CHNG-12

Do you have a technology roadmap, for at least the next two years, for enhancements and bug fixes for the solution being assessed?

Explanation

This question is asking whether your organization maintains a formal technology roadmap that outlines planned enhancements, feature additions, and bug fixes for the product or service being assessed, with visibility extending at least two years into the future.

From a security perspective, this question matters for several reasons:

1. Proactive security planning: A roadmap demonstrates that your organization is thinking ahead about how to address known vulnerabilities, security debt, and emerging threats.
2. Lifecycle management: It shows you have a structured approach to maintaining and improving the solution over time rather than letting it become outdated and potentially vulnerable.
3. Resource allocation: It indicates your organization has committed resources to ongoing maintenance and security improvements.
4. Transparency: It demonstrates your willingness to share future plans with customers, which builds trust regarding your security posture.
5. Compliance planning: It shows you're preparing for future regulatory requirements that may impact security.

When answering this question, you should:

- Be specific about what format your roadmap takes (document, project management tool, etc.)
- Mention the timeframe it covers (confirming it extends at least 2 years)
- Describe the process for updating the roadmap
- Highlight security-specific elements in the roadmap
- Explain how customers or clients can access roadmap information if applicable

Example Responses

Example Response 1

Yes, we maintain a comprehensive technology roadmap for our solution that extends three years into the future. The roadmap is managed in Jira and includes planned feature enhancements, architectural improvements, security updates, and bug fixes. It is reviewed and updated quarterly by our product and engineering leadership team, with input from our security and compliance teams to ensure security improvements are properly prioritized. The roadmap includes specific initiatives for upgrading underlying infrastructure components, implementing enhanced encryption methods, and addressing technical debt. We provide our customers with a sanitized version of this roadmap during quarterly business reviews and maintain a public-facing version on our customer portal that outlines major upcoming features and security enhancements.

Example Response 2

Yes, our organization maintains a two-year technology roadmap for the solution being assessed. The roadmap is documented in our internal wiki and is broken down into quarterly milestones. It includes planned feature releases, performance improvements, security enhancements, and scheduled maintenance windows for addressing accumulated bug fixes. Our security team has dedicated capacity allocated in each quarter for implementing security improvements and addressing vulnerabilities. The roadmap is updated monthly during our product planning sessions and is informed by customer feedback, security scanning results, and industry trends. While we don't share the complete internal roadmap externally due to competitive concerns, we do provide customers with a high-level overview of upcoming security and feature enhancements upon request.

Example Response 3

No, we currently don't maintain a formal technology roadmap that extends two years into the future. Our development approach is more agile and responsive to immediate customer needs and market conditions. We typically plan our development cycles in 3-month sprints, with a general direction set for approximately 6-9 months ahead. While we prioritize critical security updates and bug fixes as they arise, we don't have a documented long-term plan for enhancements beyond our current development cycle. We recognize this as a gap in our process and are working to implement a more structured long-term planning approach that will include a formal roadmap extending at least two years, with specific attention to security improvements and technical debt reduction. We expect to have this in place within the next quarter.

Context

Tab: Organization
Category: Change Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub