Manual Approach to Third-Party Security Risk Management Created Process Inefficiencies and Limited Scale
As a law firm, Taylor Rose is well-accustomed to being audited. But preparing for an audit is far different than preparing to run audits, continuously and at scale. With a manual approach to vetting, evaluating, and monitoring third-party vendors and partners, the UK-based multidisciplinary law firm found it difficult to scale up its third-party risk management program. “There was little control over who was allowed in — no real assurance,” said Adrian Thompson, who now serves as CISO at Taylor Rose. According to Thompson, it was difficult to enforce security standards when the need arose to integrate a new third-party supplier.
“They did their financial checks and the standard business checks, but nobody was thinking about security checks,” he said. “Unless our third parties have the correct controls in place and their security is as tight as ours, then [our internal security efforts] are all for nothing.”
Thompson, who served as Head of IT at the time, performed third-party security checks manually, using spreadsheets, emails, and Google Drive. However, this approach was not sustainable or comprehensive enough.
These process-related challenges were compounded by Taylor Rose’s recent growth. The company has expanded after multiple mergers and acquisitions, with more deals on the horizon. Currently, Taylor Rose has 38 offices, with about 2,000 users. Each time the firm acquires another company, any vendors that remain in the supply chain pose new security gaps.
After the supply chain attack on SolarWinds, it became obvious that the firm had to make third-party security risk management a greater priority.
“Once it became clear the attack surface had changed from targeting single businesses to attacking hundreds in one go through the supply chain, business leaders started to look for some assurance,” said Thompson.
The firm needed a solution that could automate and streamline the evaluation, monitoring, auditing, and communication with vendors. Fortunately, Taylor Rose’s motto is “Smart Modern Law,” and the board embraces improving how the firm works with technology. After the board approved his proposal to adopt a third-party risk management solution, it was Thompson’s job to find the right platform.
Automated, Comprehensive and Streamlined Security Vendor Risk Program
In late 2021, Taylor Rose selected Panorays to gain visibility on its current suppliers, develop a system of due diligence for assessing new potential vendors and gain the assurance of ongoing security risk monitoring.
After viewing a demo, Thompson said it was clear the platform was intuitive, easy to use, and comprehensive.
“It ticked all of our boxes,” he said. As a result, Taylor Rose didn’t pursue other solutions. The firm determined Panorays would be able to fulfill its needs for:
- Automation to increase efficiency and scalability: Instead of wasting time on a manual approach, Panorays provides automated, dynamic security questionnaires with external attack surface assessments and business context to rapidly deliver an accurate view of third-party and fourth-party cyber risk.
- Comprehensive yet non-disruptive monitoring: Panorays non-intrusively evaluates the attack surface of Taylor Rose’s vendors by performing hundreds of tests, such as collecting information on exposed assets or checking for missing security best practices.
- Centralized communication and record-keeping: Instead of manually tracking hundreds of emails, spreadsheets, and assessments, Panorays enables streamlined, in-platform engagement. It eliminates the friction between Taylor Rose and its suppliers by centralizing questionnaires, communication and remediation within the platform.
- Accelerating the ISO 27001 accreditation process: Panorays’ automated security questionnaires are easy to customize according to an organization’s needs. Among other priorities, Taylor Rose used this customization feature to ensure its questionnaires evaluate against ISO 27001 standards. Organizations aiming for ISO 27001 accreditation can upload their own proprietary questionnaires to the Panorays platform or use standard questionnaires, such as the SIG. The firm took advantage of the SIG Upload feature, which accelerates the third-party security component of ISO 27001 accreditation by automating that portion of the process. This feature lets suppliers upload their own completed SIG questionnaires, which are automatically scored on the platform. Suppliers gain more flexibility while the time and resources required to fill out questionnaires manually are reduced. As a result, assessing third-party security for ISO 27001 became a much simpler and more efficient process for Taylor Rose.
According to Thompson, onboarding was “a breeze… because the product is so intuitive.” Getting acclimated to the Panorays system and dashboard was simple, straightforward and fast.
Unprecedented Clarity, Organization, and Confidence Managing Third-Party Security
In the year since implementing Panorays, Taylor Rose has onboarded about 25 vendors to the platform, focusing on those that have some level of access to its systems or data and therefore present risk.
According to Thompson, the ability to centralize and streamline communication and provide a trackable source of records has made it far easier to ensure security standards with business stakeholders and communicate with vendors. Moreover, automating key aspects of the vendor security assessment process — such as questionnaires and ongoing monitoring — has generated unprecedented efficiency.
Prior to implementing Panorays, it took more than eight hours to assess cyber risk for a single vendor. Utilizing the platform, Taylor Rose reduced that time to under two hours.
The shift from a manual approach to third-party risk management to an automated, comprehensive third-party security solution has been a game-changer for Taylor Rose. Now, the law firm has complete visibility of its security posture, and can easily manage a growing list of third-party partners and vendors. In addition to gaining the peace of mind that the firm’s vendor security is now being comprehensively managed, the enhanced efficiency, visibility, ease of use, and freed-up time have become invaluable benefits.