In the Disney animated classic Aladdin, there’s a scene where Aladdin invites the princess Jasmine on a magic carpet ride in an attempt to win her heart. To overcome her uncertainty about stepping off her balcony, he reaches out his hand and says, “Do you trust me?”.
Cue “A Whole New World”.
Here in the world of third-party risk management, however, trust isn’t supposed to be a leap of faith into the unknown. It would be better if we didn’t have to take any risks at all when purchasing a new piece of software. The truth is, though, the threat landscape is always evolving and technology is critical to business outcomes—certainty isn’t always possible, so we have to build trust.
Opportunities and Roadblocks for Trust in the TPRM Process
Before we take a look at statistics related to trust, it’s important to understand why it matters, what it can do for your business, and what holds some organizations back.
Unlike Jasmine, businesses can’t just walk off the edge with their vendors and take them at their word. Instead, trust is built through a rigorous process of assessing risk based on industry standards, controls, and a mutual exchange of security posture between software buyers and sellers.
This process is critical for a number of reasons:
- Helps ensure regulatory compliance and and maintain privacy standards
- Helps to effectively allocate security resources to the most salient risks
- Provides business units with greater visibility into risk so they can own it and make smarter decisions
In other words, adhering to great risk-management processes creates tangible benefits which, in turn, build the confidence to move forward with a purchase. Voilà! Trust is established!
So, what gets in the way of building trust?
If that last sentence seems too good to be true, it’s because things are never quite so simple. Great process is a critical strategic foundation for great TPRM, but many organizations on both the buyer and seller sides still struggle to execute quickly and efficiently.
Software buyers often face long waits for a response to their questionnaire requests—if they get a response at all. Even then, there is often lengthy back-and-forth for additional clarification or documentation. For sellers, questionnaire responses are highly manual, time consuming, and overly reliant on InfoSec.
There are huge business consequences for these challenges, including:
The sales cycle “Dead Zone”
When the TPRM and security-assessment processes are heavily manual and reactive, they can be extremely time consuming, slowing down the sales process. This is known as the “Dead Zone” because the longer it takes a deal to close, the higher the odds that the sale is lost—in a recent survey, Whistic found that 90% of sales reps had at least one deal push every quarter because they couldn’t respond to a questionnaire request in time.
Here are some reasons that traditional security assessments linger in the Dead Zone (according to Whistic research):
- More than 30% of companies spend more than five hours per assessment, with 40% of companies responding to at least 11 assessments every month
- More than 50% of assessments require clarification and additional information, with each clarification adding an average of 4-10 days to the process
- Salespeople help to draft nearly 75% of security assessment responses; not only does this cut into their selling time, it often requires constant oversight from InfoSec
Delayed value from software investments
A slower sales cycle doesn’t just hurt vendor revenue; it also keeps software buyers from utilizing a necessary tool. If a buyer can’t get the answers they need in a timely fashion, they must either look for another solution or take on greater risk.
Poor vendor/customer relationships
Third-party risk management isn’t about perfection. As the name implies, TPRM is about understanding and identifying risk, measuring it against potential reward, and managing it responsibly. Buyers need to know their vendors can be true partners in the process.
When vendors aren’t totally transparent about risks and the things they are doing to address them, it erases the foundation of trust that is necessary for successful business relationships. For vendors, this lack of trust can cost deals, make implementation more challenging, and hurt the chances of renewals.
Trust, by the Numbers
So, let’s do a quick recap:
- Risk is unavoidable, so trust must be built between buyers and sellers
- Great TPRM process builds that trust through security assessments
- The reactive, highly manual nature of traditional TPRM makes it needlessly arduous
- In response, companies aren’t transparent or cut corners, and trust is eroded
- Businesses lose deals, take on excessive risk, or lose out on a valuable tool
It’s a good story, but you’re probably not here for even more words. We recently surveyed more than 500 cybersecurity and risk leaders on what trust means to them. Based on their responses, here’s four statistics on trust that speak for themselves:
That’s the percentage of respondents who said they would be more likely to purchase from a vendor that is transparent about its security posture.
This percentage of those surveyed said that when a company publishes their security and compliance information publicly, it increases their trust in that company.
That same percentage reports that if a company’s security documentation were available on demand, it would speed up the vendor assessment process and save an average of 12.3 hours per week on vendor assessments.
Trust is a two-way street. This percentage told us that when a software buyer proactively publishes their security requirements, it helps vendors respond more quickly and efficiently.
Whistic Empowers a Proactive Approach to Trust
What do these statistics tell us about the impact of trust? One key takeaway is that proactively and publicly sharing security information can be a competitive differentiator for vendors. Another is that software buyers also need to proactively share their security requirements, making it easier for vendors to focus their responses more quickly.
Whistic empowers just this kind of proactive TPRM. Our dual-sided platform leverages powerful AI capabilities to streamline the assessment process for buyers and sellers. It’s the only platform you’ll ever need to:
- Keep sales people selling by reducing security bottlenecks—Whistic Profile with Knowledge Base gives you a centralized, dynamic way to share your security posture proactively (including integrations with platforms like G2, so you can share where your customers are looking).
- Make security your competitive advantage—Whistic Profile gives InfoSec centralized control of your security posture and offers automated NDAs, so your sales team can be empowered to share info earlier in the sales cycle—increasing the likelihood of closing deals. They can even share through platforms like Salesforce, giving you better visibility and helping you measure the impact of security on revenue.
- Show off your standards—Whistic Profile allows you to share all the standards you support in a single place. You can also share your Profile through the Whistic Trust Catalog, which makes your security posture on-demand so you don’t have to answer the same questions over and over again.
- Take control of security assessments—Whistic Assess makes it fast and easy for buyers to manage all aspects of their TPRM program from a single platform, helping to reduce the likelihood of a breach, reducing manual processes, and helping to meet regulatory requirements. But the best part? With the Trust Catalog and AI-powered automated response, you no longer have to wait around for a questionnaire response.
But there is one thing you won’t get from Whistic: anyone saying “trust us”. Let us prove to you how our platform works and show you firsthand the impact it can have on your organization. Reach out today and schedule your hassle-free demo and see the power of trust for yourself,