The Compliance Circus: Why Customer Security Questionnaires Are Broken

Every week brings another “mandatory” security assessment with contradictory demands. Here’s why the system is broken ; and how CISOs can bring sanity back to third-party assurance.

Christophe MazzolaChristophe Mazzola· Practicing CISO · Founder of Cyber Academy3 min read
The Compliance Circus: Why Customer Security Questionnaires Are Broken

Another day, another sixty-page spreadsheet. Another “urgent” security questionnaire. Another list of non-negotiable requirements written by someone who has never run a real security program.

If you work in SaaS, this is your life now ; a constant parade of buyers inventing custom security demands as if compliance were a menu.

And every year, the circus grows.

Let’s state the obvious: It’s impossible to meet the expectations of 100, 1,000, or 10,000 customers when every single one thinks they’re your personal auditor.

Each buyer adds a new requirement. Each procurement team has its own “framework.” Each compliance officer has their own interpretation of risk. And sales teams happily promise that “we can comply with anything.”

The result? Security teams end up drowning in bespoke demands that don’t improve security ; they just multiply paperwork.

This isn’t customer assurance. It’s chaos.

1. The Real Problem: Nobody Trusts Baselines Anymore

Shared frameworks were supposed to fix this. ISO 27001. SOC 2. GDPR. NIS2. Pick one, comply, demonstrate maturity ; done.

Except buyers don’t trust them. Everyone believes their organisation is “special” and needs custom rules.

So instead of a unified standard, we have:

  • PDF scavenger hunts
  • ad-hoc questionnaires
  • irrelevant controls
  • contradictory requirements
  • procurement checklists written 10 years ago

The system isn’t overloaded ; it’s architected incorrectly.

2. Sales Overpromises, Security Overreacts, and Governance Disappears

When sales says yes to everything, security becomes the cleanup crew.

Teams are forced to:

  • invent new policies on the fly
  • justify every “no” like it’s a personal failure
  • accept risks nobody would accept internally
  • maintain fifty flavours of compliance for the same product
  • bend their roadmap to satisfy non-risk-based demands

This is not governance. It’s survival mode.

And when everyone owns the requirements, nobody owns the consequences.

3. Compliance Has Turned Into Security Theatre

Most customer questionnaires have nothing to do with real risk. They’re a ritual ; a symbolic performance meant to reassure someone who doesn’t understand your environment.

So organisations respond with their own theatre:

  • policies written purely for audits
  • controls documented but not implemented
  • evidence that proves nothing
  • promises nobody can honour

Meanwhile, the actual risks remain unaddressed.

This is how companies end up compliant on paper and exposed in reality.

4. The Core Issue: Fragmentation

Right now, vendor assurance is a messy intersection of:

  • procurement teams with no security background
  • compliance officers chasing checklists
  • GRC consultants who still operate in a PDF-first world
  • security teams trying to defend real risk
  • legal teams drowning in amendments

No central ownership. No unified expectations. No risk-based alignment.

The wheel keeps spinning because everyone pushes their piece of the puzzle in isolation.

5. What We Need Instead: A Shared Trust Model

Vendor security can work ; but only if the industry agrees on baseline principles:

1. Realistic security expectations

Based on the service, the data, and the exposure. Not based on fear, tradition, or internal politics.

2. Standardised trust signals

Third-party certifications. Unified control sets. Evidence once ; accepted broadly.

3. Risk-based requirements

Controls tied to actual threats, not procurement folklore.

4. Governance between sales & security

A single point of authority for what is acceptable ; and what isn’t.

Until we have this, every SaaS company will continue living in the Compliance Hunger Games.

6. Security’s Goal Isn’t to Make Every Customer Happy

Here’s the uncomfortable truth: Security is not customer service.

A CISO’s job is not to satisfy every checkbox. It is to protect the organisation, its customers, and its ecosystem from real harm.

Those two things ; happy customers and safe customers ; are not the same.

Strong CISOs choose safety first, even when it means saying: “No, this requirement is irrelevant, and here’s why.”

Final Thought

The compliance circus won’t stop on its own. It stops when organisations adopt shared baselines, commit to real risk management, and stop treating every procurement questionnaire like holy scripture.

Security shouldn’t be a theatre. It should be a partnership built on transparency, evidence, and trust.

Until then, enjoy filling out your 47th spreadsheet of the week.

If you want to build a vendor assurance strategy that eliminates chaos ; with clear baselines, defensible positions, and risk-aligned responses ; that’s exactly what we teach in the Cyber Academy Certified CISO programs. Join the next session and end the compliance circus for good.

Want the next field note in your inbox?

The GRC Brief newsletter. Five links and one short take, every Monday at 8am CET. Three-minute read.