CASE STUDY
How Kapiche uses Vendor Risk Management to streamline vendor security reviews
SOC 2, HIPAA, Vendor Risk Management, Access Reviews, Trust Center, Questionnaire Automation, Risk Advanced Customization
With vendor auto-discovery, Kapiche can easily inventory all vendors being used by the company — instilling confidence in their ability to detect and monitor new vendors being brought into the organization.
Vendor Risk Management provides Kapiche with a consolidated view of third-party risk assessments and security documents — helping them save time and resources on reassessments.
Vendor Risk Management enables Kapiche to easily maintain compliance with the vendor risk requirements of HIPAA and SOC 2, helping them demonstrate a strong security posture to security-conscious customers.
“Vanta’s Vendor Risk Management solution slashed the time I spend on ongoing vendor security assessments from one full day to only one hour each week.”
THE COMPANY
Instant, detailed customer insights
Kapiche was founded in 2016 and provides a feedback analytics platform that helps leading brands like Toyota, Zappos, and Target ingest and analyze huge quantities of unstructured customer feedback data in minutes, delivering concrete insights to improve the customer experience. Kapiche consolidates customer feedback from disparate sources like surveys, call transcripts, chat records, support emails, and more, and uses their proprietary text analytics technology to extract trends in conversation themes and user sentiment automatically. With AI doing all the heavy lifting, customers can get set up in hours instead of months and instantly get answers to key business questions.
Because Kapiche’s customers entrust them with sensitive data about their customers, following strong security and privacy practices has been a priority for them since day one. Leading the charge on their security efforts is Cameron Parry, Staff Site Reliability Engineer at Kapiche. Cameron wears multiple hats at the lean and nimble startup and is responsible for their security and compliance program in addition to DevOps.
Kapiche has been using Vanta for compliance since 2019 when they decided to become SOC 2 compliant. In 2022, they became HIPAA compliant as well with help from Vanta. Over time, Cameron realized their vendor risk assessment processes could be more comprehensive and organized, which led them to explore Vanta’s Vendor Risk Management (VRM) solution.
THE CHALLENGE
It’s hard to manage vendor risk in a silo
Prior to using Vendor Risk Management, Kapiche mostly relied on tools that measure vendor risk using external signals gathered from scanning the vendor’s cloud infrastructure and internet presence. While these outside-in assessments were useful, they did not inform Cameron and his team about the most important component of vendor risk — the vendor’s day-to-day security practices. Cameron also didn’t have a solution to streamline vendor security assessments, requiring him to note findings separately in their knowledge management system and manually create tickets to track risk remediation items.
Before he started using Vanta’s VRM solution, Cameron would spend a lot of time requesting security documents from vendors. Once acquired, he had to consolidate them in one location to help with reassessments. All of these manual workflows were a huge drag on efficiency, and having critical vendor information scattered across multiple tools made it difficult to see a comprehensive picture of vendor risk. “Using different tools for vendor risk management and compliance led to a patchwork approach to vendor security, which required more work on my part to consolidate notes and findings on each vendor,” said Cameron. “It definitely prevented me from working as efficiently as I wanted to.”
THE SOLUTION
Automated and streamlined workflows
Vanta’s VRM solution helped improve critical aspects of Kapiche’s vendor security processes. The vendor auto-discovery feature enabled Cameron to easily inventory all vendors being used by the company. It made him confident in his ability to detect and monitor new vendors being brought into the organization. Cameron especially valued VRM’s customizable risk rubric, which made it possible to use a consistent framework to measure vendor risk and capture minute differences in the risk profiles of different vendors.
“I like that Vanta’s workflows are flexible enough to accommodate my style of vendor security assessment,” says Cameron. “I like to see as much information about the vendor as I can and sometimes review their information multiple times to ensure I haven’t missed anything. It’s easy to do this with Vanta without too much effort.”
VRM also facilitated faster onboarding for new vendors, allowing the security team to maintain a robust security posture while enabling the company to find the best tools for the job. According to Cameron, “VRM has been highly complementary to solutions providing outside-in security scores. While those tools provide valuable information during initial due diligence, VRM makes ongoing assessments of vendor security practices really easy to perform.”
The onboarding and implementation experience for VRM has been smooth and efficient. As one of the earliest users of the product, Cameron appreciated the quick feedback loops and the opportunity to provide input on the product's development.
THE IMPACT
More time for strategic security work
Vanta has been instrumental in improving vendor security reviews by providing insights into each vendor's security practices, enabling informed decision-making. The platform has also helped identify unused or unnecessary applications, leading to cost optimization and a more efficient toolset.
Every minute during the work week is valuable to Cameron since he’s the sole security professional at his company. “It used to take me a full day to review the security risk of all our onboarded vendors, a task I like to perform every week to check for any changes or incidents like security breaches,” says Cameron. “This task only takes me one hour after I started using VRM. I now have more time for other critical work like cost optimization opportunities and helping our sales team with security questionnaires.”
Vanta's VRM product has also positively impacted Kapiche's ability to be audit-ready. By streamlining the vendor risk assessment process and providing a centralized platform for information, Vanta has ensured that Kapiche can efficiently manage vendor risks and maintain compliance with regulatory standards like SOC 2 and HIPAA.
Finally, for a growth-focused company like Kapiche, VRM has made it a lot easier to maintain and demonstrate a strong security posture, which is crucial for winning the trust of potential clients and closing new deals. By efficiently managing vendor risks, Kapiche can continue to grow and innovate without compromising their security and compliance.