Leading sales commission software provider Spiff uses both of our solutions, TPRM and Beacon by ThirdPartyTrust, to accelerate third-party risk assessments of their providers while scaling their own security response process as a vendor.
This case study highlights their operational improvements after implementing ThirdPartyTrust and features a video testimonial from Sean Jackson, Director of Information Security at Spiff.
I was at another company and a controller who wanted to check our security posture sent me an invite to ThirdPartyTrust. I didn’t know what it was or how to use it, so I sent an email to ThirdPartyTrust and a demo was quickly set up so they could show me the platform.
“As soon as I saw the benefit ThirdPartyTrust was providing to this customer, I realized how it could also help me. I said ‘Finally, someone has fixed this! Someone has made third-party risk assessments an automated process”.
Sean Jackson, Director of Information Security at Spiff
I found that every time I was doing questionnaires I was answering the same questions over and over again, and showing the same documents over and over again. Every time someone from Sales had to bring a new customer, I wished we could just give them a package instead of answering to multiple requests for documents.
We had the problem of:
When I got my new position at Spiff, a startup with sales that are just off the charts, there were so many customers coming in. I was getting a lot of questionnaires and requests for data. We just barely finished our SOC 2 and then we had a pentest, and then we had another pentest…
In my second week I said ‘I know the tool we need’. My boss already knew ThirdPartyTrust and agreed to get it. So I just called and we closed the deal quickly.
After we adopted it I introduced it to the Sales team and started onboarding them. I showed how they could proactively get in front of those security requests by getting the NDA signed and then inviting the customers to ThirdPartyTrust.
It’s super easy for the customers. They click the link in the email we send, they sign up, and immediately can see our entire profile. If they have any questions they can contact me directly – one security guy to another security guy.
It’s not Marketing talking to Sales talking to Security. It’s their security person checking with me about compliance, GDPR, CCPA… We run through our security standards and it’s all done. It actually speeds up the sales cycle, as Sales is no longer waiting to know when I’m gonna get to the questionnaire. It all happens behind the scenes, and it’s FAST.
When I evaluate my vendors, I am able to determine the requirements for each type of relationship. If they’re a data controller for CCPA and GDPR, I know I need to see their insurances, policies, pentests, questionnaires… If they’re handling credit cards, I set the tag of “PCI vendor”, and I know I need to see their PCI compliance, pentest, and insurance; I don’t need their ISO, but I do need their SOC. And so on.
What’s beautiful is that if they’re also ThirdPartyTrust customers with a Beacon security profile, I set the requirements and they go “check check check”, as they have it all in there. Their job is done and my job is done just like that.
I always tell people “Go sign up to ThirdPartyTrust. It makes it easier for you and me”.
Before having the Beacon profile I would have to manually answer 15 assessments a month, but it’s only 1 a month now. By giving customers access to our security profile, they find most of the questions are already answered and our SIG Core, SIG Lite and other documents are also there. Their compliance needs are satisfied by what they see in ThirdPartyTrust, so I rarely need to intervene.
“Since I would spend an average of 3 hours on each, it’s roughly 45 hours a month versus 3 hours a month now. We’re talking 95%+ saved hours that I was able to relocate to IT: putting down fires, doing policy reviews, forensic investigations, troubleshooting, integration management, etc.”
As for assessing our vendors, depending on their size and how mature their security department is, it can go anywhere from 1 month to 3 months. Using this platform has significantly reduced the amount of emailing back and forth and manual effort.
Learn more about our two-sided platform for enterprises and vendors
Pushing my security data to a customer and getting security data from a vendor when things are updated (such as a new SOC report, pentest, etc.). It works flawlessly both ways.
I like that I can easily showcase my security posture as a third-party to someone else, and see that of my third-parties.The notifications are amazing. I get a heads up when a vendor’s pentest is up to 1 year, and if they don’t proactively update it, I send them a message asking for a new one. Once it’s there, I can check that off for the year. This shows who is taking security seriously.
I do the same for the customers looking at us. I am proactive so when I upload a new pentest, SOC report or insurance, I want them to know we’re staying current.
I can think of a few reasons:
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |