Enterprise access management company streamlines vendor security assessments with Whistic
Introduction
In today’s connected world, technology drives business, and making sure employees have access to the applications and technology they need to do their jobs is critical to their success. And that’s exactly what this enterprise access management company helps accomplish for nearly 9,000 enterprise businesses.
“Our business enables our customers’ employees to securely connect to any technology they want to use,” said the Senior Manager of Security Assurance. “We provide them with best of breed tools and help them implement best security practices based on their risk appetite.”
The business also helps its customers not only identify risk but mitigate it as well with an auditing tool, Healthinsight, which evaluates the business’s security posture and makes recommendations on what can be done to improve security.
“Healthinsight gives our customers an idea of what we consider to have high impact security wise,” related the Senior Manager of Security Assurance. “But it’s up to our customers to determine what’s most important to them and how they are going to allocate their resources.”
And that’s how the business approaches risk as well. “We don’t look at just what’s the risk, but also what’s the impact,” said the Senior Manager of Security Assurance. “We also look at where we are going to get the best return on risk mitigation and focus our resources there.”
This is especially true when it comes to vendor risk management. The business needed a solution to help them streamline vendor risk assessment, and help them prioritize which vendors to spend time on.
Problem
Trying to fit a round peg in a square hole
The business was using an internal tool to manage vendor risk assessments, but it wasn’t the right tool for the job. “The tool we were using wasn’t designed to meet the needs of doing a security assessment of a third party vendor,” said the Senior Manager of Security Assurance. “It was like trying to fit a round peg into a square hole.”
The business had a process in place for handling security assessments that was working, but the problem was that the process was manual and not scalable. It was also difficult for the team to get a handle on the overall volume of assessments they were working on at any given time and where each vendor was in the process.
“Things just weren’t working,” recalled the Senior Manager of Security Assurance. “We needed to find something that was going to address the problem we were having.”
And after reviewing a number of solutions, they settled on Whistic.
Solution
Initially, what they liked most about Whistic was how much of the solution was ready to use immediately, with little to no modifications. They were able to get everything set up and implemented in less than two months.
“Whistic gave us best of breed practices right out of the box,” said the Senior Manager of Security Assurance. “The form elements were in place. The workflows in place had already been vetted. All we needed to do was fine tune it to how we approach risk.”
The business was also now able to scale the processes they had in place for vendor risk management. “Whistic gave us all the key things we were looking for in terms of automation, reporting, and standardizations,” said the Senior Manager of Security Assurance.
Of those three benefits, standardization was the most important to them. The Vendor Catalog gave the team everything they needed in one place and gave increased visibility into the vendor risk management process.
In addition to sending security assessments for new vendors, they also need to send recurring assessments to existing vendors, and that’s where automations come into play.
“With Whistic, we can set up an automation for vendors that are up for renewal to send them a set of core questions to revalidate those vendors,” stated the Senior Manager of Security Assurance. “That was huge for us.”
An early win for the business’s Whistic implementation came when they received an expedited request for a security review for a new vendor. Before sending out a questionnaire, the security assurance team checked the Whistic Trust Catalog and found the vendor had a Profile and they were able to quickly approve that request.
Results
Increased visibility into vendor security assessments means more effective allocation of resources
Better allocation of resources
Whistic identifies which resources are overburdened and which resources can take on more work.
Reduced attention cost
Quickly identify which vendors are compliant and which vendors need further validation.
Eliminate unnecessary meetings
Increased visibility in the process resulted in the elimination of a weekly checkup meeting with procurement.
The Future
The business recently started using Whistic Profile to streamline the vendor security assessments it receives from potential customers. It has completed all of the standard questionnaires and created some custom questionnaires that better fit its use case.
“We have started directing prospects to leverage our Whistic Profile and that has been great so far,” said the Senior Manager of Security Assurance. “We’ve seen an uptick in profile views. The reporting is great. It shows us clearly how much utility we’re getting out of it and we’re currently reviewing it with our sales team to see how we can make it more of a focus going forward.”