When you’re Canada’s second-fastest growing company and a leader in the background screening industry, security is always top of mind. You need to ensure your internal systems and security protocols are compliant as you manage sensitive personal information. You also need an easy way to share these security details with potential clients so that they feel confident with how you’ll manage their employee information.
That’s why Certn, a leading SaaS company that’s revolutionizing background screening and who runs employee background checks for enterprise-scale employers, wanted to streamline its processes and turn compliance and security questionnaires into a valuable business tool.
Moe Serry, Security Team Lead, joined Certn as the second security hire and was tasked with managing everything from obtaining Certn’s SOC 2 report, to managing security questionnaires and overseeing application security, to running security operations, and supporting business teams with security questions and needs.
As Certn’s business grew, Moe and his team found themselves spending more time (and eventually all of their time) overseeing compliance tasks and security questionnaires. After trying the old tools and manual processes, Moe finally found HyperComply and Drata to solve Certn’s security management issues.
On Moe’s first day at Certn, a security questionnaire landed on his desk. The questionnaire was 180 questions long and came from a potential customer in a highly regulated industry, so the topics were very technical and specific. As a new employee, not only was Moe unfamiliar with Certn’s network and data practices, he was also unfamiliar with his new team and didn’t know who to seek out for the answers.
“I was very stressed. It was a questionnaire from a government-regulated body, and they asked all these questions about firewalls and processes I wasn’t aware of yet, so it was overwhelming.”
Moe spent all 40 hours of his first week on the job chasing down engineers, operations, and sales teammates to try and piece together the answers required. By the end of the day on Friday, Moe had completed the questionnaire, but he also realized that this process was completely unscalable, and was slowing down sales conversations with important customers.
“Because security questionnaires were so manual, we had a few near misses on deadlines. We even had to jump on calls with a few clients and had to be very strategic to not lose any customers. You can imagine the stress that that added to the team.”
As Certn grew and attracted more enterprise customers, the volume of questionnaires increased quickly. Moe knew they had reached a breaking point when they were managing four questionnaires per week, and completing these questionnaires had become a full-time job for a security engineer on his team.
Even in cases where all security questions could be answered within a day, there were often a few outstanding questions that required another team’s input, causing the whole questionnaire to be put on pause waiting for a response.
The volume of questionnaires was creating immense pressure for the engineer managing this process, and also starting to slow down her career progression as she got stuck answering the same tedious questions over and over.
After surviving his first week filling out a single security questionnaire, Moe was able to refocus on a priority project he had been hired to tackle: ensuring Certn was ready for an upcoming audit. Certn was hoping to become SOC 2 and ISO 27001 certified to enable them to partner with larger customers, and a formal audit was only a few months away.
While Certn had previously used a compliance automation system, the original tool wasn’t flexible enough to support their growing needs. In order to successfully navigate SOC 2 and ISO 27001 requirements, Certn needed a new tool to help get them through the compliance process smoothly.
Moe knew he had two big problems on his desk with security questionnaires and an upcoming audit, and finding the right tools to solve these would be critical to Certn’s business success. Thankfully, Moe connected with HyperComply and Drata, and realized they could work together seamlessly to help him move forward.
Drata is a security, compliance and risk automation platform that continuously monitors and collects evidence of a company's security controls, while streamlining compliance workflows. Drata has helped many organizations like Certn to achieve and maintain compliance reports faster and easier than ever before.
Certn first identified Drata as a partner they could trust to help them navigate their SOC 2 and ISO 27001 audits. Not only did Drata have the product solution that Certn needed to manage the compliance audit, but they also offered a customer-forward partnership that gave Certn confidence in choosing them as their tool of choice.
“Drata simplified compliance and saved me a lot of time. The Drata platform laid it out clearly and made it easy to identify what had already been completed and what compliance work still needed to be done.”
Now that the audit process was moving forward smoothly, Moe focused on finding a security questionnaire solution to reduce the burden on his team and accelerate sales conversations. Since they had built a trusted relationship with Drata, Moe reached out to them for recommendations on how to automate security questionnaires.
With a strong business partnership and product alignment, Drata naturally recommended that Moe use HyperComply to automate his security questionnaires and ease the burden his team felt.
“With HyperComply and Drata, it’s like a pot found its cover: both sides of security come together into one solution. It makes perfect sense.”
Moe ran an initial pilot with HyperComply to see how effective the automation process was, and he was excited to see that for the very first questionnaire HyperComply was able to auto-complete more than 90% of the questions submitted. Moe knew that the automation would only get better with more questionnaire data, and he was thrilled that the system had provided such a strong result as a starting point.
Beyond completion rates, Moe was also excited by HyperComply’s knowledge management tools. While other tools had restrictive rules about specific file formats and types of data that could be uploaded, HyperComply was able to support all of the security documentation that Moe wanted to use in his knowledge base, and also automatically sync his Drata control information.
By uploading everything from policy documentation to hundreds of previous questionnaires, Moe ensured that HyperComply could build the most robust security knowledge base possible and optimize completion rates for future questionnaires.
“I really like the flexibility that enables you to upload everything from documentation to previous questionnaires. We’ve uploaded all of our policies, our engineering documentation, and over 200 previous security questionnaires.”
With all of their security knowledge centralized in one place, Moe was able to completely hand off the questionnaire process and free up his team’s time. Moe focused his efforts on creating and maintaining a security knowledge base, and trained Certn’s Sales team on how to use HyperComply so they could easily automate incoming questionnaires on their own. Thanks to a user-friendly interface and easy tools, the Sales team now submits questionnaires to HyperComply directly and receives automated responses in as little as two days.
Certn decreased time spent on security questionnaires by 98%, opened up new sales channels, and increased the security team’s availability.
One of Certn’s biggest challenges before HyperComply was the time it took to complete security questionnaires. Moe had to dedicate an entire security engineer on his team full time to completing questionnaires, and coordinating responses from other teams as well.
Moe’s team was previously spending 40 hours per week on security questionnaires. Today, they spend just an hour per week updating their HyperComply knowledge base, and answering new or one-off questions.
Previously, Certn was unable to get a foothold in bigger sales conversations because they didn’t have the compliance minimums needed to attract enterprise customers. Without SOC 2 or ISO 27001 reports, customers in regulated industries weren’t able to consider Certn as a potential vendor.
Thanks to Drata, Certn was able to seamlessly achieve their SOC 2 and ISO 27001 attestations, and can now share this information with prospects through HyperComply. The compliance process was so smooth that Certn is planning for additional certifications such as GDPR through Drata’s platform as their business grows and they see new customer security needs, especially in Europe.
Before HyperComply, Moe’s team was at the mercy of incoming security questionnaires, and never really knew how much time, if any, they’d have to dedicate to other security projects. Since security questionnaires are directly tied to revenue, other initiatives had to be deprioritized to keep customer questionnaires moving forward.
Now that HyperComply automates 90% of Certn’s security questionnaires and can be managed directly by the Sales team, Moe’s team is able to dedicate their efforts to kickstarting security initiatives across the organization. As Moe creates his security team roadmaps for upcoming months, he knows that there won’t be any surprises from a questionnaire coming across his desk.