The traditional security review process is broken
Before partnering with SafeBase, the Instacart security team was constantly swamped with security review requests from retailers. There were three key parts of the due diligence process that took far too much time from the internal teams:
- Repetitive questionnaires — Internal teams had to fill out customized spreadsheets that contained tens, or even hundreds, of items that were often minor variations of previous questionnaires.
- Inefficient NDA process — Two-way mutual NDAs frequently involved several emails, redlines, and multiple teams.
- Outdated or inaccurate information — Sales team members had to locate and resend PCI and SOC 2 reports after sending outdated versions.
Large retailers in particular have stringent security requirements due to the millions of PII records that Instacart processes on their behalf.
Third party risk is top of mind for modern security teams
In addition to the pre-sales process, the recent trend of major vulnerabilities and data breaches such as the Late 2021 Log4j incident meant the Instacart GRC team had to respond to a high volume of inquiries from retailers. Over the past couple of years, these types of industry-wide incidents have become increasingly common, and teams everywhere have been struggling to efficiently communicate their responses to customers. It is fairly common that vendor teams must respond to multiple emails from the same customer, craft responses from leadership, and in some cases, fill out entire questionnaires that focused solely on a recent incident. This process can be extremely time consuming and result in lost productivity, especially if the vendor never even used the affected software.
Less time spent on questionnaires means more time doing security
With these challenges in mind, the Instacart team reached out to SafeBase after interacting with another vendor’s Trust Center. The SafeBase team quickly helped the Instacart team to stand up their own Trust Center to enable retailers and prospects to quickly review Instacart’s security posture and to request access to common documents such as SOC 2 reports and SIG questionnaires.
The Instacart team saw immediate benefits. To start, they were able to drastically reduce the number of custom questionnaires by encouraging retailers to download the standardized CAIQ, VSA, and SIG questionnaires. For the sales team, sharing up-to-date documents such as SOC2 and PCI AOC took just minutes rather than hours or days. Sales teams no longer had to contact the security team to ask for the latest security documents. They could instead point retailers to the Trust Center, knowing that the security team keeps it up to date. On the legal front, the time to sign an NDA was drastically reduced from several hours via back and forth emails to a few minutes using SafeBase’s built-in Clickwrap NDA feature. The legal team was no longer bogged down with a backlog of custom NDAs to review.
By the numbers
The SafeBase and Instacart teams were able to quantify the reduction in time spent. From a sample size of 10 retailers, the Instacart team was able to do the following:
- The Instacart GRC team was able to skip three custom questionnaires with an average of 500 questions each by sharing the CAIQ, VSA, and SIG. Previously, they would spend an average of about 15 minutes per question, which includes crafting responses and clarifying with other partner teams. In total, the team estimates that about 375 hours, or 47 business days, were saved through the use of standardized questionnaires.
- By leveraging a simple, easy-to-read Clickwrap NDA, Instacart’s team was able to save an average of 20 minutes per NDA that typically would have been spent signing, reviewing redlines, and crafting emails. This alone saved both the GRC and Legal teams over 3 hours.
- In using SafeBase’s Trust Center Updates feature, the GRC team was able to publish an update regarding the late 2021 Log4j vulnerability informing customers that Instacart was not affected. Previously, the GRC team would spend approximately 6 hours responding to emails, drafting official responses, and answering breach and vulnerability specific questionnaires per retailer each time there was a major incident. The team was able to share their Log4j update with 20 concerned retailers, saving the team approximately 120 hours of repetitive work.
- In total, the team was able to save nearly 500 hours of valuable time in just a few months, with this number expected to increase significantly in the future.
When Instacart applies this to 100 retailers per year and an assumption of 10 major industry-wide security incidents per year (a conservative estimate with the rate at which companies are being breached), they save about 5,000 hours per year! Assuming an average junior team member salary of $110K, this results in a savings of about $290,000 per year, or that of almost three full-time employees.
SafeBase is the scalable Trust Center that automates the security review process between buyers and sellers. With a SafeBase Trust Center, companies can seamlessly share sensitive security documentation with buyers and customers, including streamlining the NDA signing process by integrating with CRMs and your data warehouse.
If you’re ready to take back the time your team spends on security questionnaires, create a better buying experience, and position security as the revenue-driver it is, get in touch with us.
