Josh McIlwain joined Terminus in June 2021 as Senior Director of Information Security, tasked with running the company's security program. As the company worked toward its SOC 2 Type II attestation, getting the vendor management program in order was one of Josh's top responsibilities.
As a one-person team responsible for the entire security program (not just vendor risk management), Josh was looking for a way to get more out of the work he was already doing.
“Questionnaires are probably the worst part of my job. They take a long time to complete; they’re the same questions, just repurposed. The vendor ends up just regurgitating information to questions they’ve already answered in other compliance documentation, and audits they’ve completed throughout the year.”
Josh had several dozen vendors to review: 12 from his subprocessor list, and another 20 to 30 used internally. As a one-person team, he knew he needed a way of assessing vendors that was both fast and thorough.
When Conveyor first pitched their Reviews product to Josh, he was cautiously optimistic. The idea that all he had to do was provide his list of questions and controls that he cared about, and the rest would be done for him, sounded too good to be true.
“There are a lot of vendors out there who assign arbitrary scores and it’s not based on any real data. Or they try to fill in the answers to your questions, but you don’t know where the answer came from. I don’t use vendors like that. I was looking for a vendor that would provide a good solution but also be a true partner, and make me better at my job. That’s what it’s been like, working with Conveyor. Not only is the software great, but it’s the people who care about getting you what you need.”
Of course, in addition to the partnership, the product itself has been a huge help to Josh.
“The hardest part of the vendor review is that initial stage: getting all of the information, having it in one place, and putting it in that succinct, digestible format. That’s what Conveyor does. And, they flag issues that you need to pay attention to, so you can decide what to accept or what you need to go back to the vendor on.”
Using Conveyor, Josh was able to review 17 vendors in 4 hours; previously the same work had taken him about 60. That saved 56 hours of his time, more than a week’s worth of work. But beyond the time savings, the most impactful change has been the depth of the review. Instead of simply answering “yes” or “no” to each question, the software cites the location in the vendor’s documentation from which the answer was sourced, adding another level of thoroughness and verifiability to the review. As the reviewer, Josh can focus on the findings and exceptions, which is where his time is better spent.
Security professionals at high-growth SaaS companies like Terminus are often a team of one or a few. As such, they are often tasked both with conducting vendor security reviews and with responding to customer questionnaires. By leveraging Conveyor’s Customer Trust platform, both vendors and customers benefit from faster, easier security reviews.
“For a small team, it’s extremely important to take that focus away from having to fill out monotonous questionnaires but rather being able to leverage the documentation that’s already out there. Where Conveyor is really hitting the mark is being able to take advantage of the documentation that’s already there.”
Vendor risk management is not a point-in-time exercise. Vendors change: they add new subprocessors, their leadership turns over, or their policies change. A vendor security review should not be treated as a box to tick once and forget. With Conveyor, your connection to a vendor stays intact after the initial security review is completed. You can stay informed of updates to the vendor’s policies and access information more quickly, so vendor security reviews go from being a point-in-time activity to an ongoing, living connection. For Josh, keeping up to date with his highest-risk vendors in this way is central to improving the security posture of Terminus.
“Probably one of the biggest stressors for security professionals is their third party vendors. You’re sharing your data with your vendors. They’re an extension of you. If you’re going to go through the work of improving your security controls, but share your data with vendors who don’t take that same approach? That’s a huge risk to your company.”
“Using Conveyor, there is a time-saving component. But maybe more importantly, the reviews are more thorough. You’re not compromising on the quality of your review. You’re able to compile different artifacts to answer one question. So you’re able to do more from a depth perspective.”
Josh McIlwain, Senior Director of Information Security