Taste of Success: Focus Brands Reduces Findings by 95% with Onspring
A GRC Case Study
OVERVIEW
Not everyone thinks of security practices when they catch the scent of Auntie Anne’s pretzels in the airport, but Chief Information Security Officer (CISO) James Baird does. Baird leads an eight-person security team at Focus Brands, a renowned developer of global, multi-channel food service brands, including Auntie Anne’s, Cinnabon, Jamba, Carvel and Schlotzky’s. He recognizes the deep need for structure and accountability in the company’s risk and incident management processes. To ensure the security and privacy of their operations, Focus Brands turned to Onspring, one of the country’s leading GRC and business process SaaS platforms.
This case study explores how Focus Brands leveraged Onspring’s automation software to enhance their risk management practices, including IT risk and vendor IT risk, as well as streamline their incident response workflows.
By the Numbers
Challenge
As a franchise company with over 6,000 stores across the United States and around the globe, Focus Brands faced the critical responsibility of ensuring PCI DSS compliance, monitoring firewall traffic, and safeguarding information security and privacy across their retail organizations. With varying privacy laws and regulations across different states and countries, managing risk at both the enterprise and store levels became a complex task.
“We have 102 different authoritative sources with which we have to comply to address both international and domestic laws,” says Baird. “This means there are 102 different authoritative sources from which we have to build control environments. If I had to crosswalk these things on paper, I’d still be doing it two and a half years later.”
Additionally, the company needed to address the emerging threat of supply chain attacks from non-IT vendors, which had previously been overlooked.
Armed with a small team responsible for managing a wide range of capabilities, including digital transformation, risk management, and network security, Baird needed an efficient solution to automate tasks, improve collaboration, and provide a comprehensive overview of their security controls and GRC program maturity.
Solution
Baird had previously implemented Onspring at several other companies, so he was familiar with its capabilities for digital transformation. Onspring provided a comprehensive suite of tools to manage governance, risk management, compliance, privacy, email management, pen tests, threat management, and network security.
So the CISO and his team configured Onspring’s GRC capabilities to establish a comprehensive security program, leveraging the Cybersecurity Framework as a foundation. Onspring’s no-code platform allowed them to build customized applications and workflows tailored to their specific risk management needs.
With Onspring, Focus Brands enhanced their GRC processes by:
- centralizing their policies, processes, and procedures
- providing a system of record for all IT-related controls, audits, and compliance requirements
- automating third-party surveys to assess risk from over 300 non-IT vendors, enabling better supply chain risk management
- setting alerts & reminders for outstanding information
- tracking and reporting of key performance indicators (KPIs) and key risk indicators (KRIs) related to security incidents, such as mean time to discovery and mean time to resolution
Result
In multiple areas, on multiple levels, Focus Brands achieved significant improvements in their security and risk practices. Summing up what a single platform gives them, Baird says, “Onspring has given us a toolbox for automation, a repository for continually updated and managed controls and the ability to perform risk management for the enterprise and for our vendors and suppliers.”
Workforce Multiplier
Baird has two designated staffers on his team who run GRC. Those two people also manage:
- All IT risk management
- All non-IT supply chain risk management, covering sourcing, cyber, and supply chain risk
- All internal auditing capabilities
- All security awareness capabilities
- All PCI DSS compliance
Additionally, once his team could track and manage security incidents, measure mean time to discovery and mean time to resolution, and generate reports for internal stakeholders, he knew the platform’s automation capabilities had reduced manual effort and improved response times.
According to Baird, “With two people, I’m able to do the work of 10 inside of Onspring because we’re able to manage everything: all of the PCI DSS controls are managed and measured inside of Onspring, all of the surveys and assessments for doing supply chain assessments are managed in Onspring, and all of our security awareness tracking or training is done in Onspring.”
He emphasizes, “These are all things that are workforce multipliers. Onspring allows us to do more at a level that would take double my number of staff without it.”
Tangible Savings
Ultimately, Baird reports that Onspring has allowed Focus Brands to manage processes more effectively and in a repeatable manner, a scale that is striking given that the team handles IT and enterprise risk management, audit, and compliance for the enterprise and more than 6,000 locations.
According to Baird, “All the things that Onspring allows us to do—tracking, reporting, managing, taking all of my controls, doing all the auditing capabilities that we have using it to satisfy legal requirements and privacy requirements—all of these things have a tangible aspect to them.”
He says they’re also able to govern from a legal perspective, which allows them to become better stewards of their compliance time and budget. Ensuring that deadlines are met, and showing insurance providers that they can manage security and privacy risk, results in better insurance rates, which saves the company both time and money as a whole.
Enhanced Program Maturity
Once Onspring could help identify potential supply chain vulnerabilities and proactively mitigate risks to ensure the continuity of their operations, Baird knew this comprehensive approach to vendor risk management had strengthened their overall security posture.
Once Onspring could provide a clear picture of the organization’s security posture against a multitude of controls mapped to 102 authoritative sources, Baird knew he could show that their program supported better decision-making and resource allocation.
To measure this work, Onspring’s maturity assessment process enabled Focus Brands to track their security controls’ maturity levels accurately. This provided a clear overview of their program’s effectiveness and allowed for targeted improvements.
Fully Comprehensive, Mature Practices in Less Than Three Years
By leveraging Onspring’s GRC and business process automation software, Focus Brands successfully enhanced their risk management practices, streamlined their incident response, and improved vendor risk management. The platform’s flexibility, automation capabilities, and centralized repository for policies and controls provided the organization with a comprehensive solution to address their complex security and privacy requirements.
With Onspring, Focus Brands achieved greater efficiency, cost savings, and a strengthened security posture, ensuring the continued success of their global food service brands.