How to complete security documentation
Confusion confusion confusion

Security documentation can be an absolute minefield, hard to navigate and even harder to interpret. As a software company you’ll find that the majority of large companies will ask you to complete some sort of security documentation for the procurement process. It’s part of any sales cycle that involves selling into large companies, and it is quite often one of the slowest parts of the procurement process.

Why is it so slow? A lot of change has happened in the software industry in the last ten years and, surprise surprise, other functions of large enterprise businesses haven’t kept up with the rate of change. Software as a service is a new concept to a lot of people in these companies, and as such completing security documentation can be a bit of a minefield. So with that in mind, we’ve prepared a short guide on how to fill out security documentation when you’re looking to close deals.

How do I respond to questions that aren’t applicable to my product?

It’s very common for large enterprise companies to push to use their own documentation for security information and legal agreements. Why? Because they have spent time de-risking their business, and they generally have the ability to negotiate due to the large opportunities that their company provides to vendors. The downside of this is that a number of them try to push security documentation on you that just isn’t appropriate for your product; it’s written for a product that you build and hand over to them, not for a software as a service product.

So what do you do when you find questions that just aren’t applicable to you? The simple answer is to just say Not Applicable in the response. The slightly less simple answer is that this security questionnaire is most likely going to someone who doesn’t know what your product is or how it will be rolled out. In this case it’s very important to arm your sales team with the tools to navigate conversations, to get the appropriate audience involved in the conversation early, and to make that person aware that you are offering software as a service rather than a stand-alone software product.