How Instacart Saves Thousands of Hours by Streamlining Security Reviews

Instacart's GRC team was spending countless hours each week responding to security questions. Partnering with SafeBase to create a Trust Center has saved the team thousands of hours in just a few months.

  • 375 hours saved on custom questionnaires
  • 120 hours saved by using Trust Center updates
  • 5,000 hours estimated time saved per year

About Instacart

  • Industry: Retail
  • Headquarters: San Francisco, CA
  • Employees: 10,000+

The Traditional Security Review Process is Broken

Before partnering with SafeBase, the Instacart security team was constantly swamped with security review requests from retailers. There were three key parts of the due diligence process that took far too much time from the internal teams:

  • Repetitive Questionnaires — Internal teams had to fill out customized spreadsheets that contained tens, or even hundreds, of items that were often minor variations of previous questionnaires.
  • Inefficient NDA Process — Two-way mutual NDAs frequently involved several emails, redlines, and multiple teams.
  • Outdated or Inaccurate Information — Sales team members had to locate and resend PCI and SOC 2 reports after sending outdated versions.

Large retailers in particular have stringent security requirements due to the millions of PII records that Instacart processes on their behalf.

Third Party Risk is Top of Mind for Modern Security Teams

In addition to the pre-sales process, the recent trend of major vulnerabilities and data breaches, such as the late 2021 Log4j incident, meant the Instacart GRC team had to respond to a high volume of inquiries from retailers. Over the past couple of years, these types of industry-wide incidents have become increasingly common, and teams everywhere have been struggling to efficiently communicate their responses to customers. Vendor teams commonly have to respond to multiple emails from the same customer, craft responses from leadership, and in some cases fill out entire questionnaires focused solely on a recent incident. This process can be extremely time-consuming and result in lost productivity, especially if the vendor never even used the affected software.

Less Time Spent on Questionnaires Means More Time Doing Security

With these challenges in mind, the Instacart team reached out to SafeBase after interacting with another vendor’s Trust Center. The SafeBase team quickly helped the Instacart team to stand up their own Trust Center to enable retailers and prospects to quickly review Instacart’s security posture and to request access to common documents such as SOC 2 reports and SIG questionnaires.

The Instacart team saw immediate benefits. To start, they were able to drastically reduce the number of custom questionnaires by encouraging retailers to download the standardized CAIQ, VSA, and SIG questionnaires. For the sales team, sharing up-to-date documents such as SOC 2 and PCI AOC took just minutes rather than hours or days. Sales teams no longer had to contact the security team to ask for the latest security documents. They could instead point retailers to the Trust Center, knowing that the security team keeps it up to date. On the legal front, the time to sign an NDA was drastically reduced from several hours of back-and-forth emails to a few minutes using SafeBase’s built-in Clickwrap NDA feature. The legal team was no longer bogged down with a backlog of custom NDAs to review.

By The Numbers

The SafeBase and Instacart teams were able to quantify the reduction in time spent. From a sample size of 10 retailers, the Instacart team was able to do the following:

  • The Instacart GRC team was able to skip three custom questionnaires with an average of 500 questions each by sharing the CAIQ, VSA, and SIG. Previously, they would spend an average of about 15 minutes per question, which includes crafting responses and clarifying with other partner teams. In total, the team estimates that about 375 hours, or 47 business days, were saved through the use of standardized questionnaires.
  • By leveraging a simple, easy-to-read Clickwrap NDA, Instacart’s team was able to save an average of 20 minutes per NDA that typically would have been spent signing, reviewing redlines, and crafting emails. This alone saved both the GRC and Legal teams over 3 hours.
  • Using SafeBase’s Trust Center Updates feature, the GRC team was able to publish an update regarding the late 2021 Log4j vulnerability informing customers that Instacart was not affected. Previously, the GRC team would spend approximately 6 hours per retailer responding to emails, drafting official responses, and answering breach- and vulnerability-specific questionnaires each time there was a major incident. The team was able to share their Log4j update with 20 concerned retailers, saving the team approximately 120 hours of repetitive work.
  • In total, the team was able to save nearly 500 hours of valuable time in just a few months, with this number expected to increase significantly in the future.

When Instacart applies this to 100 retailers per year and an assumption of 10 major industry-wide security incidents per year (a conservative estimate with the rate at which companies are being breached), they save about 5,000 hours per year! Assuming an average junior team member salary of $110K, this results in a savings of about $290,000 per year, or that of almost three full-time employees.

“In our first year with SafeBase, Instacart will save thousands of hours for Security, GRC, Legal, and Business Development teams. SafeBase’s automated NDA flow, public facing security portal, and trust center updates have saved countless emails from retailers and significantly reduced the volume of security questionnaires we are receiving as part of the vendor review process.”

Blake Hoge

Sr. Risk and Compliance Engineer, Instacart

Proactively Sharing Updates Saves Time for Everyone

In addition to time saved during the initial due diligence process, the GRC team was also able to proactively publish Trust Center Updates regarding critical items such as the Log4j vulnerability, which drastically reduced the need to write custom responses to retailers and demonstrated the team’s commitment to security and transparency. In fact, they were even able to upload a custom questionnaire addressing common questions around their response to this vulnerability, allowing customer-facing teams to refer concerned customers to one single location.

Instacart is just one of more than 100 companies that have successfully used SafeBase to streamline their security reviews, speed up the sales cycle, and build trust with their customers. At SafeBase, our goal is for companies of all sectors and sizes to be able to share their security posture transparently with the world.
