Mattress Firm is America’s largest specialty mattress store, with more than 2,400 neighborhood stores in 49 states.
Brad Hollingsworth is the Senior Director of Cybersecurity at Mattress Firm. Brad is focused on administering and enforcing the organization’s Information Security Program.
Dan Cuellar is the Senior Manager - Cyber Risk & ITS Compliance. Dan is responsible for ensuring Mattress Firm’s policies and procedures comply with regulatory requirements.
Joyce Earvin is Mattress Firm’s Cyber Vendor Risk Analyst. Joyce is responsible for performing due diligence on vendors during onboarding and throughout the lifecycle.
As a retail operator, Mattress Firm processes thousands of customer transactions daily via third-party solutions. Accordingly, Vendor Risk Management (VRM) quickly became a priority for Mattress Firm, and the need to implement a more robust VRM program became apparent.
The team wanted to ensure they could effectively mitigate and monitor third-party risks affecting the organization.
They recognized an opportunity to perform due diligence more consistently throughout the vendor lifecycle. Before UpGuard, Mattress Firm’s vendor risk assessment process was “heavily weighted toward the onboarding side,” said Brad.
Their existing process also relied heavily on “an informal risk ranking.” They determined each vendor’s level of criticality by its potential effect on the organization’s regulatory compliance.
“If they had a potential accounting impact, then we would insist on a SOC 1, Type 2 or SOC 2, Type 2. If they did not have an accounting impact, we had a phone call or sent a questionnaire.”
Vendor documentation is just one way to assess a potential vendor’s level of risk, and it quickly becomes dated. The onboarding process is also frequently delayed by pending vendor responses. The team needed real-time risk insights for a clearer picture of Mattress Firm’s third-party risk exposure.
With new cybersecurity risks emerging rapidly, remaining up to date with the latest threats and vulnerabilities is critical. The team also needed a more effective way to track how their vendors’ security postures changed over time to ensure Mattress Firm’s sensitive data remained protected.
To achieve this level of visibility, Mattress Firm needed a solution to continuously monitor for security risks affecting the organization and its vendors.
Brad and his team tried several solutions to help them establish a more comprehensive VRM program that could continuously monitor Mattress Firm’s security posture. They decided that the UpGuard platform offered the most appropriate balance of risk insights and alerts.
“UpGuard sits in that sweet spot of signal-to-noise ratio”
Dan said using UpGuard Vendor Risk to continuously monitor vendors is the “primary reason” he uses the platform. He can quickly identify critical third-party security risks impacting the organization’s regulatory compliance.
Joyce leverages the Vendor Risk solution to help find, monitor, and assess security risks affecting Mattress Firm and its vendors. The platform allows her to compare vendors against industry benchmarks to track their performance over time.
“When I add a new vendor in UpGuard, I see what their ratings look like and download the report to keep as a baseline. I can also identify any outstanding remediation issues on existing vendors and make sure they’re resolved.”
Joyce regularly uses UpGuard BreachSight to continuously monitor Mattress Firm’s security posture. The platform instantly identifies any security risks affecting the organization and automatically assigns a criticality rating.
“I send out remediation requests for anything flagged as critical.”
With UpGuard, the team can perform due diligence more effectively throughout the vendor lifecycle. The platform’s real-time risk alerting and on-demand scanning allow them to conduct point-in-time assessments and maintain a more adaptable VRM program.
“When it comes to monitoring vendors, UpGuard is our chosen platform.”
Leveraging the UpGuard Incidents & Alerts newsfeed, Joyce filters through the latest global security updates to quickly identify any data breaches affecting Mattress Firm’s vendors.
By monitoring the news more efficiently, Joyce can respond faster in the event of a third-party data breach.
“I look at the newsfeed to see if any companies we do business with have had a cybersecurity incident.”
Joyce said using UpGuard streamlines the vendor risk remediation process. She can provide vendors with specific insights into their security issues by drilling into identified risks in the platform.
“I take a deep dive into the technical features to help the vendor when I send a remediation request.”
UpGuard helps the team maintain ongoing visibility into Mattress Firm’s third-party risk exposure to help establish a complete picture of the organization’s security posture.
“We definitely have more visibility with UpGuard.”
Cyber Vendor Risk Analyst, Mattress Firm