BARR Advisory streamlines questionnaire responses and reduces friction with Whistic
Introduction
BARR Advisory’s mission is to help create a more secure world by simplifying the path to security for its customers, consisting mostly of technology and cloud service providers.
“We try to take out all of the complexity and heartburn that comes with compliance and security,” said Mitch Evans, Director, CISO Advisory at BARR Advisory. “Making it easier for our clients to have both a secure environment while also complying with any regulations or customer requirements they may have.”
What sets BARR Advisory apart from its competitors is its adaptability and agility. They’re focused on meeting their clients’ needs and requirements and are willing to change their practices to accomplish that.
BARR Advisory essentially acts as a virtual CISO for its clients—gap assessments, policy documentation, procedure documentation, and responding to security questionnaires, among other things. “We’re a go-to resource for any questions related to information security and compliance,” said Evans.
With all of those responsibilities, Evans and his team are always looking for ways to be more efficient with their time. One area where they would often get bogged down is responding to security and compliance questionnaires on behalf of their clients.
Problem
A tedious and repetitive process
One of Evans’ clients, an SMB SaaS provider, receives, on average, about five security questionnaires per week, and many of the questionnaires take at least two hours. This work was tedious and repetitive. “It was at the point where I was spending more than half of my time that I have dedicated to this client on questionnaires,” related Evans.
This was also causing difficulty for the client because once BARR Advisory received the questionnaire, they had an SLA in place to complete it within five days, which could extend the sales cycle by up to a week.
In addition to answering those questions, the client would receive requests for things like security policies, procedures, and penetration tests. “It was just too much to handle,” said Evans.
“We needed something that was more centralized and a little easier to manage.” Evans wanted to find a solution that would streamline the process for handling questionnaires and provide transparency and more visibility into the process. He found that with Whistic.
Solution
BARR Advisory is currently using Whistic Profile to centralize the management of security questionnaires, shorten the sales cycle, and answer customer questions more quickly.
“We really liked the proactive nature of Whistic where you’re not necessarily sitting there waiting for a questionnaire request all the time,” said Evans. “It’s more like social media where you’re publishing your details and then people can come look at it when they need it.”
Evans has created multiple Whistic Profiles for his clients based on the standard questionnaires and has created both public-facing versions and private versions that require an NDA, depending on which information is required. The private profile includes the client’s policies, procedures, penetration test, and SOC 2 report, while the public-facing profile only includes the SOC 3 report and security whitepaper.
Additionally, BARR Advisory has trained its client’s sales team on how to request a Whistic Profile, which has eliminated many of the delays typically associated with responding to questionnaires, as most are accepted with little to no follow-up required.
“Previously, it would take us up to five days to respond to a security questionnaire,” stated Evans. “But now with Whistic, we’re able to turn around 80% of those requests in less than one day.”
With all that time freed up, Evans and his team can focus on more strategic initiatives for their client as opposed to being buried in administrative work.
Results
90% of profile shares are accepted with no follow-up required.
6.5 hours saved each week using a streamlined process
Minimized friction
Questionnaire response time reduced from 5 days to 1.
The Future
Currently, BARR Advisory is only using Whistic Profile, but is considering expanding their usage to request security questionnaires on behalf of their clients.
“We have other clients we do vendor evaluations for,” said Evans. “We have a good process in place, but we could benefit from making the process more systematic with a tool like Whistic.”
Evans thinks it could be valuable to his clients to use Whistic to automate evaluations that need to be sent out every year.