Manual Third-Party Security Management Process
WalkMe was in hyper-growth mode, providing an enterprise-ready solution with the highest security standards to large organizations across diverse verticals, including the financial and health industries. Therefore, WalkMe was looking for a comprehensive way to check the security posture of its many third parties. It was important for the company to exercise due diligence to better understand the cyber risks that third parties might introduce.
“We were looking for a platform or tool that could bring us to the next level so that we could perform deeper analysis and assess even more suppliers,” said Chief Information Security Officer Daniel Chechik.
Continuous Monitoring That Combines the Outside-In with the Inside-Out
Panorays was chosen as an all-in-one solution that combined the “outside-in” exterior scanning of assets with the “inside-out” questionnaire process.
“When I looked at other security rating services, they focused more on the exterior scan and gave scores, but then I needed to go to another supplier who could handle the questionnaires,” he said.
“With Panorays, it’s all one system.”
Panorays’ customized questionnaires also allowed WalkMe to cut down on time spent verifying answers. Previously, the WalkMe security team would often need to email or call suppliers if answers were unclear. With Panorays, all interaction with suppliers takes place on the platform.
“Our goal with the questionnaires was to create questions and answers that would include follow-up questions,” Chechik said. “So if the supplier answers ‘no,’ we can immediately clarify what that entails and what needs to be done to rectify it.”
A Comprehensive View of Supplier Security Posture
Since WalkMe started evaluating its third parties with Panorays, Chechik has noticed a significant improvement in the quality of the assessments.
“With Panorays, we have a more comprehensive view of our suppliers,” he said. “We have a better understanding of who we are dealing with, what are their levels of security and privacy, what permissions they need and what data they use. We can then review all of the data we’ve gathered on suppliers and make an informed decision about how to proceed.”