Outreach

Customer Story

Outreach Streamlines and Automates Security Assurance Work With Hyperproof

Company

Outreach

Location

Seattle, WA

Industry

Computer Software

Compliance Frameworks

  • SOC 2
  • ISO 27001
  • ISO 27701
  • HIPAA
  • SOX

Products Used

  • Compliance Operations Module
  • Risk Register Module
  • Vendor Risk Management Module

Overview

Outreach creates a market-leading sales execution platform that manages and automates customer interactions throughout the sales cycle, resulting in increased productivity and revenue lift. The company was founded in 2014 and is based in Seattle, Washington.

The Challenge

As a fast-growing global tech company, Outreach must be compliant with numerous data security, data privacy and financial regulations and meet industry standards including SOC 2, SOX, ISO 27001 and ISO 27701. As compliance requirements grew, so did the amount of work for Outreach’s GRC team and control owners across the organization including engineers, IT managers, customer support reps, and legal professionals.

Josef Fukano, Director of GRC at Outreach, knew that it was time for the organization to start streamlining and maturing its compliance function. Fukano and his direct report, Mike Caldwell, Senior Program Manager of GRC, decided to find compliance software they could use to gain a single source of truth on their compliance projects and to help them automate routine, repetitive work.

“Before we selected Hyperproof, our team used Google Sheets to manage our SOC 2 and ISO certification work. Google Sheets are fine for individual audits, but get messy after a few years. You start losing track of things. Now that we’re running a compliance program at scale, we need a platform that helps us keep a pristine list of controls for easy review, allows the GRC team to collaborate with process/control owners across the organization, helps to automate routine work as much as possible and gives us visibility into where things stand at any given time.”


Josef Fukano
Director of GRC at Outreach

Results

In the five months since implementing Hyperproof, the Outreach GRC team has made significant progress in maturing their compliance operations. For instance, Hyperproof enabled the team to:

  • Create a single source of truth for all controls and gain greater assurance that control activities are being performed on a timely and consistent basis

  • Make rapid progress in fostering a culture of security and compliance by distributing control ownership to nearly 50 people across the organization

  • Verify that risks are being remediated and that progress against risk treatment plans is being made without having to ask engineers or log into multiple systems

  • Automate a significant portion of their evidence collection process by connecting Hyperproof with existing tools and apps in the organization

“With Hyperproof, we were able to build a solid foundation and central system for managing our compliance operations in just a few months, all while using the tool to prepare for our upcoming audits. We were able to accomplish all this because Hyperproof is easy to get started with and intuitive enough to be used by employees who don’t have any experience in compliance,” says Fukano.

Why Hyperproof

The team implemented Hyperproof as Outreach’s central compliance operations platform because they saw that Hyperproof was more intuitive and easier to get started with than any other GRC tool they’d evaluated. Hyperproof also met the organization’s core needs for a GRC platform, which include gaining a single source of truth for all controls, collaborating with process/control owners across the organization and automating repetitive tasks.

“Hyperproof was useful on day one. We were able to quickly import our existing controls into the platform. With Hyperproof, the learning curve is low; you don’t need a training session for everyone you onboard. Further, with Hyperproof, we can immediately understand our compliance posture because it provides a single source of truth on controls that is more reliable than Google Sheets.”


Mike Caldwell
Senior Program Manager of GRC

How Outreach is Managing Compliance Operations In Hyperproof

Get out of spreadsheets

Outreach purchased Hyperproof at the end of June 2021, when the GRC team had already begun to prepare for upcoming SOC 2, ISO 27001 and ISO 27701 audits (slated for November 2021). As soon as they got access to Hyperproof, the GRC team imported their existing controls (in Google Sheets) into Hyperproof to manage. Each framework/spreadsheet is managed as a separate Program in Hyperproof.

Distribute control activities to people across the organization

In Hyperproof, the GRC team reviewed the controls one by one and made sure each was implemented and assigned to the correct owner. To date, over 1,000 controls have been assigned to nearly 50 individuals across Legal, Security, IT, Operations and HR teams.

Automate evidence collection requests and the extraction of evidence from source systems

Once controls were documented in Hyperproof, the GRC team began to use Hyperproof to conduct an internal audit in preparation for their formal, external audit. They uploaded evidence for each control into Hyperproof, using Labels to keep track of evidence specific to the internal audit.

They also set up Hyperproof integrations with third-party tools to streamline collecting evidence for control testing and internal audits. For instance, Caldwell connected Hyperproof with Outreach’s Jira instance. Jira is the tool the firm’s Engineering team uses to document risk treatment plans for the company’s top risks. Now that Hyperproof is connected to Jira, all updates on Jira tickets (used to track work done to treat risks) are updated in Hyperproof automatically. Caldwell no longer has to log into Jira to check on their progress; all of the completed tasks within the risk treatment plan are automatically organized in Hyperproof as evidence for future audits.

The team also set up a Hyperproof integration with Okta, the company’s identity and access management platform, to facilitate quarterly access reviews. Their security team needs to check that each person who has access to key systems (e.g. AWS, GitHub) is someone who is supposed to have access for their job, and that no one who shouldn’t have access is getting it.

Automate control review reminders

In Hyperproof, the GRC team has created Tasks to remind key individuals who need to conduct quarterly access reviews. These tasks are sent out to the individuals automatically via Slack and email, because Hyperproof is connected to these tools.

The current list of users as it stands in Okta gets pulled into Hyperproof automatically in a spreadsheet format. This list is sent to access review control owners to verify that actual user access matches what it is supposed to be (e.g. another static list in a spreadsheet). With the Okta integration, the GRC team no longer needs to manually pull in user lists from Okta. Nor do they need to set up manual reminders for user access reviews.

Implement and Maintain ITGCs for SOX

As Outreach prepares for an IPO, the GRC team has also begun to manage its IT General Controls (ITGCs) for SOX in Hyperproof. The ITGCs for SOX are managed as a separate Program in Hyperproof. The GRC team has given their internal audit firm access to this Program so they can collaborate on controls and evidence collection together.

“Hyperproof has made a big difference in helping us mature our compliance operations in just a few months. In this time, we’ve stood up 5 different programs, nearly 1000 controls, multiple Labels and used Hyperproof to manage 1500 pieces of evidence and to engage with 47 users and contacts across our organization,” says Caldwell.

“This year, we invested time in setting up Hyperproof in a way that will help us reap the benefits of automation next year and for years to come. In 2022, we plan to further automate our compliance operations with the ultimate goal of automating everything we can automate. For instance, we’d like to add standard operating procedures for every control – so control owners know what evidence they should submit without us on the GRC team having to explain what to do. We’ll also add notifications on controls so Hyperproof can remind control owners when new evidence is needed. Control owners have day jobs to do, we don’t want them to spend more time on compliance than they have to,” says Fukano.
