
Security and Compliance Review Without Losing the Deal

Key Numbers Enterprise AEs Should Know

  • Roughly 60% of enterprise deals run a formal security review, and the percentage climbs above 80% in financial services, healthcare, and any deal where buyer revenue exceeds $500M.
  • AEs who manage security review as part of the deal close 4x faster than AEs who hand it to InfoSec or Legal at verbal commit.
  • Median enterprise security cycle in 2026: 28 days. The top quartile of AEs hold it under 21.
  • Custom-DPA requests appear in roughly 35% of enterprise deals, but the AEs who proactively share a standard DPA at discovery cut that number to under 25%.
  • Deals lost at security review average 14% of qualified enterprise pipeline. The AEs who treat security as a workstream get that under 10%.

The first time I lost a deal at security review, it was a Friday-afternoon close-won I told my manager about over drinks. CRO had verbally signed off. The slide deck had the customer logo. ACV was $480K. Procurement was already booking the kickoff.

Then Tuesday the CISO sent a single email to my champion: "We can't approve this until they answer our security questionnaire and accept our standard DPA." Six weeks later, the deal was alive on paper but dead in practice. Nobody wanted to touch it. My champion got reorganized. The questionnaire had 312 questions, and three of them were about a sub-processor the buyer's InfoSec team had blacklisted two years earlier.

I lost the deal because I treated security review as a department I was going to hand the deal off to. The AE who got that account a year later treated security review as a workstream he was going to run.

That's the difference. And it's the entire premise of this playbook.

Why Security Review Is the Deal

Enterprise software buyers don't reject vendors at security review because the product is bad. They reject them because the AE didn't manage the workstream. Specifically:

  • The questionnaire showed up at a stage where the AE had no political capital left to spend.
  • The buyer's InfoSec team had no executive sponsor pushing the deal forward.
  • The AE didn't know which certificate (SOC2, ISO 27001, GDPR adequacy) the buyer cared about, so they led with the wrong one.
  • The custom-DPA request quietly replaced the standard contract, and three weeks of redlines landed on Legal's desk with no escalation path.

Security review is where deals go to die when AEs are passive. It's also where the best AEs separate from average ones. The strong AEs run a parallel workstream from discovery onward: surfacing security scope early, pre-filling questionnaires, positioning the right certificate, and pre-negotiating the DPA before Legal becomes the bottleneck.

That's not extra work. It's the work. And it pairs directly with how you're multi-threading enterprise deals, because the CISO is one of the threads, not a footnote.

Step 1: Surface Security at Discovery (the Three-Question Script)

If you wait for security questions to surface, they always surface too late. The buyer's InfoSec team gets pulled in by Procurement after the verbal yes, and at that point you have a stalled deal and a stranger asking you for a SOC2 report you should have led with.

Instead, ask three questions in your second discovery call. Casually. Before legal is even in the room.

Question 1: "Walk me through how you typically evaluate vendors from a security and compliance perspective. Who's involved, and at what stage?"

This tells you who the CISO is, whether there's a centralized GRC team, and whether security review happens in parallel with commercial negotiation or sequentially after it. Sequential is a red flag. It adds 30+ days to the cycle.

Question 2: "Are there specific certifications or frameworks your security team requires? SOC2 Type II, ISO 27001, HIPAA, FedRAMP, anything specific to your industry?"

The answer here tells you which certificate to lead with. Financial services almost always cares about SOC2 Type II. European buyers and global enterprises lead with ISO 27001 plus GDPR. Healthcare wants HIPAA. Government wants FedRAMP. Lead with the wrong one and you signal that you don't understand their world.

Question 3: "Is there a specific data processing agreement template your legal team uses, or do you typically work from the vendor's standard?"

This is the question that saves you four weeks of redlines six months later. If they say "we have our own DPA template," ask for it now. Get your security team to review it before commercial terms are finalized. If they say "we work from yours," send your standard DPA at proposal stage so it's already on their lawyer's desk when you reach verbal commit.

These three questions take six minutes. They surface 80% of the security scope before Procurement is even in the deal.

Step 2: The Questionnaire Workflow

The standard enterprise security questionnaire runs 150 to 400 questions across access control, encryption, sub-processors, business continuity, incident response, and data residency. The buyer's InfoSec team has a template. So does the SIG (Standardized Information Gathering) framework, the CAIQ (Consensus Assessments Initiative Questionnaire), and a dozen vertical-specific variants.

You will get one of these. Plan for it.

Rule 1: Never let the buyer write the questionnaire from scratch. If they ask you to "fill out our internal security review document," push back politely. Ask if they accept SIG, CAIQ, or a completed SOC2 report as a starting point. Most do. The ones who insist on their custom 312-question form are the ones who will take 10 weeks to review your answers.

Rule 2: Pre-fill 90% of the answers before the questionnaire arrives. Your security or GRC team should maintain a master Q&A library: every question you've ever been asked, with the approved answer attached. When a new questionnaire lands, you should be filling in the last 10% of novel questions, not writing the whole thing from a blank document.

Rule 3: Own the routing. The questionnaire goes from the buyer to you, from you to your InfoSec team, and back through you to the buyer. You are the project manager. If your InfoSec team takes seven days, the buyer thinks you took seven days. If your buyer's team takes ten days to review your answers, you ping them on day five with a status check.

Real questions you'll see, repeatedly:

  • "Provide your SOC2 Type II report from the last 12 months."
  • "List all sub-processors that will have access to customer data."
  • "Describe your incident response process and notification SLAs."
  • "Confirm encryption at rest and in transit, including key management."
  • "Provide evidence of penetration testing in the last 12 months."
  • "Describe your data residency options and any cross-border transfer mechanisms."

If you can't answer those six in your sleep, you're not ready to run a security workstream. Memorize them. Know which document has the answer. Know who at your company owns the response.

Step 3: SOC2, ISO 27001, GDPR: Lead With What the Buyer Cares About

Three certificates cover 90% of enterprise security review. Knowing which one to lead with tells the buyer you've done this before.

SOC2 Type II: The default for North American buyers. Audited annually across the trust services criteria (security, availability, processing integrity, confidentiality, privacy). If a CISO asks "do you have a SOC2?" they mean Type II. Type I is a snapshot; Type II covers a 6- to 12-month operating window and is what enterprise buyers actually want. Lead with this for U.S. financial services, SaaS, and tech-forward enterprises.

ISO 27001: The default for European, APAC, and global enterprise buyers. It's an information security management system standard, not a control attestation, so it covers the program rather than point-in-time controls. Regulated European buyers will often ask for SOC2 and ISO 27001. Lead with ISO 27001 for EU-headquartered multinationals and any deal with a Chief Privacy Officer in the room.

GDPR: Not a certificate but a regulatory framework. Buyers want evidence you're a competent data processor: Standard Contractual Clauses (SCCs), a documented sub-processor list, a clean DPA, and a DPIA if you're handling sensitive data. If your buyer is European and your deal touches personal data, GDPR posture is the conversation, not a checkbox.

The mistake I see junior AEs make: leading with "we have SOC2" to a German buyer who wanted ISO 27001. The CISO interprets that as "this vendor doesn't understand our regulatory environment," and the deal gets harder from that moment forward.

Step 4: The Custom-DPA Question: Concede, Redline, or Escalate

Roughly 35% of enterprise buyers will ask for their custom DPA. You have three responses available, and choosing the wrong one costs weeks.

Concede when: The custom DPA is materially identical to your standard, with cosmetic redlines (governing law, notice periods, defined-term changes). Concede fast, get the deal moving, document the precedent.

Redline when: The custom DPA has 5–15 substantive deviations from your standard but no clauses that violate your security policy. Common redlines: liability caps, notification timelines (they want 24 hours, you have 72), audit rights (they want unlimited, you have annual), sub-processor approval (they want consent, you have notice). Redline these methodically with your Legal team, in a single round if possible.

Escalate when: The custom DPA includes clauses you cannot accept: uncapped liability, real-time audit rights, data residency requirements you don't support, sub-processor veto, or termination-for-convenience with money-back guarantees. These need a security-team-plus-Legal-plus-CRO conversation, not an AE redline session.

The DPA negotiation matrix I keep on my desk:

| Clause type | Standard concession | When to redline | When to escalate |
|---|---|---|---|
| Liability cap | 1x annual fees | 2x annual fees with carve-outs | Uncapped or 5x+ |
| Breach notification | 72 hours | 48 hours with reasonable cure | Under 24 hours, or to regulators on buyer's behalf |
| Audit rights | Annual, with notice | Twice yearly, with notice | Unlimited, real-time, on-site |
| Sub-processor changes | Notice with right to object | Consent for material changes | Veto on all sub-processors |
| Data residency | EU, US, with explicit confirmation | Specific country (if supported) | Country-of-origin only with no exceptions |

Print this. Tape it to your monitor. It will save your deals.

This is also where the procurement-and-legal workstream connects. The DPA is one of three documents (MSA, DPA, Order Form) that move in parallel, and your job is to make sure none of them block the others.

Step 5: The Security-Team Escalation Path

When security review stalls, you escalate. But escalation only works if your security team has already met the deal, has context, and treats it as a priority.

The script I use, sent at the moment a security question requires a human response (not a copy-paste from the Q&A library):

"Hey [Security Lead], I'm in active security review with [Buyer Co], $[ACV] ACV, target close [date]. CISO is [name], reviewing through [framework]. I've attached the questionnaire and the three questions that need a custom response. Can we get answers back in 48 hours? The buyer is expecting us to respond by [day]. If we hit that, we're on track for a [target date] close."

Notice what's in that script: the deal value, the close date, the buyer's CISO name, the specific questions, and an SLA. That's how security teams prioritize. They are running a queue. Without context, your deal is a row in a spreadsheet.

For deals where security is going sideways (custom DPA with 40 redlines, a buyer demanding a clause you can't accept, a sub-processor concern that needs CTO sign-off), escalate to your CRO and your Head of Security in the same Slack thread. Do not let the security workstream happen in a silo while the commercial workstream stalls in parallel. Get them in the same room.

Common Pitfalls

Waiting for security to surface. It always does, and always too late. Use the three-question discovery script.

Going into a security call with no questionnaire reference. If the CISO asks how you handle key management and you have to "get back to them," you've lost the meeting. Carry the questionnaire pack on every enterprise call from proposal stage onward.

Letting custom-DPA scope creep replace your standard terms. Each custom redline becomes precedent. After three deals, your "standard" DPA isn't standard anymore. Track every concession, review with Legal quarterly, push back on redlines that don't have business justification.

Running security review with no executive sponsor on the buyer side. If the CISO is reviewing your contract and your champion is a Director of Sales Ops, you have no political cover when the CISO finds an issue. Multi-thread early. Get the buyer's CFO or COO aware of the deal so the CISO has someone to escalate to internally if they're the bottleneck.

Not pre-filling the questionnaire. You should know what 80% of the answers will be before you receive the document. The novel 20% is where your time goes.

Templates and Tools You Should Have Ready

  • Security questionnaire cheat sheet: A 1-page document with your SOC2 Type II report link, ISO 27001 certificate link, sub-processor list URL, pen-test summary, encryption summary, and incident response SLA. Send this at proposal stage.
  • DPA negotiation matrix: The table above, printed and shared with your Legal team so concessions are pre-approved by category.
  • Security-team escalation script: The Slack/email template above, customized to your security team's naming and SLA expectations.
  • Master Q&A library: Maintained by your InfoSec or GRC team, every question you've answered with the approved response.

The AEs who run security as a workstream maintain all four. The AEs who treat security as a handoff have none of them, which is why they run 50-day cycles instead of 21-day ones.

For the broader stack of tools and surfaces that make this manageable across a $5M+ pipeline, see the enterprise AE tools and tech stack. And for the patterns that sink deals at this stage, the common pitfalls enterprise AEs make overlap heavily with this workstream.

Measuring Success

Three numbers tell you if you're running security review well:

  • Median security-cycle days: under 21 for standard deals, under 35 for highly regulated buyers. Above that, you're handing off too late.
  • Custom-DPA rate: under 25% of enterprise deals. Above that, you're not pre-empting with your standard DPA at proposal stage.
  • Deals lost at security review: under 10% of pipeline that reaches that stage. Above that, you're running security as a department, not a workstream.

Track these by quarter, by AE, by deal size band. The patterns surface fast. The AEs running 40-day cycles are the ones who haven't built the questionnaire pre-fill workflow. The AEs at 60% custom-DPA rate are the ones whose proposal decks don't include the standard DPA.

Security review isn't legal's problem. It isn't InfoSec's problem. It's the deal. And the deal is yours.