What if You Fail to Meet Due Diligence Requirements?

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

Maybe you’ve completed the really long questionnaire and there are questions you couldn’t answer. Or perhaps you have submitted your responses and received feedback, identifying some gaps in your approach.

Assess the Issue

First, take a breath. This is normal.

Failing to meet the requirements in a due diligence questionnaire can be normal in these early stages. To be clear, failing due diligence isn’t a good thing; it’s just a normal thing, and it doesn’t necessarily mean the end of your sale or a failure to proceed.

If it’s normal and it’s not the end, then we have a chance to address it. In this section we will give you some strategies for approaching failed due diligence and addressing the gaps identified.

How Much Is This Deal Worth?

This is a contentious question to start with but it’s an important one. If the deal will generate $100 of revenue but the security requirements will cost $10K to remedy, then you have a business decision to make before you get into the business of remediating risks. While the dollar value to the sale or engagement won’t be the only driver, it’s always important to keep this in mind when planning to address gaps, deal with customer requests, or change your operating model.

Questions to consider when deciding how to respond to failed due diligence include:

  • How much is this deal worth compared to the cost required to respond to the gaps?

  • How much is this customer worth to me outside of straight revenue? (For example, signing a large, recognized brand may be a great asset to your sales and marketing strategy and could offset some of the cost/revenue ratio.)

What Is the Impact of This Result on Your Sales Process?

The other factor to consider at this stage is what the impact will be on your sale. Will the customer proceed anyway and expect remediation along the way or is the sale paused until remediation is accepted?

If the process is now stalled, look at the impact this will have on your operations and sales forecasts.


Do I Have All the Information I Need to Plan Remediation?

Most due diligence processes are based around questionnaires. While some of these will provide detailed feedback when they identify gaps in your security maturity, some will not. When faced with a simple “the computer says no” response to your answers, you may need more information before you can assess and plan for remediation.

Schedule a call with your contact in the organization and their security person. Be clear about your intentions and that you aim to understand their requirements more clearly before you plan your next steps.

Most organizations will be happy to oblige and set up a call, particularly if they really like your product or service.

Use this time to listen to their concerns and ask for examples of suitable solutions or controls if they have some to share. While you may not follow their preferred approach, the more you learn at this stage, the better you will be able to explain your chosen solution when presenting your remediation plan.

Don’t Be Defensive About Your Gaps

It’s natural to feel a little bit sore if you fail due diligence. We even often avoid using the word “fail” in this space as it feels final. If you know your response is likely to be defensive, take a breath and pause before you respond.

Your aim in this phase is to understand and plan remediation, not to justify your approaches and argue. While there may be a chance something has been misunderstood, most of the time our focus needs to be on constructively accepting the feedback and responding.

Remember, you don’t own their risk. If you fail due diligence, it means that they are not happy with the risk they inherit from using your product or solution. Aim to understand the risk posed to them and what this means in their context before you try to challenge their assessment.

Make a Plan to Address Gaps

Once you have all the information you need about the risks that were identified and the work you need to carry out to progress, it’s time to make a remediation plan. This plan is split into two distinct phases:

  • The technical (internal) implementation plan that your team will use to understand and track the work needed. This could be a task tracking board, to-do list, or project plan, depending on your internal working practices.

  • The executive implementation plan that you will communicate to your executive team, board, and the customer. This high-level plan will communicate your proposed actions and timelines, and any associated challenges, and lets these high-level stakeholders know what to expect. This communication is important not only because it shows direction and leadership, but also because it manages expectations regarding timelines and next steps. In brief, it is saying, “We understand what we need to do, this is how we are going to do it and this is how you will know we have succeeded.” This is likely to be a short report or presentation.

Don’t Rush Into Solutions

Both the technical and executive implementation plans will require you to estimate the time and resources required to meet the requirements. As members of younger companies, particularly those in engineering roles, we often underestimate the complexity and time required to remedy issues.

In this case it is important to add some buffer into your time estimates and not to promise too much, too soon. It is better to spend 90 days on remediation and do an amazing job than it is to spend seven days on this work and have it rejected multiple times.

If you aren’t sure how much buffer to add, double your first estimate and then double-check that number with someone objective and experienced that you trust. If there is any doubt, increase it some more.

This is particularly important if any of your remediation activities require procurement of tools or services, or if you have to interact with third parties. As you cannot control their operating speed, you must allow some room in your estimation process (and list this as a risk on your implementation plans).

Consider Out-of-the-Box Options

Definition: A compensating control is a security measure that you implement when you are unable to take the typical or suggested approach. It is a different way of reducing the same risk when you face operational, contextual, or unusual constraints.

For example, suppose your system integrates with a third party and, as part of this relationship, you have to log in to their systems. Unfortunately, they don’t allow you to use your single sign-on provider or to have separate accounts for each user.

This situation isn’t ideal and most security frameworks prohibit the use of shared accounts or promote the use of single sign-on at all times. This isn’t your system, however, so you can’t take action. You can’t change the authentication type or enforce individual accounts per user.

Instead, you may choose to implement a compensating control to address the risk: in this case, that activity on the shared account cannot be attributed to a person, which makes incident investigation hard and increases the chance of account compromise.

Our proposed compensating controls could be as follows:

  • Enforce a long password stored in the company’s password manager.

  • Turn on 2FA where possible.

  • Create alerts that notify your team (via chat or email) when the account is accessed. This might be via your network logs or be something you can configure in your systems.

  • Enforce a policy that requires team members to centrally log when they use these credentials.
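As an added example (not from the book), the alerting and central-logging controls above can be combined into one check: each login to the shared account in the third party’s audit log is matched against the team’s usage register, and any login that nobody registered is raised as an alert for investigation. The account name, the log line format, and the register format are assumptions; the log lines and register entries are constructed sample data.

```python
# Added example: flag logins to a shared third-party account that no team
# member registered in the central usage log. All data below is constructed.
from datetime import datetime

SHARED_ACCOUNT = "acme-integration"  # assumed name of the shared login

# Constructed audit export from the third party: "<iso-time> login <account> from <ip>"
AUDIT_LOG = """\
2023-10-09T08:02:11Z login acme-integration from 203.0.113.10
2023-10-09T09:15:40Z login someone-else from 203.0.113.11
2023-10-09T13:47:05Z login acme-integration from 203.0.113.10
2023-10-09T22:31:59Z login acme-integration from 198.51.100.7
"""

# Constructed central register: team members note when they used the credential.
USAGE_REGISTER = [
    {"user": "alice", "start": "2023-10-09T08:00:00Z", "end": "2023-10-09T08:30:00Z"},
    {"user": "bob",   "start": "2023-10-09T13:30:00Z", "end": "2023-10-09T14:00:00Z"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_audit_log(text):
    """Yield (time, account, ip) for each well-formed login line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "login" and parts[3] == "from":
            yield parse_ts(parts[0]), parts[2], parts[4]

def attribute(when, register):
    """Return the user whose registered usage window covers this time, else None."""
    for entry in register:
        if parse_ts(entry["start"]) <= when <= parse_ts(entry["end"]):
            return entry["user"]
    return None

def unattributed_logins(log_text, register, account=SHARED_ACCOUNT):
    """Logins to the shared account that nobody registered: each one is an alert."""
    alerts = []
    for when, acct, ip in parse_audit_log(log_text):
        if acct == account and attribute(when, register) is None:
            alerts.append({"time": when.isoformat(), "ip": ip})
    return alerts

if __name__ == "__main__":
    for a in unattributed_logins(AUDIT_LOG, USAGE_REGISTER):
        print(f"ALERT: unregistered use of {SHARED_ACCOUNT} at {a['time']} from {a['ip']}")
```

Only the 22:31 login falls outside every registered window, so it is the one access that needs a team member to account for it.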

There is no exact science for compensating controls. The trick to making the most of them is to:

  • understand the risk that needs to be addressed

  • understand the preferred approach and articulate why it can’t be done

  • plan alternative strategies that address the same risk and submit them for approval or assessment.

Step Forward for Reassessment

When you are satisfied with your remediation efforts and have worked internally to validate that they have been met, it’s time to resubmit your assessment.

Some organizations will only reassess the remediated areas and conduct a partial assessment; others will insist on completing the entire assessment from start to finish again (sometimes even using a different assessor).

Find out what the process is for reassessment before you submit, and be prepared. If you passed some other areas of the assessment but you know your answers were weak, spend some time to reinforce these before you go back. It could save you some issues later if the full assessment is conducted again.

Tips for Reducing the Stress of Customer Due Diligence

It can take a significant amount of time to complete due diligence questionnaires, particularly if they are based on international standards, they have been customized tightly to your customer’s environment or language, or you operate in an environment processing large volumes of personally identifiable, financial, or otherwise sensitive information.

Here are some of the ways you can make this process less time consuming and stressful for everyone involved.

  • Don’t be afraid to ask for a chat if things are unclear. Due diligence processes can be complicated, and often include questions and considerations framed in the language of regulators or the larger enterprise you are dealing with. This can often mean that questions are confusing or unclear. It’s OK to be unsure and ask questions. If you need clarification or to understand what the risk/concern is related to a particular requirement, ask. You may find that the person who sent you the questionnaire appreciates you taking the time to understand before you submit your responses.
