When security leaders are asked to assess their company's security and governance, the process can sometimes involve reviewing a 400-question assessment that looks suspiciously like an entire security governance framework dropped into a locked spreadsheet, with "yes" or "no" as the only answer options. That is most certainly not the way to gather critical information. Yet tactics like this are used often, and the questionnaire sometimes arrives completely devoid of the context you need to answer it accurately.
When used correctly, questionnaires and assessments can be valuable. David Levine, Vice President of Information Security and CISO for Ricoh USA, Inc., wrote about this topic and offers advice in an article for CSO [1], a source of news, analysis and research on security and risk management.
He says that while some vendors have developed tools that try to solve this puzzle, there is as yet no silver bullet. Some strategies Levine recommends: