Skip to content

How to Win Sales by Passing Vendor Risk Assessments?

Start with a Sales Security Packet Designed to Win Deals!

Turn your security program into a competitive advantage and set your business apart.


Chances are, you already have extensive security measures in place to protect customer data and to ensure service continuity. But how well is this being communicated to prospective customers through your sales team? In this article, we’ll share simple strategies for maturing your security posture, building a powerful competitive advantage, and optimizing sales.


Businesses are continuously up against new data security regulations and compliance requirements—from GDPR to the latest California Consumer Privacy Act (CCPA). Strong data security not only complies with regulations but helps to avert costly litigation, loss of consumer confidence, and brand damage. With data security being front and center, today’s top brands can no longer conduct business with providers that let security standards fall short.


So there’s never been a more opportune time to use your security program as a unique competitive advantage. Whether a startup with just a few customers or an established global enterprise, it’s essential that today’s businesses demonstrate an even greater commitment to security controls than their competition if they want to win new business and retain customers they already support. You can demonstrate your security posture and better compete within this changing landscape by providing your sales team with a new set of tools.


At Cyber Security Services, we’ve analyzed thousands of vendor risk assessments and have talked with customers of all sizes to develop a few important guidelines for proactively addressing questions all customers are (or should be) asking. By prepping the sales team in advance with a packet presenting security assurance documents, organizations can dramatically improve performance on due diligence reviews and the RFP process for both new and existing customers. Simply having the right documents in place and readily available to distribute in a sales security packet will not only promote a smoother sales process but could also become the deciding factor when customers choose to work with your company.


Nine Customer Security Assurance Documents That Can Win Deals


Set your business apart by presenting a sales security packet during the proposal process. We recommend including in your packet the following nine customer assurance security documents.


  1. The Security Contact for your Organization. Every organization should have at least one individual responsible for information security. This is the contact able to provide reassurance on security controls and the one who manages business processes in the event of an emergency. Your security contact might be the CISO, a virtual CISO, or anyone in-house offering equivalent expertise. Simply showing that you have a CISO or responsible security executive in charge will demonstrate to prospects that your organization takes security seriously. It also demonstrates that you have a program with continuous improvement in place and that you’re able to quickly respond to changes arising on the security landscape.
  2. Your Information Security Policy. If you don’t already have a comprehensive Information Security Policy, develop one and update it minimally once per year. Then share it with prospects to provide that added reassurance. You will want to make sure your employees are up to date on it, and that your organization is actively following the policy.
  3. A third-party audit report. We recommend that organizations undergo routine third-party audit reviews and make those audit results available to both existing and prospective customers minimally once per year. The SOC 2 type 2 audit, which is conducted by an AICPA-authorized firm, is the standard for service organizations. There are many other great 3rd party reviews that you may want to consider outside of the SOC 2 type 2. After the audit is complete, your auditor should provide a report showing all findings. When you share this report with prospects during the sales process, it demonstrates that your company is serious about customer data security, which can give you a strong competitive edge.
  4. Your business continuity plan (BCP). Provide customers with details about your preparations for disaster response and business practice continuity. Sharing this documentation with prospects will offer the reassurance that your operations will continue and that their service won’t be interrupted even in the event of a major incident. It also demonstrates that your business is prepared for any number of scenarios.
  5. Penetration test results. A penetration test (also called “pentest”) will help to ensure hackers and identity thieves cannot easily access customer data. Conducting a pentest annually through a third-party provider is an essential safeguard for all environments including internal, external, and hosted applications. Once conducted, your pentest provider should present a detailed report of findings along with an executive summary. Presenting the executive summary to prospects during the sales cycle, and offering a detailed review upon request, can help in tipping the scale in your favor. An annual penetration test is often part of every mature organization and is often a compliance requirement.
  6. An example vulnerability scan. We recommend that organizations implement vulnerability scanning services using free tools or through one of many leading vulnerability scanning vendors. When you initiate a vulnerability management program with a scanner, this helps to assure customers that your company is able to detect and address security vulnerabilities in a timely manner. Sending an example scan during the sales process will demonstrate that you have no or only low-risk vulnerabilities, which acts as a powerful competitive advantage and helps to win the deal 99.9 percent of the time. If there are critical, high, or medium vulnerabilities you’ll want to make a case for why they are still active.
  7. A network diagram emphasizing security controls. Provide a network diagram that highlights important security controls or tools that you have in place, such as your main network firewall, web application firewall (WAF), Intrusion Prevention System (IPS), Data Loss Prevention Tools, and 24x7 Security Monitoring. Also include documentation to proactively reassure customers who expect real-time alerts or monitoring for applications or systems storing sensitive data.
  8. Your security awareness training records. Conduct security awareness training on an annual basis and include documentation in your sales security packet that details employee training programs and training frequency. Include your employee participation rate, as well, which ideally should be 100 percent. There are great options such as that offer training solutions for minimal costs. The Center for Information Security Awareness (CFISA) in partnership with the FBI’s Infragard is another great option for training. They even offer free courses to individuals.
  9. Your Service Level Agreement (SLA). Your SLA should outline your company’s commitment to service availability. We would recommend that organizations commit to no more than 24 hours for their Recovery Point Objective (RPO) and Recovery Time Objective (RTO). However, this may be shorter depending on the services provided. It is important that if you state your RTO/RPO that you have tested your recovery strategy. CSS recommends at least once a year.


Cyber Security Services assists businesses of all sizes and throughout the United States with vendor risk management. We help our clients assess their security program, design plans, test networks and systems, and conduct routine third-party audits.


We can also provide support in building and maintaining up-to-date documentation provided in your sales security packet to help land highly profitable deals with some of the largest companies in the world—from acting as our client’s virtual CISO and seamlessly managing their entire information security program to offering guidance on critical sections to include in your information security policy. Work with us to develop all of the tools your sales professionals need including your security policy, BCP plan, SOC 2 Type 2 audit, penetration test and vulnerability scan report—even your comprehensive network diagram highlighting security enhancements. Our team of cyber security consultants are here to assist.



Matthew F. Santill, CISSP

Scroll To Top