Pythian Uses Hyperproof to Get Time Back and Improve Its Risk Management Maturity
- Compliance Operations Module
- Risk Management Module
- Vendor Risk Management Module
Founded in 1997, Pythian is a global IT services company that helps organizations transform by leveraging data, analytics, and the cloud. From cloud automation to machine learning, Pythian designs, implements and supports customized solutions for organizations’ toughest data challenges and has delivered thousands of professional and managed services.
Since Pythian is in the business of helping its customers design, implement, and effectively utilize data analytics solutions, they must be able to demonstrate that they can be trusted with access to customer data in the course of doing work for clients. Many of Pythian’s clients rely on a robust SOC 2 Type 2 report to assess and understand Pythian’s security posture.
As Pythian has grown, their Security team recognized that using spreadsheets, Google Docs, and Jira tickets to manage their security compliance wasn’t a scalable solution. To continually maintain its status as a trusted partner, Pythian needed to maintain a solid IT risk management program and gain additional certifications. It was time to find a more robust compliance operations platform that could support the company’s IT risk management and compliance efforts at scale.
Jessica Parant, the Security Compliance Specialist in Pythian’s Security Department, led the effort to evaluate potential solutions. Parant evaluated software with key capabilities in mind:
- Ease of use: She wanted software that would be easy to use for managing risks, compliance requirements, controls, evidence, and audits. She didn’t want her colleagues involved in compliance and audit preparation efforts to be overwhelmed or intimidated by the number of features within the software.
- Automation: As a company, Pythian likes to automate as much as possible. For Parant, automation was a critical trait of a compliance software platform because it would boost her team’s productivity level and eliminate human errors that can result in problematic audit findings.
- Integrations: Employees at Pythian use lots of different tools. As such, the new compliance software platform needed to be integrated with Pythian’s existing tech stack to be useful.
- Robust reporting: Jessica wanted to get insightful reports so she could understand the organization’s security and compliance posture in depth and prioritize the most important actions to improve the organization’s security posture.
Parant selected Hyperproof and began to implement the software at the beginning of May, 2022. After 30 days, she’s already realized numerous benefits, including:
1. Saved time on SOC 2 Type 2 audit
Hyperproof now serves as the company’s central repository for controls and evidence. Parant no longer needs to schedule meetings with control operators to gather evidence; she uses Tasks in Hyperproof to request evidence digitally, saving several hours per week in the weeks leading up to an audit. Further, she can now generate all the documentation requested by the external auditor in just a few hours when it had previously taken her at least an entire day to do so.
2. Matured the organization’s risk management practices
Instead of tracking risks in a spreadsheet (which requires a lot of maintenance), risks are now tracked in Hyperproof’s Risk Register module and each risk is tied to mitigating controls. The actual risk level of each risk item stays up-to-date because controls are automatically monitored in Hyperproof.
3. Automated security controls
Pythian has set up automated evidence collection and testing procedures on many of their controls. The automation eliminates the risk of human error and ensures that the security team and control operators know about control deficiencies as soon as possible.
In addition to Hyperproof, Parant evaluated OnSpring and Reciprocity (formerly ZenGRC). She felt that those solutions were too cumbersome for her company size and stage. When she found Hyperproof, she felt that it checked off all of her boxes – usability, automation, integrations, and reporting.
“When I learned more about Hyperproof, I realized that it can help us really quickly manage all of our controls and identify gaps we have – so we know what we need to do to improve our security posture,” says Parant.
Parant also liked the breadth of security frameworks Hyperproof supports:
She also commented that she felt extremely supported by the Hyperproof team.
“I’ve had a fantastic experience with Hyperproof so far. The implementation team was very hands on; they trained us and had weekly touchpoints with us to help us make rapid progress. The Customer Success team constantly checked in to see how I am doing, making sure any issues I’ve raised are looked after,” says Parant.
Hear Pythian's story or read the transcript
The importance of a strong security posture
"I'm Jessica Parant, I'm the Security Compliance Specialist at the security department at Pythian. So my responsibility is ensuring that our company remains compliant with our security standards, as well as all the security requests of our clients. And I also lead our audit team. So, when it comes to both doing external, internal and client audits, I am the person who is leading the team and providing all the evidence that we need for our clients.
I'm realizing how important it is to have a compliance tool like this to help you be in alignment with a lot of the different security standards that are coming out. Like they're always coming out and they're always changing. And a lot more clients are asking for visibility into your security compliance and how compliant you are to be able to access and do work for them in their environments. The stronger our security posture is, the stronger that our clients have confidence in us."
Finding the right software
"When we came to Hyperproof, we were trying to solve organization and functionality. So when I first started in this role at Pythian, the audit program was essentially a mix of Google Docs, shared drives, spreadsheets, things that were kind of like all over the place and largely being managed in JIRA—which I didn't find very user friendly for me every year when I had to start a new audit.
As our company continued to expand and grow, we needed a software that was going to grow with us and not feel limited by the functionalities that we had here in place. The four big things I was looking for was usability. So how easy is it to use? Is it something that people are going to struggle trying to figure out how to use all the features?
Because often I find with a lot of tools you get really cool features, but half the time they're hidden within the software. You don't really know how to use it. So it was usability, automation—we're really big here at Pythian at automating things. So how much can we take manual work and be able to automate it so that we're not dealing with just user error, which could happen quite often.
Integrations, so we have a lot of different tools that we have to use here at Pythian and so being able to integrate a lot of our key tools to its core tools is really important for us. And then reporting, because we love our data, not only do we love it for our clients, we also love it for ourselves.
Because through that reporting, we can see where we need to improve, where are our gaps and where our strengths, and how we can continue growing on those strengths."
Easy and smooth implementation
"I started implementing Hyperproof about the beginning of May, 2022, and it was a fantastic experience. I was so impressed and I was even speaking with my boss at the time, Mark St-Louis, he was also really impressed by just how hands on Hyperproof has been since, you know, not even just from like the beginning of the sales discussion to all the way into implementation, having those training sessions to kind of walk us through the tool again and give us step by step guides.
You know, having someone who was there to walk me through each week and be like, okay, where are you at with your implementation? How much further do you feel you need? And then what other tools can we help you with? Are you stuck on anything?
And I just, the whole experience is really great and like within a month I was able to have Hyperproof stood up, my controls all in there, and I'm starting my audit right now and it's just been so easy and smooth that I've been really happy with it."
Automated risk management
"We get audited twice a year by Deloitte and so it's really great to be able to have a tool that we set up all the controls, set up our proofs, and then run the audit and export everything out to Deloitte and hopefully in time we're able to bring our auditor into that same tool with us. And then the other big sell that for us was risk management, because once again, we were a company that was still working off of spreadsheets and stuff like that.
When we saw that there was this risk management feature that also connected to a lot of our controls, we thought this was a really great tool for us to have as well and to, I guess you say, become more mature when it came to our risk management profile. All our controls are all nicely and neatly packaged up in one nice place.
We're able to show samples of evidence. So, if I'm off on vacation, someone who can step in and see what I'm working on and be like, "Oh, this is what we need to provide for our auditors." We're able to automate our controls. I love that. Like I said, we really believe a lot in things like automation integrations. So I'm able to set up all the things and have evidence and proof already when I need it."
A team that loves Hyperproof
"And then most importantly, one of the things I'm able to do is invite team members in who manage the controls, not having to book them for a bunch of meetings. So often they'll be like, "Oh, we need this evidence for this type of control. Now I need to go book a 15-minute meeting with this person from another team to do this."
Now, I don't have to do that anymore. I can just set them all up and be like, okay, here's a task from Hyperproof that I need you to upload this new evidence for this audit. And we don't have to have that 15 minutes out of your day to go in and do snapshots for our auditor. It's already done.
So I can just upload it, done, and then I know a couple members of my team are really happy about that because they're just like, "hey, we'll jump on and do this at any time. But if there's a task that we could just upload into it, that'd be great." So saving a lot is actually saving a lot more time. And that's what I really wanted as well too."
Time well saved
"I was just saying today, I'm getting ready to submit a bunch of evidence to my auditor—which normally would take me about a half a day here and there. Like, I have other responsibilities that I do. I had thought it was going to take me all day to get what I need to done today and I was done by noon.
So I have a whole afternoon to be able to complete my work because I was able to have all my evidence up in Hyperproof, export it all at once and upload it all to my auditor's portal."
Spreadsheets no more
"Do you really want to continue using spreadsheets for the rest of your work career? Because it's a lot of work and it's a lot of upkeep and Hyperproof takes that away, which I love.
Like I said, I love that because there is always a possibility for manual errors. And so when you're able to move yourself into a program that helps to kind of eliminate that, that's really key and it's really important. And like, do you want to save time in your work? Do you want to be able to jump onto the other projects that you're really interested in doing?
Then Hyperproof is going to help you do that. Coming from someone for three years who has been using spreadsheets and JIRA tools and having to rebuild projects every year, it's a timesaver."