At our last company, we were the ones who filled these security questionnaires out. We hated doing it, but we got them done because we had to in order to close deals that could meaningfully change the trajectory of the company.
If you’ve had to deal with these, you understand that they’re the worst way of broadly assessing a company’s security with a reasonable time / cost tradeoff…except for every other method that we currently have at our disposal.
The problem is that they're often 200+ questions sent to a salesperson and forwarded ASAP to some other poor soul (often some sort of engineer). The questions asked (e.g. "What is your company's encryption standard?" or "What events do your logs capture?"), assuming they're even correctly phrased, touch on sufficiently detailed aspects of a company's security practices that someone without at least some security or compliance background (e.g. a salesperson) can't answer them properly. All of this means that high-capability people (CTOs at earlier-stage companies, Solutions and Security Engineers at later-stage ones) end up spending significant amounts of time answering the same questions they answered a few days ago, just phrased differently enough that rote copy-paste isn't a viable solution.
This is what we’re trying to fix.
We do it, in a nutshell, by taking two things: 1) a company's security docs (e.g. policies, diagrams, vuln scans) and 2) the questionnaire in whatever format it's in (GRC portals, web forms, Excel, Word, PDF, tea leaves). Putting those two things together, we get the questionnaire done accurately and quickly using a human-in-the-loop model: we combine a tuned BERT model that searches the company's docs with manual review by a human on our team.
The product works something like this: upload your docs, upload the questionnaire file, schedule 15 minutes to review with us in the next couple of days, then forget about the questionnaire until the review call and do other work. In the background, we index all of your documentation and run a search for each question to find the most relevant sections of your docs. Once that process is complete, a human on our team reviews what the system has output to make sure the answers are accurate and high quality. We then mark it as reviewed and you get a notification.
When Stacksi's internal review is done, our team takes a few minutes to go over it with you (usually within ~48 hours, which gives us enough time to ensure quality across many questionnaires), and then you send it back to the company that asked for the assessment.
In cases where your docs don't cover a specific question (this often comes up with app-specific authentication questions like "Does your application support SSO with our Identity Provider, [INSERT IdP here]?"), our software also has collaboration features that make it easy for teams to work together to get the questions answered without pulling their hair out deciphering asinine questions or nagging teammates for answers. It then uses those answers to inform future questionnaires.
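To make the index-then-search flow and the "docs don't cover it" fallback concrete, here is an added toy example; it is not Stacksi's code. It stands in a bag-of-words TF-IDF cosine search for the tuned BERT model, uses constructed sample policy sections and questions, and an assumed confidence threshold (REVIEW_THRESHOLD) below which a question is routed to a "needs input" queue instead of being drafted from the docs.

```python
"""Toy version of the index-then-search pipeline described above.

Documentation sections are indexed as TF-IDF vectors, each questionnaire
question is matched by cosine similarity, and questions whose best hit is
below a confidence threshold are routed to a 'needs input' queue for the
team instead of being drafted automatically.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

TOKEN_RE = re.compile(r"[a-z0-9]+")
STOPWORDS = {"the", "a", "an", "of", "is", "are", "do", "does", "your", "our", "you",
             "we", "to", "and", "with", "for", "in", "on", "what", "how", "any", "all",
             "be", "that", "this", "it", "as", "or", "by", "at", "s", "which"}

# Assumed value: a real deployment would tune this against reviewed answers.
REVIEW_THRESHOLD = 0.5


def tokenize(text: str) -> list[str]:
    """Lower-case word tokens with stop words removed (no stemming, on purpose)."""
    return [t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS]


@dataclass(frozen=True)
class Section:
    doc: str
    heading: str
    text: str

    @property
    def ref(self) -> str:
        return f"{self.doc} / {self.heading}"


# Constructed sample documentation; not any real company's policies.
SAMPLE_DOCS = [
    Section("Encryption Standard", "Data at rest",
            "Customer data at rest is protected with AES-256 encryption. "
            "Encryption keys are managed in a cloud KMS and rotated annually."),
    Section("Encryption Standard", "Data in transit",
            "Connections use TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled."),
    Section("Logging Policy", "Captured events",
            "Audit logs capture authentication events, privilege changes, and "
            "administrative actions. Logs are retained for 365 days."),
    Section("Access Control Policy", "Internal SSO",
            "Employees sign in to internal tools through the corporate identity "
            "provider with MFA enforced."),
]

# Constructed sample questionnaire.
SAMPLE_QUESTIONS = [
    "What is your company's encryption standard for data at rest?",
    "What events do your logs capture?",
    "Does your application support SSO with our identity provider, Okta?",
]


class Index:
    """TF-IDF index over documentation sections with cosine-similarity search."""

    def __init__(self, sections: list[Section]):
        self.sections = sections
        counts = [Counter(tokenize(f"{s.heading} {s.text}")) for s in sections]
        df = Counter(t for c in counts for t in c)
        n = len(sections)
        # Smoothed idf, same formula scikit-learn's TfidfVectorizer uses by default.
        self.idf = {t: math.log((1 + n) / (1 + d)) + 1 for t, d in df.items()}
        self.vectors = [self._vector(c) for c in counts]

    def _vector(self, counts: Counter) -> dict[str, float]:
        # Terms never seen in the corpus get weight 0 (no idf entry).
        v = {t: c * self.idf.get(t, 0.0) for t, c in counts.items()}
        norm = math.sqrt(sum(x * x for x in v.values())) or 1.0
        return {t: x / norm for t, x in v.items()}

    def search(self, question: str, top_k: int = 3) -> list[tuple[float, Section]]:
        """Return the top_k (cosine score, section) pairs for a question."""
        q = self._vector(Counter(tokenize(question)))
        scored = [(sum(w * v.get(t, 0.0) for t, w in q.items()), s)
                  for s, v in zip(self.sections, self.vectors)]
        scored.sort(key=lambda pair: pair[0], reverse=True)
        return scored[:top_k]


def answer_questionnaire(index: Index, questions: list[str],
                         threshold: float = REVIEW_THRESHOLD) -> tuple[list[dict], list[dict]]:
    """Split questions into drafted answers (with evidence) and ones needing human input."""
    drafts, needs_input = [], []
    for question in questions:
        score, best = index.search(question, top_k=1)[0]
        entry = {"question": question, "best_guess": best.ref, "score": round(score, 3)}
        if score >= threshold:
            drafts.append({**entry, "source": best.ref, "evidence": best.text})
        else:
            needs_input.append(entry)  # closest section is still shown to the reviewer
    return drafts, needs_input


if __name__ == "__main__":
    drafted, open_items = answer_questionnaire(Index(SAMPLE_DOCS), SAMPLE_QUESTIONS)
    for d in drafted:
        print(f"[{d['score']:.3f}] {d['question']}\n    <- {d['source']}")
    for item in open_items:
        print(f"[{item['score']:.3f}] NEEDS INPUT: {item['question']} "
              f"(closest: {item['best_guess']})")
```

The first two questions land on the right sections. The Okta question is the interesting one: its closest match is the employee-facing "Internal SSO" policy, which shares the words SSO, identity and provider but says nothing about the product's customer-facing login. With the threshold lowered to 0.4 that question would be drafted from the wrong document, which is exactly the failure mode a human review step (and the team collaboration fallback) has to catch.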
We currently charge per question ($2), so companies don't have to pay through the nose to get help or commit to a subscription. We've gotten some feedback that we are under-pricing right now (maybe by too much), but our goal right now is to grow the number of customers we work with rather than squeeze every penny out of each one. The more customers we have, the better our product gets for everyone, since (quality) data is the biggest driver of a good vs. garbage model. For that reason we want to make it as much of a no-brainer as possible for people to sign up and get started. We're very focused on making sure the NLP handles the majority of the work rather than building a business that relies on a bunch of questionnaire savants reviewing questionnaires all day, every day.
Our goal is for a human to spend <15 seconds per question in review, and so we're pricing this as a software product, not a services product. We also hope that pricing this way puts us in better alignment with our customers' success (the more time we save them, the more we earn, without locking them into a contract that forces them to pay whether they get questionnaires or not). Some bigger customers actually want a subscription for financial predictability, so we've started supporting that too. Finally, for companies that don't yet have policies written, we help them create and manage policies, and charge separately for that (kind of like Clerky, but for security policies).
We want to support builders in growing their companies (in our own small way) and allow talented people to put their skills to more productive use than filling forms.
We would love feedback from the community, and we’re happy to answer any questions that come up!