Your Security Questionnaire Problem Isn't a Security Problem

A fast-growing B2B SaaS company hired me to answer security questionnaires. They were ISO 27001 certified. SOC 2 certified. Selling to Fortune 500 accounts. Technically strong team. The brief was simple: help us respond faster. What I found when I got there was something different — and more expensive — than slow turnaround times.

The questionnaire arrives

It's a Tuesday. A 150-question security questionnaire lands in the sales rep's inbox from a prospect that could meaningfully change their ARR. She forwards it to the CTO: "Can you handle this? They need it by the end of the week." The CTO has seen this before. He recognizes some of the questions from a questionnaire four months ago. He starts pulling answers from memory, from old emails, from a shared doc he half-remembers. He pulls in the cloud architect for a few questions. He pulls in the platform lead for a few more. Something else catches his eye — two questions he hasn't seen before. They're probing an area of their infrastructure he'd assumed was covered. He answers as best he can and moves on. Nobody flags it. Four days of engineering time later, the questionnaire is submitted. The deal moves forward. Everyone exhales. Nobody writes any of it down.

Six weeks later, another questionnaire arrives

Different prospect. Similar questions. The CTO gets the forward. The cycle begins again. This time, the cloud architect is deep in a product sprint. The platform lead is on leave. The answers exist — somewhere — but not in any form that anyone can quickly find and trust. Two weeks pass. The prospect follows up. The rep sends an apologetic email. The deal doesn't die. But it limps.

What's actually happening

This isn't a security knowledge problem. The team knows their security posture. What they don't have is a system for turning one-time effort into reusable, trustworthy institutional knowledge. Every questionnaire answer that gets written and then discarded is a tax on the next questionnaire. Every time an engineer has to reconstruct a context they already built four months ago, that's engineering time that isn't going into product. And every time a sales rep has to apologize for slow turnaround on a security questionnaire, there's a small but real erosion of commercial momentum. I've seen this pattern at companies that are ISO 27001- and SOC 2-certified and are still selling to Fortune 500 companies. Certification tells you that your controls are in order. It doesn't solve the operational burden of proving it — over and over, to every new enterprise prospect, on their timeline, in their format.

What we built

When I came in, the brief was: help us respond to questionnaires faster. The first thing we did was start building a response library. Not a document. A structured, maintained system that captured each answer, the reasoning behind it, the evidence that backed it up, who owned it, and when it was last reviewed. Turnaround went from weeks to three to five days. The second thing was an AMA channel in Slack. Sales could ask a security question and get a vetted answer without blocking engineering. Quick questions got quick answers. Complex ones got flagged for a deeper conversation. The third thing happened on its own: patterns started to emerge. The same questions kept appearing across questionnaires, and some revealed gaps that the certifications hadn't caught. Not because the certifications were wrong, but because enterprise customers ask questions that go beyond their scope. We started closing those gaps proactively, so when the next questionnaire arrived we were prepared for questions that hadn't been asked yet.
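What "reusable, trustworthy" means in practice is that an old answer is only reused when it still has evidence behind it and was reviewed recently enough. The following is an added illustration, not the consultancy's tooling or anything the client ran: a small response library whose entries carry the four fields described above, a keyword-overlap matcher that finds the closest stored question for an incoming one, and a triage rule that returns "reuse", "review" or "new". The sample entries, the 180-day review window, the 0.3 similarity threshold and the `triage` and `trust_issues` function names are all assumptions made for the example.

```python
"""Questionnaire response library with trust checks (added example).

Assumptions for illustration: the sample entries, the 180-day review
window, the stopword list and the 0.3 Jaccard threshold are invented here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_WINDOW_DAYS = 180  # assumed review cadence; tune to your audit cycle
MATCH_THRESHOLD = 0.3     # assumed minimum keyword overlap to count as a match

# Filler words ignored when comparing questions (assumed list).
STOPWORDS = {
    "a", "an", "and", "any", "are", "at", "describe", "do", "does", "for",
    "how", "in", "is", "of", "on", "please", "the", "to", "which", "with",
    "you", "your",
}


@dataclass
class Answer:
    """One library entry: the answer plus what makes it trustworthy."""
    question: str
    answer: str
    reasoning: str
    evidence: list[str]   # links/ids of artefacts backing the answer
    last_reviewed: date
    owner: str


def tokens(text: str) -> set[str]:
    """Lower-cased alphanumeric words with filler removed."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def similarity(a: str, b: str) -> float:
    """Jaccard overlap of the two questions' keyword sets (0.0 to 1.0)."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def find_candidates(library: list[Answer], question: str) -> list[tuple[float, Answer]]:
    """Stored entries whose question resembles the incoming one, best first."""
    scored = [(similarity(question, e.question), e) for e in library]
    return sorted(((s, e) for s, e in scored if s >= MATCH_THRESHOLD),
                  key=lambda pair: -pair[0])


def trust_issues(entry: Answer, today: date) -> list[str]:
    """Reasons an otherwise matching answer must not be reused blindly."""
    issues = []
    if not entry.evidence:
        issues.append("no evidence linked")
    if today - entry.last_reviewed > timedelta(days=REVIEW_WINDOW_DAYS):
        issues.append(f"stale: last reviewed {entry.last_reviewed.isoformat()}")
    return issues


def triage(library: list[Answer], question: str, today: date):
    """Return (status, best_entry_or_None, issues).

    status is "reuse" (match, evidence present, reviewed recently),
    "review" (match but the owner must re-verify it) or "new" (no match,
    so engineering has to write and evidence a fresh answer).
    """
    candidates = find_candidates(library, question)
    if not candidates:
        return ("new", None, [])
    _, best = candidates[0]
    issues = trust_issues(best, today)
    return ("reuse" if not issues else "review", best, issues)


# Constructed sample library; these are not a real company's answers.
TODAY = date(2024, 3, 1)
LIBRARY = [
    Answer("Is multi-factor authentication enforced for all employee access to production systems?",
           "Yes, via SSO with hardware-backed MFA for all production roles.",
           "Production access is only reachable through the SSO-fronted bastion.",
           ["policy/ACC-03", "screenshot/sso-mfa-policy-2024-01"],
           date(2024, 1, 15), "platform-lead"),
    Answer("Is customer data encrypted at rest, and with which algorithm?",
           "Yes, AES-256 via provider-managed keys.",
           "All customer datastores have encryption at rest enabled.",
           ["evidence/kms-config-export"],
           date(2023, 6, 1), "cloud-architect"),   # reviewed long ago
    Answer("How often do you perform third-party penetration testing?",
           "Annually, plus after major releases.",
           "Latest test report exists but has not been filed in the library.",
           [],                                       # answer without evidence
           date(2024, 2, 1), "cto"),
]

if __name__ == "__main__":
    for q in ["Is multi-factor authentication enforced for employee access to production systems?",
              "Is customer data encrypted at rest?",
              "How often is third-party penetration testing performed?",
              "Do you have a documented incident response plan with defined RTO?"]:
        status, entry, issues = triage(LIBRARY, q, TODAY)
        print(status, "|", q, "|", entry.owner if entry else "-", "|", issues)
```

Two design choices matter here. Matching is deliberately crude (keyword overlap, not semantics) so that a human still confirms the hit; the value is in surfacing the prior answer and its owner in seconds, not in auto-filling the form. And "review" is a separate outcome from "new": a stale or unevidenced answer is still institutional knowledge, it just routes to the named owner for re-verification instead of back to the whole engineering team.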

The questionnaire that changed things

Four months in, a new Fortune 500 prospect asked about a control we'd been working on — one we'd flagged two months earlier because we kept seeing variations of the question. The control wasn't fully in place yet. But we knew exactly where the gap was, how we were closing it, and what timeline we could commit to. The sales rep had a clear, honest answer ready within 24 hours. Not perfect. Credible. The prospect noted it was one of the most thorough questionnaire responses they'd received.

What started as paperwork became something else

By month six, we weren't just answering questionnaires. We were having strategic conversations about which gaps were worth closing, which certifications would open which markets, and how to turn the security program into a commercial asset rather than an operational burden. That's what ongoing compliance actually looks like when it's working. Not a checkbox exercise. Not a one-time certification. A living system that compounds — where each questionnaire makes the next one faster, where each gap you close becomes an advantage, where sales and security stop working against each other. The company hired us to answer forms faster. We became their vCISO.


If your sales team is absorbing the burden of security questionnaires, forwarding them to engineering, chasing for answers, and apologizing to prospects for turnaround times, the question isn't whether you need better security. It's whether you have the system to prove the security you already have.

If this pattern sounds familiar, I'm happy to talk through what this looks like for your team. No deck, no pitch — just a conversation: paolo@bare-consult.nl
