We use more software at work than ever before, which has had a massive positive impact on companies working toward ambitious goals. Easy access to a suite of digital tools has helped teams stay connected, build products faster, and grow more efficiently. We are also trying to buy software faster than ever before. And with this speed, the number of vendors we use will only continue to grow.
But there’s a dark side to this proliferation of software.
A recent survey of 1,200 security leaders estimates that nearly half of organizations have suffered a data breach in the past two years. Earlier this year Mailchimp announced that attackers used its internal customer support tools to gain access to hundreds of customer accounts and export audience data. Even security companies are not immune: password manager LastPass was breached when attackers gained access to its development environment. HyperComply is here to tackle this dark side without slowing down the flow of buying and selling software.
Each time you integrate another vendor into your workflow, you extend your attack surface to that vendor: their breach becomes your breach for whatever data you have shared with them. Larger companies have the people, processes, and technology to address this growing risk. But non-public companies, especially early and growth stage startups, are left extremely vulnerable. Even a 30-person startup like ours has 50+ vendors.
Additionally, purchasing decisions are increasingly made by individuals within an organization without the security or procurement teams even knowing about it, if there are security or procurement teams at all.
Many companies publicly showcase their SOC 2 reports, which means an independent auditor has examined the company's controls against the AICPA Trust Services Criteria (a Type II report also covers whether those controls operated effectively over a review period). Buyers and sellers are getting more sophisticated in automating their security programs with Vanta and Drata, which have made it 10X cheaper and faster to obtain a SOC 2 report. But a SOC 2 report only covers the systems and criteria the company chose to put in scope, so having one doesn't mean a product is safe to use.
There are two key limitations of SOC 2:
While software is able to streamline the initial SOC 2 compliance process, most technology does not automate due diligence, leaving the burden of this process on your company. We're also seeing companies streamline the commercial and legal components of these transactions with procurement and contract products like Vendr and Ironclad. But these don’t solve the true risk assessment problem either.
When it comes to communicating security and compliance posture between two organizations, the process is fundamentally broken and relies upon static assessments.
As of today, a company considering a software purchase sends a security questionnaire to the vendor's Sales team as part of due diligence. These are sent in all different formats and resemble a traditional RFP, but are focused entirely on security. This is the de facto risk assessment method, and it's clearly a little dated.
We’ve made progress toward our vision (more on the vision shortly) by helping companies respond to security questionnaires faster. HyperComply automates security questionnaire responses with machine learning, and ensures accuracy with dedicated security specialists.
We’ve saved companies like Alloy, Fullstory, Heap, Salesloft, and Affinity tens of thousands of hours responding to these questionnaires. Sales teams love HyperComply because they can shorten sales cycles without having to wrangle a bunch of people internally to close the deal. Security teams love HyperComply too, since they can spend time focusing on actual high-value security work, rather than answering repetitive questions. And companies purchasing software love HyperComply because they get clearly formatted questionnaire responses and can onboard the tools they need faster.
But this is only the start…
Today, we serve Sales teams on the vendor side and Procurement and Security teams on the purchaser side. We’ve been helping Sales teams for more than 3 years and our product for Procurement teams launched today. Companies using HyperComply are verifying and maintaining compliance in a fraction of the time. Our customers spend just 34 minutes on average completing questionnaires compared with days of effort using manual processes.
While we help you automate and accelerate the security questionnaire process today, our goal is to remove the need for questionnaires entirely. The status quo is a convoluted means to the simple end goal of building trust between companies. Our vision is to build this missing trust layer.
Companies should be able to assess risk in a single click, instantly seeing whether another company meets security and compliance requirements. HyperComply will become this source of truth for third party risk management, enabling companies to quickly and effectively digest SOC 2, HIPAA, PCI, and other compliance information. And just like that, no more questionnaires, just instant answers when you need them.
But more than point-in-time assessments, companies need the ability to manage their risk on an ongoing basis. Even small companies set up rigorous automated testing for their codebase to ensure continuous code quality, yet this level of scrutiny isn’t available for the many vendors a company shares data with. Through HyperComply, companies will finally have access to real continuous monitoring across all the tools their team uses.
We are moving quickly towards this vision. If you need help assessing security, we’d love to help you conduct due diligence and manage third-party risk. If you are drowning in security assessments, we’d love to help you respond faster and more effectively.
Security threats will always be on the horizon for companies doing business online. We can’t stop hackers from hacking, but we can prevent companies from becoming more and more vulnerable to data breaches with every vendor they bring on.