Pollinate is a software business focused on reinventing merchant acquiring for banks around the world. The business is based in London, UK, and is formed of experts and global industry leaders from the financial services, merchant acquiring, loyalty and technology sectors.
Third-party risk management is an important consideration for any financial services CISO, and Jim Hart, CISO at Pollinate, is no different. Jim, along with Vaida Maxsims, Procurement Director at Pollinate, owns the entire vendor lifecycle from onboarding and due diligence to ongoing monitoring and offboarding.
In 2019, Jim and Vaida knew it was time to start looking for a solution to help them save time and money while ensuring the ongoing improvement of their security posture as well as their vendors’.
Jim and Vaida were spending a lot of time conducting vendor due diligence when onboarding new vendors, and they wanted to streamline the manual process. Their previous process included manually investigating each vendor by doing research, understanding the supplier’s processes by reading their privacy policies, and searching for any evidence of previous security breaches. “The process we had was manual and rather hand-cranked; none of the findings we had were definitive either, since it relied on our manual processes,” said Jim.
They also wanted a solution that could provide them with more holistic and thorough information on their vendors. “Vendors don’t always want to fill in hundreds of pages of questionnaires,” said Jim. “We were looking at solutions that were able to provide a quick scan to see if there are any issues with a particular vendor, while still checking for all the security categories that we are concerned with.” Speed-wise, they wanted an instant scan that enabled the broader Pollinate team to work with the vendor as fast as possible.
In addition, Pollinate wanted the ability to continuously monitor their vendors to get a sense of their vendors’ security posture over time, so that their lean team did not need to manually monitor all their vendors.
Vaida was tasked with improving the vendor due diligence process and looked at a number of vendors including UpGuard. The important considerations to Vaida and the team were:
- the ability to do an instant scan to speed up the vendor due diligence process
- a solution that could continuously monitor vendors over time
- reports that are auditable and a platform where they can provide evidence to their other stakeholders
Vaida looked at a few solutions and when she found UpGuard’s website, she reached out to the team for a trial of the UpGuard platform. Throughout the trial process, Vaida and Jim saw UpGuard was able to fulfill their requirements and ticked all their boxes, performing the best among the solutions that they looked at.
Being in financial services, Pollinate works with a number of financial institutions vendors. According to Jim, it is important to have the ability to audit and have records of the due diligence conducted with all their vendors. UpGuard shows them the historical records of their vendors’ security score and lets them track all their security questionnaires in one place. Now they can confidently tell new partners and customers that they have conducted due diligence on all their vendors.
Apart from the challenges listed above, other important considerations for Jim and Vaida were the number of security checks that the solution reported on, as well as the ability to send questionnaires and drive remediation from within the platform.
With UpGuard, Pollinate is able to speed up vendor due diligence by conducting an instant scan whenever they onboard a vendor, allowing all parts of the business to move faster and with more confidence. “We tend to only work with vendors with an A or B UpGuard security rating, and if they are below that, that is when we will send the report to the vendor to remediate certain security findings,” said Vaida.
Jim and Vaida are now able to easily monitor the security posture of their vendors with UpGuard. “We have set up notifications with UpGuard, such that if a vendor drops by 5 points, we reach out to the vendor in order to fix those security issues,” said Vaida. “These are usually issues such as SSL certificates expiring or DNS issues,” added Vaida.
Jim gave an example of one of their vendors with a score drop. With UpGuard, Jim spotted that the score drop was because the vendor was still hosting a website for a customer that they thought they had taken down. Jim was able to notify them of this, helping them decommission the website.
Pollinate has also set up a notification for when a vendor drops below a certain score. “If a vendor score drops below 600, we know there is a security issue with that vendor and we work with them to remediate that,” noted Jim. Jim noted that they usually give these vendors a reasonable timeframe to fix these security issues; otherwise, Pollinate will stop doing business with them.
Pollinate recently renewed with UpGuard on the Starter plan, allowing them to monitor the increasing number of vendors as they grow while ensuring that they manage their vendor risk.