Trust is a fundamental requirement for any healthy relationship. In romance, friendship, and business, trust is a safeguard, a litmus test for anticipating how much you could be harmed by the other party. The more trustworthy a person, the less likely they will harm you through deception or deceit. In a business context, knowing the level of trustworthiness of your connections (partner, vendor, etc) isn’t just about peace of mind: it’s often a regulatory requirement and a critical part of maintaining SOC 2 and or other certifications. More and more, trust and security are becoming interrelated and, given the fact that some estimates put the average number of cloud providers per company above 1,000, that’s a lot of risk to be managed and mitigated.

The traditional way of assessing the trustworthiness of a potential vendor is by issuing a vendor security review. Some would argue that these reviews are less a question of “can we work with this vendor” and more a question of “what’s the level of risk that this vendor will introduce, and how can we mitigate it.” This is a great article from Daniel Meissler on the topic. Vendor security reviews are a critical way to assess the risk that a potential vendor introduces, and determine if it’s acceptable to the business (and, how to mitigate if and when possible). So, yes, these reviews are necessary. However, they are also monotonous, redundant, and very inefficient. 

Source. At Conveyor, we're focused on helping organizations reach the intersection of Vendor Security 1.0 and 2.0 and achieve instant, frictionless, accurate security reviews.

At Conveyor, we understand that establishing trust in the vendor-customer relationship is non-negotiable, but we also believe that the current ways of doing it are inefficient and not built to scale. For fast-growing companies who are onboarding new vendors regularly, spending dozens of hours Google searching, requesting and reviewing SOC 2 reports, and reviewing security pages will quickly result in either a slower time to market, or an incomplete security review. Neither is an option in the competitive SaaS space.

Conveyor’s platform exists to help organizations spend less time on security reviews, but without sacrificing quality. Our Vendor Network is a directory of hundreds of Vendor Trust Reports on top SaaS providers that give you a “cheat sheet” of that vendor’s security practices and a roadmap to learn more about the specifics. No more endless Google searches, digging through marketing websites to find security pages, or waiting on a vendor to respond to your email. Now you can access hundreds of profiles in one spot, and get the low-down on their security practices. Like a TL;DR for security postures. Our Vendor Trust Reports consolidate answers to a number of Trust Indicators such as:

  1. Do they have a current SOC 2 Type II and how do you get a copy?
  2. How do they encrypt data at-rest and in-transit?
  3. Do they complete regular penetration testing?
  4. Where is their application hosted?

A screenshot of one of our Vendor Trust Reports. You can see an overall rating of the organization's security maturity, and then drill down into more detail on their Trust Indicators and how we rank them.

The ultimate goal of these reports is to provide transparency into the security posture of these companies (all of the data presented is based on publicly available information) so you can determine early on if a full vendor security review is even necessary. If further information is needed, the reports direct you to the appropriate spot to request more information. You can add vendors to your Workspace, allowing you to track all your vendors in one spot & subscribe to any updates to their report. 

Conveyor helps organizations achieve fast, frictionless, accurate security reviews by improving transparency between vendors and clients, and simplifying the responsibility of sharing security information. Be sure to check out our Vendor Directory, and if you want to start managing all your vendors with Conveyor, you can sign up for a free Vendor Management account today.