Cybersecurity Risk Management | Live Panel with Built Technologies
Built Technologies is a unicorn based in Nashville, Tennessee, United States, supporting construction finance management through SaaS solutions.
Being in the FinTech space, the company’s primary security focus is protecting its customers' data - a complex challenge given that Built also supports financial institutions.
Richard (Russ) Russel, Director of Information Security, and Adam Vanscoy, Senior Security Analyst, are members of the Built Technologies security team.
Russ is focused on building the security program and policies to support Built’s rapid growth.
Adam is involved in managing Built’s third-party security risk management and vulnerability management programs, both internally and externally.
Built’s rapid expansion means the company is continuously onboarding new third-party services to maintain operational efficiency. To ensure best security practices throughout this effort, the company decided to evaluate its procurement processes, focusing on vendor security assessments.
The security team started looking for tools to help manage the potential attack landscape of their supply chain. They looked at UpGuard, along with the other solutions out there. Ultimately, they felt that UpGuard was the best fit due to its holistic vendor risk management capabilities, ease of use, and pricing.
During the implementation of UpGuard’s Vendor Risk solution, Built’s Chief Revenue Officer presented Russ with an additional challenge: concern about the company’s revenue cycle, because customers’ due diligence packages repeatedly asked the same security questions.
UpGuard helped Built address this concern. Thanks to UpGuard, Built’s security team can now instantly provide annual SOC reports, pre-filled SIG lite, SIG full, or any other security documents frequently requested during the sales process, without straining the company’s bottom line.
Adam and the team conduct a holistic review of each current and prospective vendor with UpGuard. In addition to the risks surfaced through UpGuard’s continuous scanning solution, the team also adds its own insights through the platform’s additional evidence feature. This could include personal notes or security documents supplied by vendors.
The team typically begins its third-party risk management efforts by using UpGuard’s Vendor Tiering feature - a process that categorizes vendors based on their level of security risk.
This helps the team understand which risk assessment is required for each third-party vendor. Russ and the team utilize UpGuard's built-in fourth-party analysis feature to further drill down into the fourth-party attack surface. This allows them to learn which solutions each of their third-party vendors uses, information that helps them contextualize their risk assessment processes.
This level of analysis is critical because there's a high degree of trust that has to be placed in the third-party vendor’s security practices.
Our vendor security risk assessments are now a well-oiled machine from where we started using UpGuard. - Adam
Thanks to UpGuard’s rapid notification system, Built can now instantly address security rating dips that could negatively impact its security posture.
UpGuard is phenomenal. We’re required to do an annual internal review of all third-party vendors. We have an ongoing continuous review with UpGuard through its automated scanning and security scoring system. - Russ
Initially, Built was planning to primarily use UpGuard to monitor its supply chain's expanding attack surface. Still, after experiencing all of UpGuard’s features, the team pursued an additional security project.
Inspired by UpGuard’s shared profile feature, Adam and the team created an information-rich web page describing Built’s security practices. It can be viewed by visiting getbuilt.com/security.
The web page includes some decent high-level information, but when you scroll down to the bottom, you also have the option to request more detailed information hosted on our shared UpGuard profile. This is where we host all of the information we used to have to manually provide our business folks and client services. - Adam
Built has noticed some of its vendors also using their dedicated shared profiles to publicize their security efforts.
The security team at Built took a phased approach to the number of vendors it reviewed. At their scale, Built found that the additional time and effort it took to make continuous vendor monitoring work with UpGuard was minimal.
UpGuard has helped Built’s security team automate assessments, improving process efficiency and giving it deep cyber risk visibility across its attack surfaces.
We now have a lot more visibility to what we couldn't see before, which is excellent. - Adam
UpGuard provides Built’s security team with a snapshot of each vendor’s security posture. They can then share the findings from risk assessments or automated scans with each vendor being analyzed. Built has seen some great responses from vendors unaware of their security posture.
We've had vendors thank us for the information we provide them due to assessments done using UpGuard, which was a bit shocking to us. I've never been thanked for assessing somebody. I don't know if I've ever thanked someone for evaluating me, but it's because we provide executive summary reports to vendors, which are almost like a free assessment for them. - Adam
Russ mentioned that while most companies and security teams won’t consider putting their security score on their website, Built CEO Chase Gilbert was very supportive of the security page initiative as a way to build credibility in the eyes of their customers.
When a financial institution contacts us to do business, we say, here you go, just request access. And here's everything that your security, risk, and/or compliance team needs to assess Built from a security posture perspective. So a client can start their review processes in the background while all of its stakeholders decide if they’ll partner with us. This has significantly reduced the sales cycle for everyone. Everyone loves this, and it's been a great partnership with UpGuard. - Russ