UpGuard’s customer is one of Australia’s largest superannuation fund managers, and provides superannuation and retirement solutions for all members of the community, including first responders, healthcare workers, and teachers. They have more than 1.1 million customers and $150 billion in funds under management.
The Head of Information Security’s primary responsibilities are managing incident response, detecting and remediating vulnerabilities, assessing third-party vendor risks, conducting penetration and assurance testing, and consulting businesses on security certifications.
Although our customer had been using UpGuard as a security tool for many years, they had used their own internal processes to manage third-party vendors. As part of the procurement process, each vendor was classified based on how they handled the information belonging to the business, with a heavy focus placed on tier one and two vendors. The manual nature of their original internal process was a big challenge: it involved provisioning assessments and sending out questionnaires via email, managing vendor communication to ensure the security questionnaire was completed within the requested timeframes, and evaluating the results. This was a long, resource-intensive process that could last 10-12 weeks.
“Our independent assessment process was very cumbersome and long. The nature of the process made it very resource intensive.”
Even when questionnaires were sent back to our customer from the vendor, in many instances, there was still information missing. This meant that the IT Security team then had to follow up with the vendor multiple times, which also included having to speak to various people within the vendor’s organization. The time spent on conducting vendor risk assessments did not align well with the pressure from the business to deliver at a faster pace.
With hundreds of vendors to manage, the manual process to evaluate third-party risk needed to scale quickly to reduce the onboarding time of new vendors. However, this would require the Head of Information Security to double or triple his team of 4, which was not feasible.
Adding the Third-Party Risk Management Service (TPRMS) to our customer’s existing UpGuard license, to fully manage the third-party vendor risk assessment process, was an easy decision for the Head of Information Security and the team.
“We said let’s pass (the third party risk management process) back to UpGuard, who are the experts in the field. They are able to see the problems faced by the vendor and are able to streamline their processes and toolset as well.”
Using the UpGuard platform, the manual work of the risk assessment function is now outsourced to UpGuard. Our customer uses UpGuard’s managed services, which have not only helped the IT Security team assess the risk of new vendors during onboarding but also helped follow up on the security hygiene of existing vendors.
In addition, UpGuard helped streamline the onboarding process, including risk assessment, third-party outreach, and questionnaire analysis. UpGuard is able to send questionnaires to vendors on behalf of our customer, and follow up with vendors that have not responded. Before any responses are fed back to the IT Security team, UpGuard reviews the responses, along with any other associated documentation, and provides a final report summary that identifies areas where responses may be incomplete or may not align with the questions asked.
This created extra controls for our customer, and all they have to do now is perform final verification and eliminate any possibility of error.
“The excellent customer service is a distinguishing factor of UpGuard. They actively listen to customer feedback to continue building up the platform and improve its features.”
With so many vendors to manage, the UpGuard platform helped our customer quickly pull specific reports related to the vendor, such as their penetration test result, SOC report, or monitoring for any recent data leaks. The Head of Information Security and his team were able to pull that information easily with UpGuard’s centralized repository of all the reports.
“I think UpGuard plays a very large role in terms of third-party risk management. Our clients are getting peace of mind even though the risk in the tech landscape has largely increased.”
From an original turnaround of 10-12 weeks to finish security assessments, UpGuard’s managed services were able to help cut that time down to roughly half, and in many cases, down to less than 5-6 weeks. As soon as our customer identifies a potential vendor and submits a request, UpGuard immediately responds and prepares to send the questionnaire to the vendor within the requested time frame, which in many instances is required to be done by the end of that business day.
“One thing that works really well is UpGuard’s relationship with our vendors. We can depend on them to handle any questions or concerns our vendors have on their security posture.”
In addition, the Head of Information Security values the relationship UpGuard has with their vendors. He can safely depend on UpGuard to ensure the risk assessment process is conducted efficiently and to completion. If a vendor comes back with any questions, UpGuard is able to respond on behalf of our customer, or ensure the correct follow-ups are conducted so that the matter is resolved for the IT Security team.
Another one of the biggest benefits to our customer was UpGuard’s ability to provide business-level security context to the vendors to cut down on time spent during their vendor review process.
The Head of Information Security also noted the quick response times and excellent customer service from UpGuard’s customer success team. The success roadmap not only played a huge role in helping vendors develop their security posture, but also helped build a stronger relationship with the vendors.