Our customer is a large Canadian media company with a diverse portfolio of strong brands reaching millions of people globally.
Before 2019, our customer did not have a structured vendor assessment program in place. The security profiles of prospective vendors were evaluated through public documentation, such as the availability of SOC2 reports.
Without a dedicated vendor assessment process, our customer was faced with three major challenges:
- They did not have confidence in the security posture of newly onboarded vendors.
- A lack of ongoing visibility there was meant no way to identify any lapses in security after a vendor was onboarded.
- All vendor risk assessments were managed differently depending on who was assigned the assessment on the security team, resulting in no uniform visibility into the risk assessment status of each vendor.
We spoke to Mark* (not his real name), a security analyst at our customer.
Their security team set out to find a vendor risk management solution to fill the third-party risk security gaps. Three options were trialed by the security team, including UpGuard.
To the security team, it was apparent that UpGuard outperformed its competitors. The primary differentiator was the ease with which information was presented in the UpGuard platform. Unlike the other solutions, UpGuard presented all relevant information in a clean and easy-to-navigate layout. This made the product incredibly intuitive and the third-party risk management process highly efficient, with less time wasted on searching for relevant functions.
“With some of the tools that we looked at, you had to drill down through a dozen or more menus to find the information we required, but with UpGuard, I could instantly understand how to access all of the functions and data we needed,” said Mark*.
Onboarding and implementation
The simplicity of presented information on the UpGuard platform meant that the security team could become adept at using the solution almost instantly. Even the remediation process of discovered vulnerabilities could be mastered without assistance.
“Other solutions would warn me about a vulnerability, but I couldn’t understand how to access more details about it. It was very frustrating. With UpGuard I could easily access more information,” explained Mark*.
Because UpGuard’s functionality was intuitive and predictable, there was little to no need for a formal implementation process. “To be honest, no implementation help was needed from the UpGuard team. During our trial period, we quickly became proficient on the platform, and that naturally transitioned into a daily workflow when we purchased the product,” said Mark*.
An unexpected feature that has now been implemented into our customer’s security program is UpGuard’s ability to identify internal vulnerabilities and manage their remediation processes.
“That has actually been integrated into the core of our vulnerability program. We now produce thorough reports, get them to the internal stakeholders responsible for projects, and then track remediation efforts in real-time through security score changes on UpGuard,” explained Mark*.
“That wasn’t what we were initially shopping for in a tool and it doesn’t directly apply to third-party vendors, but that was an addition that made us say ‘wow, this is awesome!’,” shared Mark*.
On top of the UpGuard BreachSight and Vendor Risk features that have now been implemented into their vulnerability program, the security team has also been leveraging UpGuard’s Identity Breaches engine to further improve their security posture.
“We don’t have control whether employees use their company email to sign up to a web service, but with UpGuard’s Identity Breaches feature, we can see if a staff member has signed up for a service that has suffered a data breach. We can inform the potentially impacted staff members to change their passwords. Our staff appreciates this goodwill gesture, and it keeps us safe from third-party breaches,” explained Mark*.
Custom Questionnaire Builder
At certain times of the year, the security team becomes inundated with vendor assessment requests. To speed up the classification of third-party risks and streamline the assessment workflow, Mark* knew they needed a process to be able to assess how detailed they should assess a vendor.
UpGuard’s Custom Questionnaire Builder has helped our customer customize its vendor assessment process while also managing its internal resources more efficiently.
“We’re creating a custom questionnaire that we call a ‘Gatekeeper Questionnaire.’ We are using this as a first stage questionnaire that asks enough questions to determine whether a more thorough vendor security review is required,” explains Mark*.
After each prospective vendor has completed this ‘Gatekeeper Questionnaire’, Mark* and the team can quickly decide whether they’ve met the company’s security requirements or whether they require a more comprehensive risk assessment from the security team.
“Thanks to UpGuard’s custom questionnaire builder, the custom questionnaire we have created will significantly speed up our vendor assessment process. Many assessments will be reviewed and approved in only half an hour. We’re really excited about that,” shares Mark*.
Results with UpGuard
Since implementing UpGuard, our customer has significantly increased the speed of vendor onboarding. The security posture of prospective vendors can now be evaluated instantly so that more time can be spent on evaluating critical vendors and improving security efforts.
“Occasionally, we’ll get a request from somebody in the business considering a few vendor options. We’ll run these options through with them by utilizing UpGuard to generate a risk report and security rating for these vendors. This helps us instantly eliminate the options with serious security problems.”.
UpGuard has also helped improve our customer’s appeal to their prospective clients that could be evaluating their security posture. “We want our external posture to look as strong as possible too for anybody that’s considering dealing with us and our security score,” said Mark*.
By discovering commonly overlooked vulnerabilities both internally and throughout the vendor network, UpGuard has empowered our customer to continually cultivate its global security posture to further minimize the possibility of data breaches. “This is a tool into the visibility of our security posture that we just didn’t have before,” said Mark*.
*Not their real name
Large Canadian media company