/paste the customer question, and the answers were as accurate as a human doing it!


a) Maybe they're not good clients for you; consider taking down their contact info and getting back to them when you're bigger.

b) Save your answers, make a common security practices document that you provide, and ask the clients to get back to you with any gaps or questions.
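The comment above and the earlier one about "building up a database of the questions and your answers" describe the same tool: a library of previously answered questionnaire items that each new questionnaire is matched against, with anything that does not match closely enough flagged for a human to write and then stored for next time. The script below is an added example to show what that looks like in practice; it is not code from anyone in this thread. The stop-word list, alias table, policy names, sample library and sample questionnaire are all constructed for illustration, and the matching is deliberately simple token overlap rather than anything a vendor product would use.

```python
"""Reusable answer library for vendor security questionnaires (added example).

Assumes questionnaires arrive as free-text questions and that every stored
answer points at the policy or evidence that backs it, so reused answers
never claim more than you can show an auditor.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Words that carry no meaning for matching questionnaire items (constructed list).
STOPWORDS = {
    "do", "you", "your", "the", "a", "an", "is", "are", "of", "to", "in",
    "for", "and", "or", "with", "any", "have", "does", "how", "what",
    "please", "describe", "we", "it", "at", "on", "by", "be", "all",
}
# Abbreviations customers use interchangeably with the long form (hypothetical table).
ALIASES = {"mfa": "multi-factor authentication", "2fa": "multi-factor authentication"}


def stem(word: str) -> str:
    """Crude suffix stripping so 'encrypted' and 'encrypt' compare equal."""
    for suffix in ("ing", "ed", "es", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            if suffix == "s" and word.endswith("ss"):  # keep 'access' intact
                continue
            return word[: -len(suffix)]
    return word


def tokens(text: str) -> Set[str]:
    """Lower-case, expand aliases, drop stop words, stem; returns a token set."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    expanded = " ".join(ALIASES.get(w, w) for w in words)
    return {stem(w) for w in re.findall(r"[a-z0-9]+", expanded) if w not in STOPWORDS}


def similarity(a: str, b: str) -> float:
    """Jaccard overlap of two questions' token sets, from 0.0 (disjoint) to 1.0."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


@dataclass
class Entry:
    question: str
    answer: str
    evidence: str  # policy section or artefact that backs the answer


@dataclass
class Draft:
    question: str
    answer: Optional[str]
    matched: Optional[str]  # closest library question, even when rejected
    score: float
    needs_review: bool


def draft_answers(library: List[Entry], questionnaire: List[str],
                  threshold: float = 0.4) -> List[Draft]:
    """Reuse the closest stored answer; flag anything under the threshold for a human."""
    drafts = []
    for q in questionnaire:
        scored: List[Tuple[float, Optional[Entry]]] = [(similarity(q, e.question), e) for e in library]
        score, best = max(scored, key=lambda t: t[0], default=(0.0, None))
        if best is not None and score >= threshold:
            drafts.append(Draft(q, best.answer, best.question, score, False))
        else:
            drafts.append(Draft(q, None, best.question if best else None, score, True))
    return drafts


def record_answer(library: List[Entry], question: str, answer: str, evidence: str) -> None:
    """After a human answers a flagged item, store it so the next questionnaire reuses it."""
    library.append(Entry(question, answer, evidence))


# Constructed sample library (the policy references are hypothetical).
LIBRARY = [
    Entry("Is customer data encrypted at rest?",
          "Yes. Databases and object storage use provider-managed AES-256 encryption at rest.",
          "Data Protection Policy s.4"),
    Entry("Do you enforce multi-factor authentication for employee access to production systems?",
          "Yes. MFA is enforced through SSO for all production and administrative access.",
          "Access Control Policy s.2"),
    Entry("How often are backups taken and tested?",
          "Daily automated backups; a restore is exercised quarterly.",
          "Backup runbook"),
]

# Constructed incoming questionnaire: a rephrase, an abbreviation, and a genuinely new question.
QUESTIONNAIRE = [
    "Do you encrypt customer data at rest?",
    "Is MFA required for all staff accessing production?",
    "Describe your backup and disaster recovery testing.",
]

if __name__ == "__main__":
    for d in draft_answers(LIBRARY, QUESTIONNAIRE):
        status = "NEEDS REVIEW" if d.needs_review else "reused"
        print(f"[{status} {d.score:.2f}] {d.question}\n    -> {d.answer or 'closest: ' + str(d.matched)}")
```

The third question is the important case: it overlaps the backup-frequency answer on two words, but disaster recovery testing is a different question, so the 0.33 score correctly falls under the threshold and a person writes it once; after `record_answer` it matches at 1.0 on the next questionnaire. Tune the threshold against your own history, and keep the `evidence` field populated, because the only thing that makes a reused answer defensible is being able to point at the document it came from.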


I think this is the right answer, and I especially want to call out the second part, because it can be a bit counterintuitive.

The reason for having security documentation isn't so that it can answer the questions the client has. No one will actually read it. The thing is, people have an unlimited appetite for wasting your time if it's free for them to do so. By pointing them at documentation and having them get back to you with questions, you're now making it their problem instead of yours. Some clients will say no, fill out the questionnaire. You can politely bow out with those clients. Others will glance at your docs and decide it's not worth it to them to figure out if you actually answer all their questions, so they'll just check the "security review complete" box in their buying process.


Ignore clients who bring you more worries than money. Hire someone to answer these questions. If the income from such clients does not cover the salary of such a person, ignore such clients. Another approach is to create a template document describing your security practices based on an analysis of such questions, and send it in response to such questionnaires with a cover letter saying that you are very sorry, but answering the questions takes too much of your time and it'll be a pity to lose a client if this PDF is not enough for him. In any case, all that paper exists to cover someone's ass, no one will read your answers.



