What Is a Secure Data Repository?


A secure data repository is a central storage space where data is separated for analytical or reporting purposes. There are a variety of different types of data repositories are computervirusnow.com/installing-avast-cleanup-mac-important-information/ available that include data warehouses lakes, and marts, each with its particular advantages and difficulties.

Data is typically collected and analyzed using information from different systems like ERP and point-of-sale systems. This can help companies manage large amounts of data and ensure the information is accurate. But, when the volume of data increases security risks can increase as well. To reduce the risk, it is important to implement safe practices for managing data that are based on a multi-faceted, secure approach to protecting data.

For instance a secure data repository should have comprehensive access rules that allow only authorized users who have an actual business need to modify or transmit information. These rules should also address retention requirements and other key issues with managing data. Additionally, a secure repository should have a digital signature approach or any other method of confirming the authenticity of information.

Other important considerations for the security of a data repository include ensuring that the software used can be scalable to handle the increasing volume of data, and also ensuring that the system is properly protected and backed up against malicious attacks. Without these security features an unintentional system crash or hacking attack could ruin the entire data that is stored in the database.

Ask the Experts (Part 2) – The Most Important GRC Trends of 2023


When it comes to Governance, Risk, and Compliance, vigilance is everything.

GRC managers need to stay on the ball, which means being alert to any emerging developments and trends.

And being a bunch of curious compliance professionals ourselves, we thought it’d be an awesome idea to put together insights from some of the most talented folks in the GRC space today.

So here you have it. Straight from the sources. The most important GRC trends to look out for in 2023 (Part 2).

Sushim Roy, GRC Expert at Big 4 Accounting Firm

Your biggest GRC challenge isn’t finding the right tools; it’s maintaining accountability within your team.”

Many voices in the GRC space focus on identifying new capabilities to improve their frameworks. 

While I agree that GRC managers always need to optimize their tools, I don’t think this is the main challenge facing GRC leaders today. There are a lot of great platforms out there. With a little research and testing, managers can find the ones that are right for them.

From my perspective, the biggest challenge is from the organizational perspective. 

I’ve headed GRC efforts in many large organizations, and the consistent issues are always related to the role setup, communication, and most importantly, designing the framework so that the company management can follow the processes and decision-making. 

In any organization, there are a range of compliance and security risks. The most important question GRC managers need to be able to answer is this: “Who owns each particular risk?” or, in other words, who is responsible for addressing this particular GRC need, and who is responsible for following up when there is an issue? What allows you to answer this question is clear visibility. If you’re taking on a new leadership role in GRC, I strongly recommend: this should be your first priority. Divide the organization into sections so you can delineate responsibilities and better quantify risks and requirements. 

The manager then needs to make sure that executives know who holds each of these roles so that coordination can take place between all the relevant parties: the executive overseeing the domain, the GRC manager, and the GRC analyst responsible for the specific task. Conversely, the individual analyst needs to know which executives to reach out to when there is a need to make a change, introduce something new to the framework, or report an incident.

Once the GRC manager has this clarity,  the entire job will go much more smoothly—and effectively. 

Debra Baker, CEO of TrustedCISO 

“The hackers also know the rules, so protecting the network will mean going above and beyond.”

I think there are a few points to watch out for.

One important trend we’re seeing is a really strong emphasis on privacy controls. Regulators are starting to put more emphasis on this. For example, we saw recent changes to NIST 853b bring in more recommendations on that topic. Ultimately, this means that potential clients and buyers will pay attention to these controls in order to have confidence in the product or service they’re acquiring.

To get a handle on this, GRC managers will want to look more closely at automation techs to make these controls work more efficiently. 

Another welcome change we’re seeing is a shift in perspective on security risk management. At the end of the day, network security needs to be viewed within the overall risk management of the enterprise as a whole, and that’s increasingly how executives are looking at it. This is in stark contrast to how many GRC experts have viewed (and continue to view) security and compliance—basically, follow the rules in the best way you can and as efficiently as you can. Now, that’s great if your only goal is to stay compliant. But not if you’re trying to stay ahead of the risk factors in the real world. Think of it this way: cybercriminals know the rules, too. So they know what’s likely to be protected and what vulnerabilities exist. 

Having an outward-looking approach to quantify what are the real-world challenges and adversaries is really the only way to go. 

Merav Vered – VP GRC & Strategic Initiatives at Vendict 

“In 2023, the trend that started five years ago with GDPR will hit a new height.”

This year will be a game-changer as far as GRC is concerned. 

What we’re seeing now is the escalation of a trend that began in 2018 with GDPR. 

The shift has been from perceiving cybersecurity as a mere burden that in most organizations went unnoticed, to a business vector that should be carefully analyzed, planned, monitored, and, above all, receive managerial attention and resources. This process has been gradual. And despite the impact of GDPR, many organizations are still lagging behind. The main reason for this was that many sectors were still able to avoid the huge weight of regulations since they weren’t really regulated too intensely. 

Well, by the time 2023 is over, there’ll be far fewer organizations that have merely a handful of regulations to follow. This will create a sense of urgency to quickly adapt or risk security breaches or being shut out of business opportunities due to cybersecurity implementation gaps.

Some examples of what I’m talking about: 

The European Parliament has introduced two new regulations, the Digital Services Act (DSA) and the Digital Markets Act (DMA), which will be enforced to achieve reliable digital usage while protecting customers and companies in business competition. Heavy fines will be imposed on violations. These regulations will force any company with business in the EU to seriously prepare and commit to cybersecurity and privacy frameworks, or else.

In addition to these, it is apparent that cybersecurity has been escalating. In the US, we’re watching a similar trend, but at the local level. State governments are no longer waiting for a unified federal framework, but are adopting their own laws. Companies are now examining legislation like the Virginia Consumer Data Protection Act which has been effective since January; the Colorado Privacy Act, which will come into force in July; and the Utah Consumer Privacy Act, which will take effect in December.

So we are all experiencing this global trend where regulators all over the world are trying to create common cybersecurity landscapes. 2023 is a major milestone in this journey.

Ask the Experts: (Part 1) The Most Important GRC Trends of 2023

When it comes to Governance, Risk, and Compliance, vigilance is everything.

GRC managers need to stay on the ball, which means being alert to any emerging developments and trends.

And being a bunch of curious compliance professionals ourselves, we thought it’d be an awesome idea to put together insights from some of the most talented folks in the GRC space today.

So here you have it. Straight from the sources. The most important GRC trends you should be on the lookout for in 2023.

Kevin Thomson – GRC Manager at Cognizant

Smart systems powered by AI will bring a new level of accuracy and efficiency to GRC controls and metrics.”

The biggest trend we’ll see in the coming year will be smart systems that help make GRC more accurate and efficient.

In the GRC space, everything kinda falls into the realm of controls, policies, or metrics.  

You wanna have better controls—you know, firewalls, authentication tools, that sort of thing—better policies on how those controls are used, and super accurate metrics on how those policies are actually being implemented and how effective they are.

Collecting evidence across your controls and policies can be tedious, to say the least, especially when you’re dealing with a large organization. But once we have smart systems powered by AI to collect all this info, getting a better read on how well our GRC framework is doing will be much—and I mean much—easier.  

To prepare for audits, all GRC managers will need to do is print out a report based on all the data collected across the organization. What’s even better is that since the report is being generated by a computer, it can frame the compliance status in hard numbers instead of talking in highly technical details pertaining to a given department, system, or regulation. Here’s a pretty straightforward example: Let’s say you have 20 employees in a specific department, but only 10 have completed the required training to be in compliance with personnel regulations. The AI will recognize that and interpret it as 50 percent compliance. 

This is extremely important when it comes to communicating numbers to the board and CEO, who are likely not that familiar with the compliance jargon. What they want to know is how close they are to the goal, and what resources they need to invest in order to get there. 

Sumitra Lohiya – GRC Manager at Wipro UK

“Cloud systems will be vital for robust GRC frameworks.”

Integrating cloud systems and their security controls will be an important measure for GRC in the future.

Cloud-based systems offer vital benefits for creating robust GRC frameworks. Centralizing identity management helps make sure access controls are being applied uniformly and makes them easier to revoke when needed. The cloud also enables an organization to scale up or down resources as needed, making it easier to accommodate changes in their risk profile. 

Finally, there’s the cost factor. Cloud systems can dramatically lower the costs associated with GRC, as organizations don’t need to invest in expensive hardware and software to support their GRC initiatives.

Amiran Sapir – GRC SAP Manager, Big Four Consulting Firm 

“Growing dependence on third parties and the increase in third-party hacks means more pressure to tighten vendor policies.” 

I’ve been keeping an eye on several important developments in GRC. 

From my vantage point, I can see two truly game-changing trends emerging.

First on the list is an increased focus on Third-Party Risk Management (TPRM). Driving this is the growing dependence on third-party relationships in the digital era and the noticeable increase in third-party hacks affecting the digital sphere. This means that GRC managers will be under more pressure to secure their organizations’ vendor policies, either by the board or by new laws mandating it. 

Second is the heightened emphasis on cybersecurity risk management. C-level execs now understand that information security is not a static thing. The “buy the best platforms, set and forget” approach is no longer enough. The threats are constantly evolving. Furthermore, an organization can only dedicate a limited number of resources to cyberspace. So organizations are going to start looking for a more strategic approach to cyber defense: quantifying risk, figuring out real ROI on cyber investment, and creating a strategy based on these metrics. GRC managers will ultimately build their frameworks in the future based on these measurements. 

Nick Dolinich – GRC Analyst at Johnson & Johnson 

“From a security perspective, the golden standard is secure by design. This means development teams want to get GRC guys involved in the early stages.”

From my perspective, one of the most important developments in GRC is the approach to product development. 

Everyone knows that from a security perspective—and therefore from a compliance perspective—the golden standard is “secure by design.” This means that development teams want to get GRC guys involved in the early stages of the product development. This is really a win-win since whenever security is a focus from the start of development, it ends up making the job of GRC analysts and managers a hell of a lot easier. 

What’s pushed more organizations to adopt the GRC-development partnership is the growing complexity of regulation. Here in the US, many states are adopting their own data security laws. So you end up having one standard for California, another for Colorado, and another for New York. So it gets pretty complicated pretty quickly. If you can know your compliance requirements from the get-go, it makes everyone’s lives a lot easier. This will probably require some organizational changes in some companies—for some it’s a foreign concept for GRC and product guys to collaborate in this way. But I definitely think the GRC industry is moving in that direction.

And so, to sum it all up, we’re looking at four super impactful changes coming down the pipe for enterprise compliance: 

#1 – First, the use of AI-powered smart tech to improve metrics and controls—elements that lie at the heart of any GRC strategy. 

#2 – Next is the opportunity to scale GRC implementations smoothly and effectively by adopting cloud capabilities. 

#3 – GRC managers will focus more and more on third-party risk management and ensuring their vendors are secure.

#4 – In order to optimize compliance input for their products, companies will begin to integrate GRC at the development level, which will likely bring about changes in the workflows and processes businesses are currently using.   

Thanks to our experts for the amazing, value-added insights. 

Keep an eye out for Part 2 of our “Ask the Experts” series.

Bye for now. 

The Numbers: How Third-Party Risk is Actually Affecting You

One of the greatest parts about my job is being able to get a global perspective on the state of infosec. 

I’ve the opportunity to talk to amazingly talented people, get their opinions on important trends, and hear their real-world experiences. 

Vendict is, at the end of the day, a platform dealing with third-party risk. TPRM is what we’re trying to deliver to customers, and it’s the risk we’re ultimately trying to mitigate.

Unfortunately, the risk associated with third parties has really gotten out of control. 

Day after day, we see in the headlines that even big companies that have the resources to address this problem are falling victim to third-party hacks.

One of the symptoms of this situation is that it’s really hard to get a quantifiable picture of how TPRM is affecting organizations. 

So at Vendict, we decided to do a deep dive.

To unpack what we discovered, we divided the data into three categories:

Let’s jump in:  

Actual Risk

You don’t have to rely on anecdotes. 

The best data we have confirms that third-party hacks are on the rise, and have been for a while. 

The first thing to consider is that these hacks constitute a larger portion of all security breaches. In fact, they’re now the most common vulnerability behind all data incidents. Experts estimate that today, about 60 percent of all data breaches today occur via third-party vendors.

The second factor to keep in mind is the damage being inflicted by these hacks. In research put out by the Ponemon Institute, the researchers found that the average cost of a data breach caused by a third party has increased from $370,000 to $4.29 million in just three years.  

So yes, third-party hacks are much more common today than they were just a few years ago, and they also have much greater impact.  

The last point in terms of quantifying the general threat of third-party hacks is that not all industries share the same level of risk. For example, the healthcare industry is being hit much harder than other sectors. In 2021, 33% of all attacks involving third parties targeted hospitals and other healthcare organizations. That’s really quite remarkable when you think about it. 

The discrepancy in risk levels is hugely important for GRC managers and CISOs who are trying to develop frameworks for their respective organizations.

Operational Burden

Beyond the actual risk of third-party attacks, there is the burden that businesses must bear in addressing that risk.

And here’s where the problem gets bad. 

You see, TPRM is actually a complicated thing, and it’s only getting more complicated as more and more IT services are being outsourced and the digital supply chain becomes more nebulous. This means staying on top of third-party risks requires a lot of work—more work than many companies are able to put in.   

Today, over 50% of companies across all industries say that managing third-party security is too overwhelming and stressful. Surveys across industries show that more than half of companies say about themselves that they do not thoroughly review each third-party’s security and privacy procedures before integrating them into their network. By the same token, 65% of firms report they have not even identified all their third parties that have access to their most sensitive data, and 54% of organizations do not have a complete list of the third parties that can access their network. 

With the burden of TPRM increasing rapidly, it’s no wonder that 48% of organizations already deem third-party relationship complexity as their main problem from a business flow perspective.

Reputational Burden

I know we are painting a pretty bleak picture here. But stay tuned, because there is a silver lining.

The last factor we considered in exploring TPRM is the reputational factor, which is to say, how third-party risk affects a company’s ability to close deals. 

There’s more awareness of third-party hacks today than ever before. Surveys of IT executives revealed that the vast majority (over 79%) have experienced a third-party hack on their watch in recent years. This trend led Gartner to predict that nearly half of all organizations in the world will have experienced a third-party hack by 2025. What this means is that security teams and their bosses are being more selective about services that have a higher prevalence of third-party incidents. 

Here as well, industry-to-industry differences matter. For instance, third-party security breaches are much more common among software publishers than in other service providers. A recent report by security firm Black Kite shows that software publishers are involved in 23% of all third-party incidents. 2022 was the third consecutive year that software publishers were the most common industry connected to third-party breaches. 

An Opportunity in Disguise

So here’s the good news I promised. 

You don’t have to approach these numbers with a fatalistic outlook. On the contrary, the state of TPRM today offers companies a huge opportunity to grab the third-party challenge by the horns.

At Vendict, we like to say: “We’re not here to solve compliance problems. We’re here to turn compliance into an asset.”

That’s exactly what can be done with regard to TPRM. 

Companies that take responsibility, and go out of their way to show their client base that they take third-party risks seriously, automatically give themselves a huge competitive edge. 

This, in my humble opinion, is the real takeaway from the current state of third-party risk management: The chance to turn risk into an added value for the business is right in front of us. 

We, at Vendict, will harness the power of linguistic-generative AI to help with security and privacy compliance and risk management.

What Everyone’s Missing When Tackling Security Questionnaires


I’ve spent countless hours talking with CISOs and sales managers across every industry, learning about their challenges with compliance processes.

From all of these conversations, I can tell you that there are some points that everyone seems to miss—and that end up costing both resources and potential sales.

Remember, the questionnaire is not just a formality.

Your potential client wants to know if you’re (A) trustworthy and responsive, and (B) if you know what you’re talking about when it comes to the safety of your company and product.

So first things first: Accurate and complete information is key.

For all the sales reps out there desperately trying to cross these tedious assessments off their to-do lists, keep in mind that every follow-up question adds ON AVERAGE four days to the sales cycle.

Number 2: Relevance.

Someone on the other side of this deal will read the questionnaire once you send it back. You don’t want to bother them with facts that have nothing to do with their questions.

Next: Specificity.

It can be very tempting to answer a question in a general way, which is technically correct but lacking in details. If a client asks you, for example, if you have certain security protocols in place, answering “Yes” isn’t enough. Responding “We implement the above protocols in the following way…” is an answer a client can smile about 😉

Number 4: Up-to-date.

This means coordination between sales, the compliance team, and the security people. If key security features change, make sure everyone who needs to know actually does. If you have the same answers on reserve without ensuring they’re up-to-date, that’s an embarrassment waiting to happen.

Last but not least: Consistency.

This means providing consistent answers across all sections of the questionnaire. If there are overlapping questions in a questionnaire (and I assure you there will be), it’s vital that there are no discrepancies between them. Even if all the answers are correct on their own, the fact that different answers are given on the same topics will set off a red flag in the client’s mind.

So there you have it. The five pro tips everyone seems to be missing when it comes to tackling security questionnaires.

Remember, questionnaires, as annoying as they can be, are an important opportunity to show the client your expertise, professionalism, and ability to address their concerns. Keeping the questionnaires sharp and on point is one of your biggest assets.

Tips for Efficiently Responding to Security Questionnaires


If you are a vendor, you are a part of a supply chain and your operations might greatly impact your customers, since you probably store or process sensitive data (personal or business information). Therefore, you are probably familiar with security questionnaires that are sent by your clients. Despite the significance of these questionnaires to your customers, many vendors conceive them as an organizational nuisance which is a challenge to handle.

Fortunately, there are several ways to optimize this process. In this article, we’ll explore some strategies that will help you respond to security questionnaires in a timely and efficient manner.

Photo source: Pexels

Why Are Security Questionnaires Such a Burden on Vendors?

Security questionnaires can be lengthy and very time-consuming for the vendor. Some can reach hundreds of questions and since there is no one standard version, vendors will get questionnaires in multiple formats and contents, deriving mundane and repetitive manual replies. In addition, adequate and prompt responses are often crucial for winning a business engagement, since the vendor’s competitors are also in this race and might beat the vendor to it. 

Another hindering factor causing an organizational burden on the vendors is the contents of these questionnaires, which pertain to various security and privacy domains, such as:

    • Organization of information security     

    • Asset management

    • Human Resource Security

    • Physical and environmental security

    • Communications and operations management    

    • Access control

    • Information systems acquisition, development, and maintenance

    • Information security incident management

    • Business continuity management

    • Security and privacy compliance

    • Documented policies and procedures

In many vendor companies, this diversity of topics would require the involvement of multiple entities in order to gather the responses. This would not only delay the prompt response but also demand many entities to put aside their routine tasks and concentrate on these questions. Many vendors find going through a security questionnaire so challenging, that in many cases they decide to abort the business opportunity, to begin with. In fact, research shows that over 15,000 hours are spent by vendors on completing such questionnaires each year.

Photo source: Freepik

Why and to Whom are Security Questionnaires Important?

Before diving into the best ways to optimize the security assessment process, let’s make sure that you understand why security questionnaires are so important and to whom. These questionnaires are an essential part of the vendor risk assessment process, as they have become the most common tools for clients to identify potential security gaps, assess any potential vulnerabilities which might impact the client itself, and verify that the vendor follows all the required cybersecurity compliance frameworks. Third-party security risks are considered the leading source of vulnerabilities for a customer, and these are handled with the utmost client concern prior to approving any vendor onboarding. Gartner estimates that by 2025, 60% of organizations will use cybersecurity risk as a primary determinant when conducting third-party transactions and business engagements.

Why and to Whom are Security Questionnaires Important

Photo source: Pexels

However, if treated thoroughly, security questionnaires can also play an important role for the vendor.

To begin with, security compliance is essential nowadays more than ever, as it helps companies avoid the risks associated with data breaches which greatly influence operations, financial sustainability, client trust, business reputations, etc. 

Secondly, when a security incident occurs, it might cost companies millions of dollars to recover. According to Statista, in 2022, the global average cost of a security breach hits $4.35 million.

Also, security questionnaires are often required by security standards such as NIST or ISO, and even in most large tenders, RFIs and RFPs, so companies have no choice but to comply with these frameworks. 

In security-mature companies, this burden may even seem like an “order generating tool”, which assists the organization in validating its security mechanisms and processes.

5 Tips for Responding to Security Questionnaires More Efficiently

Photo source: Freepik

One thing is for sure — whether we like them or not, security questionnaires are here to stay. So, the best we can do is find a way to optimize the process of completing them.

Therefore, let’s take a look at a few tips on how to make this process more efficient, and how to take this burden off your teams and allow them to focus on their routine and ongoing tasks.

Define a Clear Process

What do you do once you receive a security questionnaire?

It’s essential that you define clear guidelines on how to complete this process and not leave this task to chance. You might have to deal with multiple questionnaires at once, and you don’t want to delay your sales process because of them.

Start by deciding which members of your team or teams are responsible for this task. Make sure they have the necessary information and skills for answering a security questionnaire. This often involves senior members of your team/s or outsourced security consultants.

Then, define a workflow and ensure that all team members involved in this process have access to your plan. Include information about the people responsible for this task, the process of handling questions, the available documentation and evidence, and any other resources.

Also, make a plan on how to interact with the clients. Think about every possible scenario. What should happen in case of a delay from your side? What should your team members do if the clients require additional information once you’ve already sent them the security questionnaire? What is the procedure for receiving and submitting a security questionnaire? Documenting the answer to all these questions will be extremely useful for everyone involved in this process.

Keep It Simple

People tend to overcomplicate things when dealing with something as complex as a security questionnaire. Don’t be one of them. On the other hand, do not overlook, delay or undermine the questionnaire. Both approaches will only make the process more difficult and longer.

Instead, try to keep it simple. Pay attention to each question, and provide detailed answers but try not to offer more information than required. Many questions can be answered in one or two sentences. Avoid overloading clients with unnecessary information, especially on issues or question intentions that you are not completely certain about since imprecise information might harm you.

Also, make sure your questionnaire responses are clear. The information you offer to clients should only include sincere, accurate, and relevant answers. Avoid elaborations using non-existing processes or solutions, since a client might later ask for evidence or even hold you responsible for a security incident.

Plus, it’s important to also add evidence where available and possible. This will help you establish a trusting relationship with the client right from the start. If you stumble upon ambiguous questions, don’t hesitate to reach out for more information.

Create a Knowledge Base

One of the most efficient ways to optimize the completion of security questionnaires is by creating a knowledge base.

What does it take?

A knowledge base or a response repository contains the security questionnaire responses you used in the past. As stated before, while security questionnaires might differ from one to another, many questions remain the same. Therefore, having your answers documented can save you a lot of time and frustration.

You can use a spreadsheet or any other format that allows you to easily add and search for information.

Start by creating a knowledge base with answers to the standard questionnaires that you usually encounter or on the commonly repetitive topics. Then, add more specific information for different topics, industries, and regions.

Once you have created a response repository, make sure you update it every time you encounter a new type of security questionnaire or any additional questions. Also updating your answers and evidence is even more important, as they change with time.

Having a solid and up-to-date knowledge base will save you a lot of trouble in the future, and it will make your team’s work faster and more efficient.

Automate the Process

What if there was a way to complete a security questionnaire much faster?

Fortunately, there is. By using an automation tool, you can take this burden off your chest and let the technology do the work for you. Even to the extent of over 90%.

How does it work?

An automation tool can help you provide accurate answers to all questions using your evolving knowledge base. It does more than copy and paste your predefined answers. It provides the best answer for any type of security questionnaire, and it makes sure your answers are compliant with cybersecurity frameworks.

At Vendict, we have developed an automation tool that uses Natural Language Processing (NLP) to hyper-accelerate your sales process by completing security questionnaires 50x times faster than it would take to do it manually.

Our solution is able to cut even through the most complex questionnaires and provide technically and methodologically accurate and on-point answers to all the questions.

Final Thoughts

Final Thoughts

Photo source: Freepik

Security questionnaires have become a necessity for ensuring data security, and they are a common part of risk management strategies. It’s important to understand that in a business world where cyber threats are more common than ever, organizations need to do their best to protect customer data and ensure they have efficient security mechanisms, processes, controls, and procedures in place.

Considering that security assessment questionnaires are here to stay, it’s time to find a way to save time and make your work more efficient, both in responding to those questionnaires and in leaving your hands free to handle the routine tasks and targets which you are intended to fulfill.

So, what are you waiting for? Book a call with one of our experts, and say goodbye to manual, mundane, and frustrating work!

50 Tech Professionals Reveal: The Top 3 Time-Wasters and Productivity Boosters in Compliance Management


One of the most important things for me as a CEO is to get a full understanding of our clients’ business challenges around data and compliance.

A big part of my job in leading Vendict is to listen carefully to the customers, understand their problems, and act on their feedback..

A few months ago, the Vendict team decided to pose some questions to tech and compliance professionals to get their take on how compliance affects their jobs.

Well, the results are in. And I’ve got to say, they’re pretty revealing.

During the survey, we interviewed over 50 individuals, including account managers, sales professionals, and SDRs working in the SaaS, PaaS, IoT, and other tech areas. Each of them has years of experience dealing with security compliance in a business context. We asked each of them three questions:

1. What would you say is the biggest time-waster in your job?

I knew from the start that it was a risk to ask such a general question.. 

We didn’t offer multiple-choice answers. We just asked participants to write freely. The answers could have been very different, and it wouldn’t have been possible to pinpoint the problems I want to solve as a compliance expert..

But in the end, it was worth asking the questions.

Of the non-administrative challenges that respondents listed, the top three time-wasters they described were:

a) Lack of technology to hasten various tasks

b) Technical data not organized or readily available

c) Compliance documentation


This speaks volumes about the challenges companies are facing. It also demonstrates how simple technological tool integrations can make a significant difference in a team’s efficiency and overall productivity..  The third response on the list (compliance documentation) is essentially a combination of the first two problems—menial task overload and lack of data organization.

Lesson learned:

Adopting technological platforms that can automate menial tasks and help organize critical information are the investments with the biggest ROI.

2. What routine or process has been implemented in your workplace that has made the biggest difference in your productivity?

We’re all about efficiency at Vendict.

So naturally, I wanted to know what my target audience is up to when it comes to increasing efficiency in the workplace.

By far, the most common response to this question involved integrating technology to better manage information and databases (post-sales call meetings being the distant second).


Getting all these similar answers from such a wide array of participants lends a lot of support to the lessons drawn from the first survey question, namely that keeping information organized is a huge driver of company performance. Remarkably, many participants (without us asking, of course) described in more detail why these integrations made their lives easier. The common thread came down to this: They had all this information just sitting there, in their own network, with no way of accessing it—until they brought on the appropriate platform.

3. Do you feel that customers’ security and compliance requirements are making your job more difficult? If so, in what ways?

Understanding the relationship between compliance and business is at the core of my company.

I’ve spent countless hours discussing this topic with clients. But I wanted to hear from a broader set of people in the field..

Now to be 100% honest, to my surprise, I’ve received a few sporadic “no” responses to this question. All I can say to that fortunate handful is: “Heaven has clearly smiled upon you.”

But the rest of the participants, as I’d anticipated, had a different story to tell.

The most common descriptions of how compliance made the job harder were:

a) numerous security inquiries that essentially all contained the same question.
b) time spent filling out security questionnaires, which delays sales cycles..
c) back-and-forth communication between the vendor and buyer holding up the deal from closing.


I think the most important thing to take away from the responses to this last question is how disruptive compliance can be for an enterprise.

It becomes a task with such high resource demands that it can hurt the company’s profitability and put a real dent in its ability to function.

What these responses, and indeed the whole survey, reaffirmed to me was that making compliance easier and more efficient for enterprises is not just a compliance issue—it’s also a business efficacy issue.

Unless an enterprise is able to achieve compliance in a smooth and simplified manner, it is essentially handicapped as a business..

That’s why empowering companies with compliance technology transforms compliance from a liability into one of their biggest assets.

Special thanks to the amazing participants who helped make this expert survey a reality: