Oh and, "How many prospective/customers of your customers will accept security questionnaire answers prepared by an outside firm?" Was answered by saying that being a third party- hey! That brings value right there!
Huh? You're helping answer questionnaires. The risk is that your bullshitting my clients by writing technical, impressive answers but you don't work at the company. You don't know if - do you check if it's 256 bits or 512 bits? And why it's better or worse to use one or the other?
No-You're not designing, implementing, monitoring, or auditing in any way, are you? Your deliverable is to eat data and format/match it to the questionnaire.
How is your product actually add value to infosec and GRC?
I can't use an answer written by you that explains that your company is actually adding value other than making answering questionnaires more efficiently.
I mean- that's a good thing- but it doesn't validate you and answer the question above.
Sorry- but the responses were regurgatory and vapid.
A question for how you would deal with a client's IP was not really answered. Yes or no questions:
Do you have some kind of liability insurance? What actual operational controls do you have to keep client information secure? Saying things like, "only people who are authorized to see the data can see the data." Doesn't say anything meaningful.
What tools do you use? Actually use?
Do you have samples of the reports, if you have them?
I've been at start-ups and those were superficial answers that I could send if a client/partner/vendor needed to check a box.
But I've also worn the hat of asking for those to be filled out and really caring about the answers. I wouldn't take anything I've heard so far as an indication of anything other than buzzword competency in a information security and compliance vocabulary. Sorry.