Case Study

How Appian Used Hyperproof to Streamline GRC for 28 Frameworks


Frameworks: FedRAMP, ISO 27001, PCI DSS, SOC 2, TISAX, and many more

Appian

Appian is a low-code no-code platform that automates business processes so they can take on some of the world’s most difficult problems. The Appian AI Process Platform includes everything you need to design, automate, and optimize even the most complex processes, from start to finish.

Product Used: Risk Module, Compliance Module, Vendor Risk Module

Quick Facts: Cloud Computing Software, Tysons, Virginia

$100,000 saved per audit

600+ controls fresh

28 frameworks managed

100+ hours saved on evidence collection

The Challenge

Maintaining compliance with 28 frameworks

Appian has thousands of customers in highly regulated sectors, including healthcare, insurance, finance, and banking. As a result, Appian’s customers rely on them to adhere to over 28 frameworks and regulations and maintain over 600 controls via their Shared Responsibility Model. The manual work required to manage so many frameworks was time-consuming, costing their team of 10 many valuable hours that could have been spent on more strategic tasks. After evaluating their current state and realizing they needed a better solution, three key Appian team members began the search for a new platform: Nick Maddalena, Senior Director of Information Security, Andrew Cunje, Chief Information Security Officer, and Mark Lee, Director of Information Security.

Unifying risk, compliance, and security programs

Over 600 people — including engineers, security experts, and risk managers — at Appian have a hand in managing security, risk, and compliance. Consolidating their programs and having a central place for all employees to manage their work was critical for Appian, both from an efficiency and visibility perspective. Appian treats GRC as a true team effort, and they needed a platform that could align with that methodology. “Prior to Hyperproof, we spent a lot of time just managing the upkeep of our security program as a whole,” says Maddalena.

Manual evidence collection for multiple audits

Appian’s team is responsible for gathering evidence for 21 audits, which is no small task. Before each audit, they would have to manually collect evidence, organize it, and pass it to the auditor. Often, evidence was out of date, which meant they would have to chase down proof owners to get new files and manually send them to the auditor. Going through this process with 21 audits was inefficient for their team, who could be spending time on more important tasks.

Redundancy across compliance frameworks

Appian operates with 28 compliance frameworks, and they struggled to manage redundant controls and understand the control overlap between frameworks. Engineers would have to manually maintain duplicate controls across frameworks, which was painful, frustrating, and time-consuming. Additionally, they would have to track updates to these frameworks manually and stay on top of regulatory changes themselves, adding to their manual work.

The Solution

“No other platform provides this level of a tailored view. It’s exactly what we needed.”

Mark Lee, Director of Information Security, Appian

Granular control management with Scopes

One of Appian’s favorite Hyperproof features is Scopes, a unique feature that helps organizations efficiently manage controls at scale. With Scopes, Appian can define entities to reflect their preferred organizational structure, like product lines, locations, subsidiaries, and business units. This is particularly important for Appian since they manage many product lines across industries where multiple control owners might be responsible for the same control. With Scopes, Appian’s team can easily see the status of all controls, identify which ones are unhealthy, and determine which entity has issues. They can also see and review evidence of control operation provided by the entity-level operators, ensuring transparency and accountability throughout the compliance management process.

Hyperproof’s Scopes offered exactly what Appian needed — a structured, customizable approach to managing controls. Instead of trying to fit their processes into a rigid solution, they could configure Scopes to meet their needs at every level of the organization. Scopes allowed for:

“Scopes is a way to further dissect and evaluate our controls to meet our needs company-wide.”

Mark Lee, Director of Information Security, Appian

Custom views for different roles

With Scopes, Appian can tailor views for different groups, allowing teams to focus on the controls that impact them the most.

Streamlined evidence collection

Appian has tied ownership of controls and evidence gathering directly to squads, streamlining accountability across the organization.

Customization for multiple users

Department heads, SBUs, and development leads can quickly see relevant controls and their health, filtering through scopes and dashboards specific to their roles.

The largest framework library in the market

Appian evaluated 10 platforms for almost a year before selecting Hyperproof as their vendor of choice. One of the key reasons why they chose Hyperproof was because of the platform’s robust framework library of over 100 out-of-the-box framework templates. The platform is continuously updated with new frameworks every week, and the framework templates themselves are also updated as soon as regulatory bodies announce updates. With Hyperproof, Appian can rest assured that they can manage over 20 frameworks and add new frameworks as needed.

Quickly adding and crosswalking new frameworks

Hyperproof’s Jumpstart feature helps users understand how their current controls align with a new framework they are considering implementing. With Jumpstart, Appian can assess how their current frameworks align with new frameworks they must implement and quickly gauge the work needed to become compliant. “For us, the Jumpstart feature has helped us understand how far along we are from really getting a new compliance framework,” says Mark Lee, Director of Information Security. “It’s exactly the shortcut and time-savings we needed.” 

Appian can also crosswalk controls to different frameworks to avoid repetitive manual work. “Hyperproof has given us the ability to create a common control framework so engineers can understand what controls they’re responsible for and what to do if a control fails in a more efficient way,” says Lee.

“After implementing Hyperproof, we were able to spend our time in more strategic areas.”

Nick Maddalena, Senior Director of Information Security, Appian

100+ hours saved on evidence collection with Hypersyncs

With Hyperproof, Appian can fully harness the benefits of automation where it matters most. Using Hypersyncs — data connectors that automate evidence collection across a wide range of applications — Appian can streamline evidence collection and ensure that their controls are continuously up to date. “Appian has taken an aggressive approach with implementing Hypersyncs to pull in as much data as we can to cover the 600+ controls in our inventory,” says Maddalena. Hypersyncs have transformed Appian’s control management from reactive to proactive. “We’ve gone from manually pulling evidence of controls to having those controls continuously documented. Hyperproof has saved hours of our time,” says Lee.

Opening up new markets

Appian’s core GRC teams interact with Hyperproof daily, which means everyone is working in the same place. With Hyperproof, Appian can more easily expand into new markets by streamlining compliance with various regulatory requirements across regions. Hyperproof automates the complex tasks of managing audits, assessing risks, and maintaining regulatory documentation, enabling Appian to swiftly adapt to the legal and compliance standards of new markets. This not only reduces the time and cost involved in entering new markets but also mitigates the risk of non-compliance, which could lead to fines or reputational damage. The Hyperproof platform provides a unified approach to managing these challenges, allowing Appian to focus on innovation and growth instead of manual compliance and risk management processes.

Streamlining the audit process

Managing 21 audits is no longer a strenuous manual process now that Appian has Hyperproof. With Hyperproof’s automated evidence collection capabilities, Appian can rest assured knowing their evidence is continuously up to date so they can be ready for an audit at any time. “Hyperproof has streamlined our audit process by allowing us to be continually compliant with our frameworks at any given moment,” says Cunje.

“With Hyperproof, we’re ready for an audit at any given moment.”

Andrew Cunje, Chief Information Security Officer, Appian

Ready to take command of your compliance and risk operations?

To see the Hyperproof platform in action, schedule a demo with our team today.