Announcing Our Investment In VISO Trust

Apr 28, 2021

Automating Vendor Security Due Diligence

We’re excited to announce that we led a $3M seed round in VISO Trust, with participation from Sierra Ventures and Lytical Ventures.

VISO Trust fixes the broken and time-intensive process of third party risk management with a platform that optimizes the speed, accuracy, and scalability of vendor due diligence. Their third party lifecycle management solution is created by security professionals and meets customers and vendors where they are.

The Problem

It’s no secret that vendor relationships are crucial to successful enterprise operations. Vendor relationships are growing at a rapid pace that was only expedited by the pandemic and new digital demands. Executives from our corporate network have shared with us that they have anywhere from 700 to 10,000+ vendors involved in their operations at a given time. Along with that, the usage of SaaS is also growing. A recent Okta study found that on average their customers deploy 88 apps, with their larger customers deploying an average of 175 apps.

To support this growth, security teams are tasked with the Herculean effort of onboarding third party solutions quicker than ever, while adequately evaluating their security posture to minimize breach risk and satisfy financial partners and regulators. In a recent Deloitte survey, 84% of respondents said their organization had experienced a third party incident in the last three years.

However, third party risk management is often hampered by:

  • Hours of manual work. The vendor due diligence process is time intensive and involves back and forth review and verification of 300+ question security surveys per vendor.
  • No definitive standard. Questionnaires are often custom per organization, although there are frameworks like Vendor Security Alliance, NIST, ISO, and others. This means security teams design what’s best for their own companies and place the burden on vendors to navigate their way through each questionnaire. This inefficiency adds to the delay and frustration on both ends.
  • Lack of insights. The takeaways from these questionnaires often don’t move the needle in understanding the holistic risk of vendors. Third parties can range in their criticality and impact to the business based on the inherent risk of a process, but typical questionnaires don’t adapt to risk context, and as a result all vendors tend to get put through the same gauntlet.
  • Current solutions don’t scale. Security ratings can provide useful data, but don’t tell a full or accurate story, and cyber audit firms are way too expensive to cover anything more than a fraction of partners. While Governance, Risk, and Compliance (GRC) and privacy related firms have added modules, they are seen as “digital” equivalents of a questionnaire that still require manual effort.

The Product

VISO Trust delivers a platform that allows security teams to onboard, review, and manage the lifecycle of any number of third parties.

At its core, the solution provides:

  • Low friction. VISO Trust is easy to deploy for drop-in due diligence. Third parties can fulfill assessment requests in minutes and leverage source documents and audit reports to accelerate the process.
  • Flexibility. Practitioners use different security questionnaires and standards based on their environment. Document Intelligence and customizable controls and risk models help extract relevant insights from responses that map to areas of risk that the security team cares about.
  • Automation. VISO Trust automates as much as possible to save vendor and reviewer time, so that more time is available for making informed risk decisions. This automation extends beyond onboarding to continuously managing the entire vendor lifecycle.

As a happy customer put it, “VISO Trust has enabled us to bring the security staff time per relationship down from more than 8 hours to only 30 minutes — for us that’s gold.”

The Team

The VISO Trust team saw this problem firsthand as practitioners and knew there was a better way to manage third party risk. As former security leaders at LendingClub, Restoration Hardware, and ASAPP, co-founders Paul and Russ lived on each side of this problem, previously managing thousands of third parties at highly regulated technology companies and spending years building security programs and software to support technology products in use by the Fortune 1000.

We’re excited to see them already delighting customers with their fresh and pragmatic take on the vendor security process. Congratulations to the VISO Trust team!

You can check out more coverage in VentureBeat.
