Even when you use S2Vendor for third-party information security due diligence, third-party objections may still arise, especially if the vendor is unfamiliar with the platform or the process. Here are the most common objections you may encounter and the most appropriate responses, using S2Vendor’s strengths as part of your explanation.
Objection 1: “We don’t have time to complete this assessment.”
Why They Object:
They may view the process as time-consuming or resource-intensive.
There may be competing priorities.
They may assume the questionnaire will be complicated.
Best Response:
Emphasize Simplicity: Explain that S2Vendor’s assessment is True/False and designed to be quick and easy to complete.
Highlight Time Savings: If they’ve completed an assessment in S2Vendor before, they can simply reuse the same one, reducing redundancy.
Offer Support: Provide assistance by explaining specific questions or offering guidance.
“We understand your time is valuable. The good news is that S2Vendor uses a streamlined True/False questionnaire that typically takes minimal time to complete. Plus, if you’ve used S2Vendor for other assessments, you may be able to reuse your existing results, saving even more time.”
Objection 2: “We don’t see why this is necessary.”
Why They Object:
They may not understand the relevance of an assessment, especially if they don’t perceive themselves as handling sensitive data.
They may believe compliance with existing regulations is sufficient.
Best Response:
Explain the Purpose: Emphasize that S2Vendor evaluates the inherent risk of the relationship, not just their industry or size.
Clarify the Benefits: Their cooperation helps ensure trust and maintain compliance for both parties.
Offer Transparency: Explain that a fair, objective S2Score will result from the assessment, helping both parties make informed decisions.
“This assessment is part of our standard due diligence process to ensure our partnership remains secure. It helps us identify and manage risks objectively. Using S2Vendor also means your assessment may be reusable with other customers, reducing future requests.”
Objection 3: “We already have certifications like SOC 2 or ISO 27001. Why do we need to complete this?”
Why They Object:
Vendors may feel their certifications cover all necessary security measures.
They might see additional assessments as redundant.
Best Response:
Acknowledge Their Efforts: Recognize that certifications are valuable and demonstrate strong security practices.
Explain the Context: S2Vendor’s assessment complements certifications by applying an inherent risk-based evaluation tailored to your relationship.
Reduce Effort: If certifications are available, explain that they may reduce or replace some assessment requirements.
“Your certifications are certainly a strong indicator of your security practices. However, our S2Vendor assessment is relationship-specific, focusing on how your security posture aligns with our particular risk environment. Additionally, having your certification may reduce or simplify the assessment process.”
Objection 4: “We are concerned about how our information will be used or shared.”
Why They Object:
Vendors may fear that sensitive information will be improperly handled.
They may misunderstand how data in S2Vendor is stored or reused.
Best Response:
Reassure Data Security: Explain that S2Vendor follows strict security protocols and stores data securely.
Highlight Control Over Data Sharing: Vendors have the option to approve or decline data reuse with other S2Vendor customers.
Clarify Transparency: Emphasize that the data is solely used for security risk assessments, not for competitive analysis or misuse.
“We take your privacy seriously. S2Vendor ensures your data is secure and only used for security risk management purposes. Additionally, you maintain full control over whether your completed assessment can be reused for other customers, which can save you time in the future.”
Objection 5: “We don’t have a formal security program. How do we answer the questions?”
Why They Object:
Small vendors or startups may lack formal security policies and feel overwhelmed by the assessment.
They may worry about receiving a low S2Score.
Best Response:
Provide Context: Explain that S2Vendor tailors the assessment to match the risk level and vendor size.
Encourage Transparency: It’s okay to report that certain controls aren’t in place — transparency is valued over perfection.
Offer Guidance: Provide examples or clarifications to help them understand how to respond accurately.
“That’s completely understandable. S2Vendor is designed to scale based on the size and complexity of your organization. Just answer as accurately as possible — the goal is to understand the risk, not to punish companies without a formal security program. We’re also here to help if you need clarification.”
Objection 6: “We’ve completed multiple questionnaires this year. Do we really have to do another one?”
Why They Object:
Vendors often experience questionnaire fatigue from numerous customers requesting assessments.
They may see this as redundant.
Best Response:
Leverage S2Vendor’s Strength: Emphasize that if they’ve completed an assessment using S2Vendor for another customer, they can reuse it without additional effort.
Highlight the Efficiency: Point out that the platform is designed to reduce redundancy for vendors.
Save Them Time: If they’re not yet in S2Vendor, suggest they store their completed assessment for reuse with future customers.
“We completely understand questionnaire fatigue. One of the great things about S2Vendor is that once you’ve completed your assessment, you can approve it for reuse with other S2Vendor customers. This means fewer requests and a more efficient process for you.”
Objection 7: “We’re a low-risk vendor. Why are we being asked to complete an assessment?”
Why They Object:
Vendors who perceive themselves as low-risk may feel they are being subjected to unnecessary scrutiny.
They may not understand the classification process or the true nature of the relationship.
Best Response:
Explain Risk Classification: Describe how S2Vendor uses an objective method to classify vendors as High, Medium, or Low risk based on inherent risk.
Assure Proportionality: Explain that lower-risk vendors may receive fewer questions or be excluded from further assessments.
Reassure Compliance Needs: Emphasize that this is a standard due diligence requirement to meet legal and regulatory obligations.
“S2Vendor helps us assess vendor risk objectively. While you may not handle sensitive data, factors like access to systems or network connectivity can still present risks. This simple assessment helps us ensure we meet compliance obligations efficiently.”
Objection 8: “We want to charge you for the work required to complete the risk assessment.”
NOTE: A vendor wanting to charge you for the time or resources spent completing the S2Vendor risk assessment is not an uncommon objection, especially from larger or highly sought-after vendors. Some may view the effort of completing a questionnaire as a billable service rather than a cost of doing business.
Handling this objection may require additional consideration, so we provide more guidance here than for the other common objections.
Use your best judgement according to your specific circumstances.
Why They Object:
Vendors may see security assessments as time-consuming tasks that pull resources away from their core operations.
They might view completing a risk assessment as a billable service rather than a standard expectation of doing business.
Larger or highly sought-after vendors may believe their size or influence justifies charging for these activities.
They may assume that their certifications or previous assessments exempt them from further evaluation.
They may be trying to discourage the assessment or avoid transparency.
Best Response Approach:
1. Emphasize That This Is a Standard Due Diligence Practice
Explain that completing security assessments is a common and expected part of doing business.
Emphasize that this is part of your regulatory or legal obligations.
Example Response:
“We understand your concern, but this assessment is a standard part of our due diligence process to ensure the safety of our data and systems. Like financial audits or legal reviews, security assessments are an essential requirement for responsible business operations.”
2. Highlight S2Vendor’s Efficiency and Reuse Capability
Remind them that S2Vendor uses a simple True/False format that’s much faster than traditional security assessments.
Remind them that S2Vendor allows them to reuse their completed assessment for other customers, reducing their workload significantly. This can be a strong incentive if they expect future assessments from other clients using S2Vendor.
Example Response:
“One of the advantages of S2Vendor is that once you complete the assessment, it can be reused with other customers in the future, with your approval. This means you won’t have to duplicate the effort for every client request.”
3. Offer to Streamline the Process
If they remain resistant, offer to reduce the scope of the assessment (if they qualify as a lower-risk vendor) or accept existing certifications like SOC 2 or ISO 27001 where applicable.
Offer assistance in clarifying or filling out the form.
Example Response:
“If you already have certifications like SOC 2 or ISO 27001, we can use those to reduce the time required to complete the assessment. We are also happy to provide support or clarification to make this process as smooth as possible.”
4. Politely Push Back on Charging Fees
Make it clear that paying for security assessments is not a typical practice. While some vendors may attempt to charge for them, most companies do not pay for third-party due diligence assessments.
Reiterate that assessing security risk is part of the partnership’s responsibility — and it benefits both parties.
Example Response:
“We don’t typically compensate vendors for completing security assessments since they are a standard part of responsible third-party risk management. This helps us ensure we’re protecting both our organizations from potential security risks.”
5. Present the Shared Responsibility Angle
Emphasize that security is a shared responsibility and protecting data is beneficial to both companies.
Position security as a business enabler, ensuring both parties can operate safely and without disruption.
Explain that a cyber incident could harm their reputation as well.
Example Response:
“A successful cyberattack can have significant impacts on both of our organizations. By completing this assessment, we are working together to reduce risks and strengthen our overall cybersecurity posture.”
When to Compromise with a Vendor Who Wants to Charge a Fee
If the vendor is critical to your business operations and remains unwilling to comply without a fee, consider these options:
Negotiate a Reduced Assessment Scope: Perform a more limited, high-level risk assessment.
Accept Existing Assessments: Accept recent security certifications, reports, or third-party audits instead of a new assessment.
Prioritize Contractual Security Requirements: If they refuse the assessment, ensure stronger security language is added to the contract (e.g., audit rights, breach notification clauses, indemnity).
Share Assessment Costs in Exceptional Cases: If the vendor is a key strategic partner, you might negotiate a one-time cost-sharing arrangement. This should be rare and well-justified.
In most cases, vendors ultimately understand that completing an assessment is a standard business practice. With S2Vendor’s flexibility and data reuse features, you’re offering them a time-saving opportunity. If necessary, gently remind them that refusal to participate may raise concerns about their security posture and ability to manage data responsibly.
Final Thoughts
Using S2Vendor gives you a significant advantage in responding to third-party objections. The platform’s streamlined approach, objective scoring, and data reuse capabilities are powerful counterpoints to common complaints. Always emphasize the mutual benefits of transparency, efficiency, and reduced effort.
SecurityStudio is here to help! If you encounter other objections not covered here, let us know and ask us for assistance.