

How Proposal Managers Should Handle Security Questionnaires and Infosec Due Diligence


Published on April 1, 2026

by Ben Johns

Proposal managers take on bits and pieces of many different roles across our organizations. We’re writers and project managers first, but we’re also part-time graphic designers, product marketers, pricing experts, competitive intelligence sleuths, and data analysts.

One function in parallel orbit to proposal management is answering information security (infosec) questionnaires. Some proposal managers get pulled into infosec exercises occasionally as part of RFx responses, and some handle these as a core part of their responsibilities. Proposal managers aren’t necessarily expert programmers, database engineers, or cloud technology architects, but the general skillset — managing a questionnaire-centered project with lots of SME input — translates well between RFPs and infosec tasks.

Infosec questionnaires can be very long and demanding exercises. Using proposal tools and skillsets can make this process much less painful (with the convenient benefit of boosting the proposal manager’s reputation and importance in the organization as well). Certain deviations from generally accepted proposal management best practices can help reduce the strain of this work while keeping your organization compliant with customer and regulatory requirements.

Use AI to skip review cycles

The current generation of AI-driven proposal software makes building and maintaining a content library much easier than previous tools, and the straightforward nature of infosec questionnaires makes maintaining this library faster:

  • Skip the onerous manual review / approval cadences and simply feed your AI proposal tool updated documentation when you get it. Your SMEs can point you to the right documentation, or a dedicated content management solution can keep the latest versions front and center and synchronize them automatically.

  • In the proposal world, new features or offers might necessitate new product descriptors, competitive differentiation, executive summary content, pricing language, etc. Infosec responses don’t require this sort of second-order writing and analysis beyond the base facts. This lets you and your teams work quickly without needing to constantly write new content or reformulate existing answers.

But make sure the different segments of your response library / AI database are partitioned properly. Your proposal tool needs to be able to clearly differentiate between what you say about your product/company/client in the market vs. your internal infosec posture. This is especially important in the software industry: Your product brochure might say 'AES-256 encryption protects all customer data,' but your infosec questionnaire response needs to describe your internal network encryption, which may be completely different.

Keep it simple

A valued skill as a proposal manager is the ability to understand and address the “why” of a question — beyond the stated ask, what business pain or issue is driving a particular question or request, and how does our solution address that?

Infosec questionnaires — whether you're completing a SIG, a CAIQ, a VSAQ, or a bespoke vendor security assessment — are a refreshingly direct contrast from the sales/marketing-infused world of RFP responses. The questions and responses are mostly straight to the point, with little room for variation or trying to ‘sell’ to a buyer. Short, blunt responses are allowed and often encouraged. The “why” in the infosec world is not that deep — typically, it’s just a core requirement from an infosec standard.

So avoid the temptation to dive too deep in your responses. In infosec exercises, vendors are being scored on compliance rather than creativity. Flowery language or embellishment could cause more trouble and create extra work for you and your organization. Layering in extra information about related infosec practices might sound like a good idea to reassure the buyer that your practices are robust. But you risk opening the door to additional questions, and if you’re not an infosec expert, you might undermine your organization’s credibility by introducing an unrelated topic.

There are always exceptions, gray areas, and times to elaborate, but let those stand out rather than providing too much detail for every response. (Your SMEs should be able to guide you here.)

Meet tech-savvy infosec SMEs where they are

Your infosec SMEs are more likely to be competent tech leaders and shouldn’t be the types calling to ask how to save a PDF. So treat them like it:

  • Find the right collaboration tool. Do your SMEs work best in Teams/Slack? Notion? A ticketing tool like Jira/Confluence? Centralize questions there. Ideally make that channel searchable (including by AI tools) so you don’t have to ask the same question twice. Use a shared calendar or ticketing tool if that’s how they organize their work.

  • Understand their ecosystem of internal tools so you know where information sits — as you get better acquainted with the information, SMEs can likely help you self-serve or facilitate an integration with your AI knowledge/proposal tool.

  • Maybe you don’t trust your sales team to use your proposal management tool, but there’s probably a designated SME or two in the infosec organization who could manage. Over time, more of the workload can be shifted back to the infosec function if you can provide a solid, proven framework for knowledge management and questionnaire automation.

And be sure to make the effort with your SMEs. When you’re unsure of an answer, try to come to your SMEs with an educated guess about what a question is asking for, and/or a suggested response and reasoning. Even if you’ve missed the mark, SMEs appreciate the effort over and above simply throwing questions over the fence. (Web searches and AI queries are your friend. Most acronyms and standards are universal, and even without subject matter expertise, you may be able to understand the requirement. Is the standard being requested even relevant to your organization? Is it perhaps something that your organization does under a slightly different name, or equivalent regional practice, etc.?)

Complete and make available standard assessments

Your eyelids are getting heavy filling out one lengthy infosec questionnaire. So imagine the person on the other end whose job is reading and scoring these things for their company’s full roster of vendors. If you can make their job easier and get your organization approved more quickly, do it!

Most sales organizations would cringe at a one-size-fits-all list of boilerplate attachments for RFP responses, but making standard materials available to infosec reviewers can speed review cycles. Do you have a SOC 2 report? A completed SIG / CAIQ / VSAQ questionnaire? ISO certifications? Penetration tests? Get these organized, understand their review cycle, and find a way to get these to your buyer's information security reviewer proactively.

And if your team doesn't have these materials prepared already, you might be able to facilitate the process. With a healthy repository of infosec knowledge, completing a standard questionnaire template like the SIG could be a minimal investment of time that enables your organization to avoid some assessments or requirements.

Consider a 'Trust Center' approach

With SaaS becoming a standard and AI use cases on the rise, the volume of infosec / compliance review cycles is increasing. Rather than manually sharing infosec documentation in response to each request, many organizations are adopting a Trust Center approach, where standard infosec documentation can be accessed by customers and prospects given permission to do so.

Dedicated third-party risk management tools like Whistic and Panorays and digital sales room tools like Allego and Trumpet can host this information in a secure environment to provide limited access to these materials without exposing your organization to privacy risks.

Even if a full Trust Center approach is not feasible for the organization, any public-facing summary (e.g., a page on the corporate website, Privacy Policy, sub-processor list, etc.) can help to stave off some requests and questions and build confidence in the organization's infosec practices. Many proposal managers already maintain static content in the form of a library of standard RFx appendices; managing infosec under this same process is a natural fit if this function is not already owned elsewhere.


Ben Johns

Ben Johns is a seasoned B2B proposal manager, bringing 15 years of experience preparing complex RFP responses for SaaS solutions across a wide range of industries and verticals, as well as information security, privacy, and due diligence questionnaires. He relishes the creativity and freedom afforded by commercial sector / B2B proposals, and is eager to help fellow proposal professionals deliver better buyer-side experiences through emerging technology.