Toward the beginning of 2020, an app-based financial services business had plans to ramp up its marketing spend to help drive continued growth for the organization. Along with that would come an influx of new vendors. A single InfoSec employee would be responsible for assessing their security risk before they could be onboarded into the business’s environment. The business had a vendor assessment process in place but knew that if they were going to scale at the expected rate, they would have to change things up slightly.
“We needed a tool that provided us with a more prescriptive, risk-based analysis for each vendor we worked with,” said the Senior Information Security Compliance Manager.
In the past, this employee had built out a spreadsheet questionnaire based on the NIST framework, but he knew it wasn’t going to handle the volume of vendors he was going to assess in the coming year.
In addition, the company had no clear way to track the status of its vendors’ assessments or when they were due for reassessment.
“The spreadsheet was not going to be scalable for us,” he said. “We were going to have to look at a different solution. Something that can provide better tracking for us overall.”
That’s when the business began evaluating vendor management solutions. One thing that was very important to this employee was the ability to integrate with Jira workflows that could help them automate many of the key processes along the way. They wanted a robust reporting engine that would enable them to show executives and investors a big-picture view of the third parties they were working with.
After evaluating a number of potential tools, the business settled on Whistic because it delivered the scalability and open API it was looking for.
The biggest benefit the business has seen right off the bat is the seamless rollout to employees. One of the hardest parts about its old process was collecting information for new vendors. Whistic’s Vendor Intake Form makes it easy to collect all of the necessary information up front.
“If you take the time to craft and develop the intake form, you can eliminate the back and forth, and then the process becomes even more seamless,” said the employee. “As we add additional fields to the intake form, we’re gathering everything we need in one go, meaning I don’t necessarily have to go back to the requestor for additional information.”
The business has also seen an improvement in the amount of time it takes to complete an assessment. Previously, it would take up to a week. Now, that has been whittled down to just two or three days.
The employee attributes that reduction to the type of standard questionnaires available in Whistic. The business utilizes the SIG Lite, which captures much of the necessary security documentation, certifications, and controls. This is especially helpful when it comes time to reassess because of how thorough the first evaluation was. It often isn’t necessary to go into much detail the second time around.
With regard to keeping tabs on all the vendors, the dashboard view inside Whistic gives him ready access to all of the information he needs. Previously, this was a manual, ad hoc process that ate up a lot of his time. And even with all that effort, the employee still didn’t have all of the data he needed.
“Generating reports through Whistic is a major win for us,” said the employee. “When you think of any meeting where there’s an inquiry of what we’re doing with procurement and our spend, being able to automate a report is an important capability. That really takes a lot off of my plate because in the past, I had to manually create all of those different reports.”
A more scalable process streamlines vendor security assessments
Whistic’s robust reporting engine improved the business’s visibility into the breadth and depth of third parties operating in its environment.
Whistic helped the business eliminate spreadsheet questionnaires to deliver a scalable process that reduced the security assessment turnaround time by 40%.
Improved vendor intake process
The business is able to capture all of the data it needs from requestors up front, eliminating the back-and-forth previously needed to gather that information.
Next up for the business will be making the Vendor Catalog more readily available to the broader organization to help create more awareness about what vendors are currently available to use and what vendors have been used in the past.
In addition, the employee will be building out a more robust Security Profile. So far, he has completed one self-assessment and is looking to add more certifications as the business completes its SOC 2 audit in October 2021.