ZenBusiness

Scaling Third-Party Risk Management with a Lean Security Team

ZenBusiness is an all-in-one platform that helps entrepreneurs start, run, and grow their businesses. The company’s offerings include sensitive legal and finance functions like business formation, banking, and financial management, so effective security and compliance practices are essential. This includes ensuring that the numerous third-party vendors that support ZenBusiness’ offerings have sound security practices throughout the lifecycle of their relationships.

Scaled third-party risk management program through a more systematic approach.

Replaced manual processes with self-service workflows and automated alerts.

Simplified compliance through centralized visibility into vendor security practices and documentation.

Assessing vendor risk more systematically

Since ZenBusiness partners with an extensive number of vendors to manage sensitive aspects of its customers’ business operations, the company takes a comprehensive approach to managing risk. “It’s important for us to perform regular risk reviews for all critical vendors, particularly any that interact with our internal finance or customer data,” said Brian Rutledge, Security Director at ZenBusiness.

Before Bitsight, these assessments required a significant amount of manual effort, making it impossible to keep up with the growth demands of the business without adding security team headcount. “Our vendor relationships have more than doubled over the last couple of years as our business has grown and as we’ve developed new products,” Rutledge said. “Solutions like Bitsight are the only way to scale as the pressure to do more with less increases.”

Streamlining vendor onboarding and assessments

One area where Bitsight made an immediate impact was in transforming ZenBusiness’ vendor cyber risk assessments. These start with a review of the prospective vendor’s Bitsight Security Rating. “We use the rating when we’re considering a new vendor to understand their public profile and decide whether it’s someone we really want to partner with,” said Rutledge. “This includes understanding whether they may have vulnerabilities that would concern us from a supply chain perspective.”

Once prospective vendors advance beyond this initial step, Bitsight Vendor Risk Management (VRM) streamlines the process of assessing their security practices in more detail. This replaced what was once a highly inefficient manual process. “It was a pain,” Rutledge said. “I would need to contact each vendor manually using email, request their certification documents, and exchange information back and forth using email or Google Drive.” Now, ZenBusiness has a single source of truth with Bitsight VRM where they can manage all of their vendors. Even better, vendors can access Bitsight Trust Management Hub (TMH), a customer self-service module, to upload requested documents, making it easier for both ZenBusiness and the vendor to work together.

Reviewing vendor risk posture proactively

Another growing pain ZenBusiness encountered in its third-party risk management program was revisiting and validating vendor risk at a regular cadence after initial onboarding. Relying on manual reminders tied to each vendor’s onboarding date was inefficient and error-prone. Now, Bitsight VRM makes reassessment systematic and simplifies the review process for the security team.

“Bitsight sends me an email whenever a vendor assessment is close to expiring, along with a weekly summary report,” Rutledge said. “It’s also much easier to make the updates when all of the documentation – along with any internal notes – is in one place.” Additionally, Bitsight Continuous Monitoring alerts ZenBusiness when security incidents, zero-day vulnerabilities, and other critical risks occur between assessments, so the team can investigate and mitigate issues on an ongoing basis.

Simplifying audit and compliance activities

Given the nature of its business, ZenBusiness must comply with various industry regulations, including PCI DSS and SOC 2. They must also support the audits of third parties, such as their partner bank. Using Bitsight to manage third-party risks removes significant time and complexity from these audits as well. “When I completed my recent PCI DSS and SOC 2 evidence submissions, I used Bitsight to demonstrate the vendor due diligence we perform to our auditors,” Rutledge said. “They were very happy with what they saw.”

Easy access to centralized information about vendor risk also makes it easier to support one-off internal requests from key stakeholders. “If my boss is looking for a report on a specific vendor, he can just go in and grab it,” Rutledge said. “He doesn’t need to go hunting around for individual documents and piece them together.”

Detecting and responding to new vendor risks

Bitsight’s continuous monitoring capabilities also alert the ZenBusiness team to significant changes in vendors’ security posture, enabling them to address potential issues proactively. While these incidents are relatively rare, it’s important that they don’t slip through the cracks and expose ZenBusiness to hidden risks. “When a vendor’s Bitsight Security Rating drops significantly, I’m notified immediately,” said Rutledge. “This allows me to contact the vendor to understand more about what changed and ensure any issues are fixed.”