Case Study

SingleStore builds and matures its vendor security program with Whistic


Introduction

Before Jake Bernardes arrived as head of information security at SingleStore, the business had no procedures in place for assessing vendors. Bernardes, who had used Whistic previously and recommended it to many of his consulting clients, convinced management that it would be a good fit as SingleStore began assessing vendors on its way toward SOC 2 and ISO 27001 certification.

Additionally, Bernardes implemented Whistic Profile as a tool that lets the sales team at SingleStore share the business’ security posture with its customers, because he believes transparency is so important in today’s cybersecurity ecosystem.

The following are excerpts from a conversation between Whistic and Bernardes.

Vendor Assessments

“I assess all of our vendors that are either high risk or have access to confidential data based on our document classification schema, and that ended up being about 89 to 100. I could not do that amount of vendors by myself. I physically couldn’t have completed that effort without Whistic.”

Jake Bernardes, Head of Information Security

SingleStore

Conversation

Jake Bernardes, Head of Information Security at SingleStore

Whistic: Tell us about SingleStore and your role there.

Jake Bernardes: SingleStore is a database product. We specialize in high ingest speeds and our ability to deliver high IO, high HTAP type workloads. We do a lot in the analytics and streaming spaces. We’re also doing an increasing amount in the banking space.

Our solution was initially an on-prem product, but now we’ve gone completely managed service-first. I joined in 2019 as the head of information security with the remit to create what was essentially a non-existent information security function. That was when we were moving from on-prem to cloud and we wanted a mature security approach with certifications across a varying number of degrees, so we could answer yes if someone asked us if we could provide evidence of our security.

Whistic: How are you using Whistic for Vendor Risk Management?

JB: I joined a call with Whistic a while ago and I coined the phrase, “Whistic does the stuff that is just not very sexy.” Everyone in cyber wants to do the fun stuff. The tentpoles of security like pen tests and vulnerability scanning. A vendor risk review is traditionally pretty bland. It used to be you develop questionnaires, you send them out, you chase them, you review them, you chase them down some more, and then you approve them. That process is resource heavy and we don’t have enough resources.

Our vendor security program consists of me and some resources that are aligned with me, but not 100 percent of the time. But it’s not just resources. It’s time. We didn’t have the time to focus on [vendor assessments]. On the VRM side, Whistic makes it very easy. The GUI is easy to use. I can ask people in various functions to send the questionnaire to these vendors and let me know what they say. That’s a big thing. More importantly, it goes beyond just standard reporting. I can click through and see what I did, when I did it, what I reviewed, and what I attached.

Whistic has also helped us fulfill certification requirements. I couldn’t have done it by myself. I can’t manage that many different excel spreadsheets and Google Drives to ensure that we do sufficient vendor work. With Whistic, I have all that information in one place.

Whistic: What are you doing on the Profile side?

JB: Profile is the future of security. I’m a massive advocate of security transparency. If you go into our Profile, you’ll see that I’ve linked all our security policies. I’ve put IR and VC testing. I’ve put all of our pen testing. Everything’s on there. And we self-questionnaire against everything. Then I tell our salespeople to just ship this straight to everyone. If they ask any questions, let them know we are willing to be on the front foot and show them everything we’ve got.

I think that is hugely powerful. Not just because it means they can get the answers to the questions they want before they send me a 300-question questionnaire that I can sometimes deflect it off, but more importantly it gives them automatic assurance that I’m going to send everything out live and on the internet. I don’t have anything to hide, and that is a really powerful message. I think that Profile is really the future of vendor risk management.

Whistic: How were you managing vendor assessments and questionnaire responses before Whistic?

JB: The truth is we weren’t at all. It was one of the first things I spotted. When I came in, they said they wanted to be SOC and ISO certified in a year. I said, “That’s great. Show me what you’ve done so far.” And we went through some verticals and saw that they’d done some pen testing. And I said, “That’s great. What have you done on vendor risk?” They said, “What do you mean?” And I said, “Where are your assessments?” They showed me the contracts and I said, “Right, but where are your assessments?” And there was nothing. I knew Whistic before, and I recommended them quite a lot of times when I was a consultant, so it was my first go-to point. It’s given us the legs to not only mature but to develop a vendor risk approach which we didn’t have.

Whistic: What are some of the biggest benefits you’ve seen? First from the Vendor Security side and then from the Profile side.

JB: On the vendor security side, I as one person could not have delivered the amount of assessments I’ve done. I assess all of our vendors that are either high risk or have access to confidential data based on our document classification schema, and that ended up being about 89 to 100. I could not do that amount of vendors by myself. I physically couldn’t have completed that effort without Whistic. No question.

Beyond that, on the Profile side, it has significantly reduced the number of questionnaires I’m being sent. I now only get sent questionnaires by the enterprise customers who have massive procurement teams and don’t care what I send them. These companies might look at Whistic, but their procurement is still going to send me the questionnaire. Other than that, questionnaires have basically gone out the window. No one sends them anymore.

Whistic: Have you empowered the sales team to share the Profile?

JB: Yeah. And we’re getting better and better, because I get a notification saying your Profile has been shared with X company, and it’s getting higher and higher in terms of the rapidity and volume. It’s being shared earlier in the sales cycle, but also, more importantly, with more targets than customers. I think it’s more specific to certain salespeople who get it and also those that are more managed service focused, but it’s definitely led to a significant ease in the sales cycle.

Whistic: What would you say to other businesses that are considering Whistic?

JB: I think the security Profile sells itself. In terms of the VRM approach, it’s more a case of what you want to deploy your people to do. In smaller businesses, you can’t take the old school manual approach by yourself and there are other tools that will match Whistic, but you could argue that Whistic is easier to use and therefore more effective.

In businesses that have the resources to be able to already send out and manage the questionnaire process, you can redeploy those people to do better things. There are much better things they can do with their time, because this can be managed by one to two people regardless of how many vendors you’re assessing. It’s no longer a full-time job. That’s the key takeaway. Vendor Risk Management used to be a full


Results

Built a vendor risk management program from scratch

Whistic enabled Bernardes to build a vendor risk management program from the ground up that was both thorough and efficient.

Redeploy resources to other initiatives

Because of the time saved in responding to questionnaire requests, SingleStore was able to focus its security resources on more important tasks.

Virtually eliminated questionnaire requests

Since deploying Whistic Profile, SingleStore has seen the number of questionnaire requests it receives from customers and prospects drop significantly. Now, the only questionnaire requests they see are from large enterprises.
