Karakor Insights
CYBERSECURITY · POSTURE

The questionnaire you should have already answered

Every enterprise client will eventually send a two-hundred-question security questionnaire. The firms that win the work answered it once, in writing, before the question was asked.

Illustration: a multi-page security questionnaire with most boxes pre-filled by reference to a bound, indexed posture document beside it.

Shahed Daoud · 6 min read

Every firm we have advised in the last three years has the same story. An enterprise client — a Fortune 500, a regulated industry buyer, a private-equity firm in due diligence — sends over a security questionnaire. It has two hundred questions. Three of them require attachments. The procurement team wants it back in five business days.

The first time a firm receives one of these, a senior person spends a week of evenings filling it out. The second time, the same person fills out a slightly different version of the same questionnaire from a different vendor, also in evenings. By the fifth time, the firm has answered the same questions five different ways, in five different documents, none of which agree with the others.

This is the tax you pay for not having answered the questionnaire once, in writing, before anyone asked.

What the questionnaire actually wants

The variations are cosmetic. Strip away the vendor branding and the questions are almost identical across the industry. A serious buyer is asking eight things:

  • Who has access to our data, under what authentication, with what audit?
  • Where does the data live, and who can subpoena it?
  • What encryption is applied, in transit and at rest, with which key management?
  • What happens if you have an incident — who do we hear from, when, and on what evidence?
  • What is your backup and recovery posture, and have you tested it?
  • Which sub-processors touch our data, and what is their security posture?
  • What is your written acceptable-use policy, and who enforces it?
  • What audits or certifications do you hold, and what was their scope?

That is the list. SOC 2 Type 2 reports cover most of it. A written security posture covers all of it. A firm that has produced these answers once, signed and dated, can fill any vendor's questionnaire in half a day by reference.

The posture document

The artifact that compresses the work is a single bound document. Twenty to forty pages. It answers each of the eight questions above, in plain language, with named owners and dated controls. It is not a slide deck. It is not a marketing one-pager. It is the document a senior practitioner can hand to procurement on a Tuesday morning and have the matter close on Friday.

The document is not static. It has a version number, a revision date, and a quarterly review cadence with a named owner. The version that lives on the firm's intranet today may be three iterations ahead of the one shared with a customer last year. That is the point.

The compression is real. Firms we have worked with report the per-questionnaire cost drops from a senior person's week of evenings to a senior person's half-day of cross-referencing. Across ten enterprise prospects in a year, the compounding savings exceed the cost of the engagement that produced the document, usually by an order of magnitude.

What stops firms from doing this

The honest answer is that the work feels like overhead until the moment it is needed, and at the moment it is needed, the deadline is already too short.

We have seen three patterns in firms that have eventually done the work. The first is a near-miss — a deal lost because the questionnaire came back late, or with answers procurement read as evasive. The second is a regulator inquiry that demanded the same documentation under shorter timelines. The third, more rarely, is a partner who arrived from a larger firm where the document existed and refused to operate without one.

None of those are good reasons to wait. The work is roughly four to six weeks for a firm of any size — most of which is documenting decisions that have already been made. The output is operational infrastructure that compresses every future deal cycle.

The deal you do not lose

The argument that finally lands inside a firm is not "what does this cost." It is what an enterprise procurement team does, quietly, when the questionnaire response is late or incomplete. They do not call. They do not escalate. They move to the next vendor on the list, and the firm rarely learns it was even in contention.

The questionnaire you should have already answered is the one you will not get a chance to answer twice.
