200+ Vendors, One Platform: CPI Secures Its Global Mission with Panorays

“Why Panorays? Value per dollar. Continuous monitoring, customizable questionnaires and actionable insights”

– Hal Kochiu, CISO, CPI

Meet CPI, the De-escalation Specialists

For over four decades, the Crisis Prevention Institute (CPI) has been the go-to expert in crisis prevention. Since 1980, the organization has trained 17 million professionals – teachers, nurses, security teams, and caregivers – to de-escalate high-stakes situations. From school districts to hospital networks, CPI’s evidence-based methods are the gold standard for keeping people safe.

But behind the scenes, CPI was facing a new kind of challenge: securing its growing network of third-party vendors.

The Post-Pandemic Wake-Up Call

The human services sector was hit hard by the Covid pandemic, with healthcare and education professionals reporting record levels of demand and supply chain disruptions.

Simultaneously, these same organizations were facing a tsunami of cyberattacks targeting critical infrastructure and customer data. In 2023, healthcare data breaches exposed over 133 million sensitive records, affecting nearly 1 in 4 Americans. For CPI, whose clients work directly with vulnerable populations, this was a wake-up call.

The Challenge: Scaling with a Small Team

When Hal Kochiu joined CPI as CISO in 2023, he walked into a security infrastructure that had outgrown its original capacity. “We were racing to onboard vendors who were handling sensitive client data, using simple tools,” he recalls.

CPI’s Path Forward

  1. Gain centralized visibility into third-party cyber risks, compliance posture, and dependencies across 200+ vendors
  2. Unify risk assessment processes with customized, automated evaluations for all vendors
  3. Scale third-party risk management from a small team manually tracking vendors to managing 200+ partners (170 requiring active monitoring)
  4. Establish structured workflows for vendor intake, assessments, and monitoring
  5. Achieve NIST CSF compliance with continuous monitoring

Under Kochiu’s leadership, CPI’s third-party ecosystem had grown to include over 200 partners, with 170 requiring active monitoring. “Imagine having to manually assess 200+ partners, some critical, some nice-to-have,” says Kochiu. “It was unsustainable.”

The final wake-up call came from CPI’s European private equity owners, who required stronger adherence to NIST CSF compliance and third-party risk management. CPI realized it needed to regain control of its vendor security ecosystem.

Finding Panorays: 360° Clarity, 24/7 Control

Panorays was selected shortly before Kochiu joined CPI, and he quickly realized why. As a security veteran with sharp instincts, he noticed it had three key differentiators:

  1. Panorays provided deep, real-time visibility into CPI’s vendor network, stretching to 4th- to nth-parties. For a team building a foundational process for the first time, seeing their real attack surface was a huge jumpstart.
  2. Advanced automation options gave the team the bandwidth to manage 200 vendors and scale without adding headcount. “Our analysts can quickly check a vendor’s security setup during onboarding,” explains Kochiu. “Panorays is so intuitive that even junior team members can use it.”
  3. From a business angle, Kochiu emphasizes that value for dollar was key. “We want to back up every investment and show consistent improvement. With Panorays we get custom questionnaires, automated assessments, and continuous monitoring in one platform. It’s a strong value proposition.”

Results

Fast forward 18 months, and things look very different. Kochiu is happy to report that security assessments that used to take weeks now take a single day.

Panorays’ NIST-aligned questionnaires make compliance a breeze. Even better, with continuous monitoring, the team receives alerts on GDPR, NYDFS, and other regulatory security gaps.

| Before Panorays | After Panorays |
| --- | --- |
| Weeks-long risk assessments | 1-Day risk assessments |
| Limited visibility | Continuous monitoring of 170+ vendors |
| Inconsistent security checks | Structured vendor intake workflow |
| Compliance gaps with NIST CSF | Proactive alignment with NIST CSF and emerging frameworks |
| Disconnected vendor communication | Single source of truth for all vendor security communications |

Kochiu is also excited about how smooth communications have become. The automated vendor outreach process rarely requires escalation:
“Our customer success manager checks in quarterly, but honestly, if we don’t hear anything, that’s good. It means everything’s working as it should.”

Building Trust, at Scale

Leveraging Panorays’ continuous third-party risk monitoring, CPI built a security program that protects its core mission and scales with its growth.

Today, CPI manages its third-party risk network with the same expertise its frontline professionals bring to high-stakes situations. As Kochiu puts it, “cybersecurity isn’t a checkbox. It’s how we protect the people who protect others.”