[emremm]

Good question. Short answer is no, we don't insure you in the deal.

I'd be willing to bet (and infosec folks doing assessments should chime in here), but it's rarely, if ever, a binary decision on a single question (unless you have absolutely no encryption on a service that's handling sensitive information). It's a consistent degree of carelessness and lack of attention paid to basic security blocking and tackling.

You'll typically lose deals in security review because you've done no vulnerability scanning, have never done a pen test, are using outdated encryption, don't demonstrate that you properly protect data - and oh, by the way, you want to handle customers' or employees' sensitive personal information. If that's the case, your company should spend a month patching up these basic security gaps and delay on returning the security questionnaire.

Ultimately, we allow companies to edit and change responses (and require approval of any Stacksi-generated ones) to make sure that the responses are an accurate representation of the company's security processes and policies.

That's the purpose of having multiple levels of review.

Things go like this: AI takes first pass / Human on Stacksi team reviews for accuracy and quality / Stacksi Account Manager reviews with the customer.

I think our current customers would attest to the level of quality we're able to attain with this approach.

[newman8r]

Thanks. I think you're probably right about that being relatively rare. I'm curious how often these deals are lost due to the security questionnaire at all.

[joetheone]

I'd love to see stats on that. I'd bet that rather than losing the deal entirely, the more common case is that the deal gets delayed (possibly significantly) if something is flagged in a security review. After all, even standards like PCI & SOC2 include provisions for compensating controls :)

[sverhagen]

I think this is the wrong answer. Of course you aren't liable, your value proposition shouldn't be shifting the liability, it should be just about shifting the bulk of the work. Any company worth their salt doesn't have one person working on RFPs or such, so you can help reduce the team, but your customer should still do a review. That way they still save money on the (more tedious) initial preparation, while still being in charge of the end result.

[joetheone]

What you describe is exactly what we do. Every single answer output by Stacksi is required to be explicitly approved by a member of our client's infosec team before it can be exported and used. Questions that we don't know the answer to or that we have taken an educated guess at are explicitly flagged as such and our reviewed together by our team and the questionnaire reviewer at the client.

I see Stacksi as giving our client's an extra pair of hands on their team to help with this tedious work. We're a jr. team member though, so our work needs to be checked over before being sent :)