When a security questionnaire arrives, the first instinct is always the same: send it to compliance. They own security. They have the certifications. They know what to say.
The instinct is half right. Compliance does own some of the answers — but only some. And the gap between what compliance can answer and what the questionnaire actually asks is where deals go to slow down.
What compliance actually knows
Compliance professionals own compliance: the frameworks you've adopted, the attestations and certifications you hold, the policies you've written, and the controls you've implemented to satisfy an auditor. Ask them whether you have a current SOC 2 Type II report (an attestation report, not a certification; a buyer's security team will notice if you call it one). Ask them about your data retention policy, your access control framework, your incident response procedure. They'll answer fluently and correctly.
But a modern enterprise security questionnaire doesn't stop there. It asks about encryption implementations: which algorithms and modes, which key lengths, which key management service, how and how often keys are rotated. It asks about your infrastructure topology, your network segmentation, your patch cadence, your penetration test findings and what you did about them. These are security engineering questions, not compliance questions. The policy says "customer data is encrypted at rest"; the questionnaire wants to know whether that means AES-256-GCM with keys held in a cloud KMS, which roles can call that KMS, and what the rotation schedule is. Compliance can summarise the policy. They can't speak to the implementation.
And when the questionnaire goes deeper still — into your product architecture, your data flows between services, how a specific integration handles PII, where exactly a particular customer's data resides — compliance has to stop and ask product or engineering. At this point, they're not answering the questionnaire. They're routing it.
The forwarding department problem
Seventy-five percent of organisations involve multiple teams in answering security questionnaires, according to Whistic's 2023 State of Vendor Security report. That figure understates the daily reality for most compliance teams, because it counts organisations, not questions. The compliance team might handle a third of the questions directly. The rest get forwarded, to security, to engineering, to product, sometimes to legal, and then the answers come back, get reviewed, get formatted, and get entered into the questionnaire.
Every one of those handoffs takes time. The security engineer is in the middle of a sprint. The product manager is preparing for a roadmap review. Nobody has a dedicated slot on their calendar for "answer compliance forwarding requests." Security reviews routinely add weeks to deal timelines, and more than half of enterprise deals are delayed because of them, according to multiple vendor security studies. This is why sales and compliance stay coupled long past the point where it makes sense.
Compliance is not the bottleneck because they're slow. They're the bottleneck because the job was never theirs to begin with.
The questionnaire doesn't know what compliance knows
There's another layer to this. Almost no two enterprise security questionnaires use the same format. Even buyers who start from a shared template such as the Shared Assessments SIG or the CSA CAIQ add, drop and reword questions, so there is no stable taxonomy and no standard mapping to a framework compliance has already documented. Every questionnaire is a fresh set of questions phrased in the buyer's own language, touching their specific concerns about your specific product.
That means compliance can't run a simple search against their SOC 2 or ISO 27001 documentation and be done. They have to read each question, decide who owns the answer, ask that person, wait, receive something that may or may not be in a usable form, and translate it into something a buyer's security team will accept. Enterprise questionnaires typically run to 100–350 questions, according to EY's third-party risk research, and a single questionnaire takes 12–18 hours of combined effort across teams to complete. At 179 hours of questionnaire work per month for the average vendor, per Whistic's 2025 TPRM Impact Report, that is more than one full-time employee's output every month, much of it spent on routing and translation rather than on producing new answers.
The cost is not just speed — it's coherence
When answers route through multiple people under time pressure, consistency breaks down. Security gives one answer about your encryption. Compliance, working from a policy document written two years ago, gives a slightly different one. The product team describes a data flow that doesn't quite match what the security team said last quarter. None of it is dishonest. All of it is a liability.
Buyers notice. Enterprise security teams are good at their jobs. Inconsistencies look like incompetence or, worse, evasion. The deal slows further while the buyer asks follow-up questions that should never have been necessary.
Build the knowledge base before you need it — and map it to the right teams
The fix starts with accepting what compliance can't do: they can't hold all the knowledge. But they can own the knowledge base — a centralised, curated repository of answers that has already pulled in the input from security, engineering, and product, verified once, and made reusable indefinitely.
Industry research consistently finds that 60–80% of questions repeat across security questionnaires — the same controls, the same frameworks, the same concerns, phrased differently each time. The answers to those questions can be written once, reviewed by the right people, and stored so they never need to be routed again. Compliance doesn't become less relevant in this model. They become more relevant — they're the team that owns and maintains the source of truth, rather than the team that's perpetually chasing contributors.
Start building this before the questionnaires start arriving. Every team that will ever need to contribute an answer, whether security, engineering, product or legal, should have its slice of the knowledge base defined and maintained. Not a shared Google Doc that goes stale. A structured repository with ownership, review cadences, and clear boundaries for what each team is responsible for knowing. Each answer should record who owns it, when it was last verified, and the evidence it rests on, so that when the underlying control changes (a new key management service, a new subprocessor, a reworked data flow) the answer is flagged for review instead of quietly drifting away from what is actually deployed.
The side effect nobody talks about: when your colleagues know that you hold the knowledge, they keep coming to you. Compliance stops being the forwarding department and starts being the team that has the answers. That's a better job, and it's also the correct architecture — and it's what lets your AEs serve enterprise buyers on a silver platter instead of pointing them at a portal.