Ever since the EU General Data Protection Regulation made organizations liable for third parties acting as processors, vendor management has become crucial for organizations that do not wish to face stiff financial penalties. The conversation has since shifted to how vendors should manage “their” vendors.
In order to properly vet vendors, organizations will often send out questionnaires to a prospective third party to learn about its practices. Caroline McCaffery had been working with tech startups for years, and as time went on, she saw a steady increase in the number of questionnaires received by vendors.
In order to help those vendors face the deluge of surveys, McCaffery decided to launch a startup of her own. She is the founder and CEO of ClearOPS, a platform designed to help vendors streamline their responses to all these questionnaires.
“What we have built and are continuing to build is on the response side,” McCaffery said. “There are a lot of companies that are generating security questionnaires to send them out to vendors from the enterprise, but the vendors themselves are getting inundated with questionnaires. They are all custom. They are all different and while there are standard forms, no one is consistently using them. We are focused on that vendor response.”
And streamlining that vendor response can be a significant business imperative.
“I think it is important for us to exist because vendors should not be spending all this time responding to questions. They should be spending that time looking at their controls and improving them,” McCaffery said. “Essentially, it’s a communication problem within companies. The lawyers don’t understand the thing that the information technology people are saying and vice versa. There’s a huge information gap that is occurring and this is a hole that needs to be filled.”
So, here's how it works.
Vendors sign up for a ClearOPS account and create individual profiles for each organization that sends them a questionnaire. The vendor then uploads the document to ClearOPS, which, in turn, populates each question into the tool. As the team answers questions, they can share the survey with internal stakeholders, who can offer their feedback via the tool’s collaborative-notes feature for each inquiry.
After a vendor has completed a few questionnaires, McCaffery said the tool can help streamline future efforts by drawing on previous answers.
“Once they uploaded a questionnaire, we would be able to use a repository of responses from other questionnaires that they have responded to and be able to provide them with prior answers that they can either reuse or update,” McCaffery said. “If they update, it updates into our repository as a new response to a particular question.”
A completed questionnaire can be downloaded in several formats and then sent back to the organization that initiated the survey. For security purposes, McCaffery recommends vendors download the final forms as a PDF file.
ClearOPS has initially been rolled out to “friends and family” as McCaffery described them, adding that her company has received positive feedback so far. She said users have seen a decrease in the amount of time to complete the surveys by about 30 to 40%.
“We know for a fact that an average question takes four minutes to craft a response, and sometimes we are able to crack that down to as little as 30 seconds,” she said.
It has not all been smooth sailing, however, as McCaffery has experienced some growing pains. The most pressing issue has been conveying its importance to investors. She has been told vendor response is better suited as a feature rather than a full-fledged platform; however, she believes that viewpoint comes from those who do not have experience as a third party.
It has certainly not come from a lack of need, as McCaffery found out as she laid the groundwork for her startup.
“I have done a lot of research before I built this company, talking to a lot of people to see if this would be something that people need. As I continued to walk around trying to sell it, we continued to have very positive feedback about people needing it,” McCaffery said. “I think the biggest challenge is that investors don’t understand it. Unless they are in this space, investors are looking at me like I have two heads. They don’t get the problem very easily, so we are working on that part.”
She pointed to smaller organizations that do not have the resources to answer the questionnaires as easily as the entities ClearOPS plans to target. As a small startup itself, ClearOPS has been “bootstrapping,” as McCaffery called it, but this tactic has paid off for her company as it has been able to start hiring additional staff. McCaffery hopes the new hires will allow ClearOPS to “go to market broadly instead of a case-by-case basis” by the first quarter of 2020.
Vendor management is going to continue to be a noteworthy topic as privacy law compliance requirements continue to proliferate. McCaffery believes ClearOPS is positioned to fulfill a need for vendors and hopefully keep everyone’s names out of the headlines the next time there's a major enforcement action.