The IT Vendor Risk Management (VRM) market has grown in recent years (and will continue to do so), as organizations have seen the harsh reality of the increased risk inherent in doing business with third-party vendors. Yet, in an increasingly competitive market, SaaS applications help us scale faster, do more with less, and grow the business. So, we onboard more SaaS vendors, which means we conduct more security reviews.
In fact, according to recent research, organizations with over 1,000 employees use, on average, 177 SaaS applications. For anyone who’s responsible for managing IT vendor risk, that is a scary — but unsurprising — statistic. Why? Because each of these vendors needs to have some level of security review, based on their risk profile, and each of those reviews means chasing vendors, getting them to respond to security questionnaires, and then reviewing all of the answers and documentation sent back. It’s tedious, time consuming, and, unfortunately, completely necessary.
And this is just the security and risk part of vendor management. There’s also the financial, legal, and operational components involved in onboarding and managing vendors. This can be slow and cumbersome, especially in larger organizations.
Conveyor is on a mission to make vendor security reviews fast, frictionless, and more cost effective for both vendors and customers alike. With our announcement of a ServiceNow integration, Conveyor’s Vendor Trust platform takes the next step in integrating and improving the overall vendor management process. Our Vendor Trust platform integrates with existing tools and processes to help Enterprise organizations fast-track their vendor security assessments, saving time and money. Through this integration, we’re bringing Security and Procurement teams closer together to manage and reduce third-party risk.
So what are we announcing?
The Conveyor ServiceNow integration allows teams who are using ServiceNow’s Vendor Risk Management module to speed up their vendor assessments by seamlessly sending all relevant information from ServiceNow to Conveyor. Receiving the issues flagged by Conveyor back in ServiceNow allows users to take the most pertinent information Conveyor provides and translate that into next steps in ServiceNow. We help you get to the InfoSec recommendation step of the procurement process much faster (like, 79% faster).
One of the best parts of this integration is its customizable nature. You can create business rules in ServiceNow to dictate at what point you want a vendor to be sent to Conveyor for review. You can also build business rules as to which questions are asked of vendors, based on their risk level. The integration is customizable based on your unique business needs, again helping you get towards fast, easy, accurate security reviews.
Why should you care?
Even for organizations with a procurement / vendor management system set up, security assessments can be a pain-in-the-you-know-what. The time spent chasing vendors to get answers to your questionnaire, collecting the relevant security artifacts (SOC 2s, pen tests, CAIQs and SIGs, etc), and then actually reviewing all that information to map it to your desired controls can take days, sometimes even weeks. What does this mean? Business units are stalled (they can’t onboard the vendors they need), the security team builds up a backlog of reviews (with static or diminishing resources), everyone is frustrated, and precious resources are being spent on menial work.
BUT, with Conveyor handling the initial assessment piece of the procurement process, we do all the work of getting the answers to your security questions, based on the vendor's existing documentation, and highlighting the areas that you need to pay attention to. The information is stored in your system of record, and we get you to the next step of the procurement process much faster (in fact, 79% faster according to current customers).
Most organizations who are using ServiceNow are not interested in replacing their entire procurement process. But, making that process faster and more efficient is a huge benefit. Conveyor’s integration with ServiceNow helps you get more from your existing investment.
TL;DR: If time (and cost) savings are something you care about, then that’s why you should care.
How does it work?
First things first: in order to set up the integration between Conveyor and ServiceNow, you must be using ServiceNow’s Vendor Risk Management module. From there it’s super easy to set up the integration, and we have documentation to walk you through it.
Now, let’s get into what the process of running a vendor review looks like using the integration. There are two scenarios: the first is if the vendor is NOT on the Conveyor network, and the second is if the vendor is on the network as a Rooms user. (This would include companies such as PagerDuty, Datadog, Freshworks, Carta, etc.) Let’s dive into the first workflow.
If the vendor is not on the Conveyor network:
- The review starts from ServiceNow. Let’s say you configured your business rule to send the review to Conveyor when the status is changed from “Responses Received” to “Generating Responses”. As soon as you push the vendor to the “Generating Responses” status within ServiceNow, the Review request gets sent over to Conveyor.
- The system recognizes that there is now work to be done. All of the artifacts collected (SOC 2s, CAIQs, etc) are pushed over to Conveyor, along with your question set (configured during your setup). This is what it looks like in Conveyor:
- This is where the magic happens (and you get to take a break). ConveyorBot will find the answers to your questions from the documentation provided, and will populate the review. Under each answer, we’ll include a citation to where the answer was sourced (with a link) as well as a Recommendation as to what to do with this answer.
- When the questions and answers are ready for you to review (within 72 hours, for vendors not on our network), you just log back into the Reviews tab, click on the vendor, and you’ll see each question with the associated answer & citation. You just have to go through and choose to accept, add a note, flag, or adjust the answer. This is where the huge time savings comes in — the analysis has already been done for you!
- Once you’re done reviewing, just click “Send to VM system”, and all of the answers (and your responses to them) will be sent back to ServiceNow. All of the flagged issues will appear in the Issues Table in ServiceNow.
The second scenario we mentioned (if the vendor is on the Conveyor Network) is essentially exactly the same as the above process, except that you don’t have to collect any documentation from the vendor. Because they’ve already shared all of that information via their Conveyor Room, you just move the vendor (within ServiceNow) to the “Generating Responses” status, and Conveyor will send a request to the vendor to get access to the Room, and start to map the answers to your questions. Everything on Conveyor’s end is the same: we parse the documents, get you the answers, and flag all exceptions / issues. Easy peasy!
How do I get started?
The ServiceNow <> Conveyor integration is available on our Enterprise tier. To learn more about this integration, as well as flexible pricing options, you can contact us directly.
If you want to test out Conveyor’s Vendor Trust platform for free, you can sign up here and kick the tires (click "Vendor Trust" after submitting your email)!