Leading sales commission software provider Spiff uses both of our solutions, TPRM and Beacon by ThirdPartyTrust, to accelerate third-party risk assessments of their providers while scaling their own security response process as a vendor.
This case study highlights their operational improvements after implementing ThirdPartyTrust and features a video testimonial from Sean Jackson, Director of Information Security at Spiff.
Q: How did you come across ThirdPartyTrust?
I was at another company and a controller who wanted to check our security posture sent me an invite to ThirdPartyTrust. I didn’t know what it was or how to use it, so I sent an email to ThirdPartyTrust and a demo was quickly set up so they could show me the platform.
“As soon as I saw the benefit ThirdPartyTrust was providing to this customer, I realized how it could also help me. I said ‘Finally, someone has fixed this! Someone has made third-party risk assessments an automated process”.
Sean Jackson, Director of Information Security at Spiff
Q: What third party risk assessment challenges were you facing?
I found that every time I was doing questionnaires I was answering the same questions over and over again, and showing the same documents over and over again. Every time someone from Sales had to bring a new customer, I wished we could just give them a package instead of answering to multiple requests for documents.
We had the problem of:
- Controlling the message
- Controlling the exposure of data
- Making sure the security posture was showcased in the best possible light
When I got my new position at Spiff, a startup with sales that are just off the charts, there were so many customers coming in. I was getting a lot of questionnaires and requests for data. We just barely finished our SOC 2 and then we had a pentest, and then we had another pentest…
In my second week I said ‘I know the tool we need’. My boss already knew ThirdPartyTrust and agreed to get it. So I just called and we closed the deal quickly.
Q: How does your security response process look like now ThirdPartyTrust?
After we adopted it I introduced it to the Sales team and started onboarding them. I showed how they could proactively get in front of those security requests by getting the NDA signed and then inviting the customers to ThirdPartyTrust.
It’s super easy for the customers. They click the link in the email we send, they sign up, and immediately can see our entire profile. If they have any questions they can contact me directly – one security guy to another security guy.
It’s not Marketing talking to Sales talking to Security. It’s their security person checking with me about compliance, GDPR, CCPA… We run through our security standards and it’s all done. It actually speeds up the sales cycle, as Sales is no longer waiting to know when I’m gonna get to the questionnaire. It all happens behind the scenes, and it’s FAST.
Q: How about the process for assessing your third-parties as an enterprise?
When I evaluate my vendors, I am able to determine the requirements for each type of relationship. If they’re a data controller for CCPA and GDPR, I know I need to see their insurances, policies, pentests, questionnaires… If they’re handling credit cards, I set the tag of “PCI vendor”, and I know I need to see their PCI compliance, pentest, and insurance; I don’t need their ISO, but I do need their SOC. And so on.
What’s beautiful is that if they’re also ThirdPartyTrust customers with a Beacon security profile, I set the requirements and they go “check check check”, as they have it all in there. Their job is done and my job is done just like that.
I always tell people “Go sign up to ThirdPartyTrust. It makes it easier for you and me”.
Q: How much faster is the assessment turnaround?
Before having the Beacon profile I would have to manually answer 15 assessments a month, but it’s only 1 a month now. By giving customers access to our security profile, they find most of the questions are already answered and our SIG Core, SIG Lite and other documents are also there. Their compliance needs are satisfied by what they see in ThirdPartyTrust, so I rarely need to intervene.
“Since I would spend an average of 3 hours on each, it’s roughly 45 hours a month versus 3 hours a month now. We’re talking 95%+ saved hours that I was able to relocate to IT: putting down fires, doing policy reviews, forensic investigations, troubleshooting, integration management, etc.”
As for assessing our vendors, depending on their size and how mature their security department is, it can go anywhere from 1 month to 3 months. Using this platform has significantly reduced the amount of emailing back and forth and manual effort.
Learn more about our two-sided platform for enterprises and vendors
Q: What are your favorite features of ThirdPartyTrust?
Pushing my security data to a customer and getting security data from a vendor when things are updated (such as a new SOC report, pentest, etc.). It works flawlessly both ways.
I like that I can easily showcase my security posture as a third-party to someone else, and see that of my third-parties.The notifications are amazing. I get a heads up when a vendor’s pentest is up to 1 year, and if they don’t proactively update it, I send them a message asking for a new one. Once it’s there, I can check that off for the year. This shows who is taking security seriously.
I do the same for the customers looking at us. I am proactive so when I upload a new pentest, SOC report or insurance, I want them to know we’re staying current.
Q: Why should other organizations choose ThirdPartyTrust?
I can think of a few reasons:
- It solves the rinse and repeat problem with GRC
- It makes third-party risk assessments almost painless, as you don’t have to hunt for the information – it’s just there for you
- It makes our customers’ assessments easier
- It works flawlessly to push and pull security data both ways
- It’s a network that will keep growing to have more vendor profiles to accelerate assessments
Learn how ThirdPartyTrust can help you streamline your vendor risk assessments and/or security response process:
