Project Description

ABB Optical healthcare manufacturing customer Onspring GRC Software

A case study from ABB Optical Group

Read lessons from the CISO of ABB Optical Group, who garnered learnings after launching Onspring at both ABB Optical, a leading provider of optical products for the eye care industry, and Intarcia, a biopharmaceutical company, both headquartered in the United States.

“You’re only limited by your vision.”

Lesson 1

Phase your Onspring uses for speed to market

In their excitement to immediately maximize everything available in Onspring, the InfoSec team slowed down launching new programs into production. “There were just too many features the team wanted to include at the onset. Because you can do so much, anything can be large.”


The best way to take advantage of the platform is to optimize your immediate business needs first, then add incremental phases to address the nice-to-have elements.

Lesson 2

Identify how you can best integrate your end users

The ABB InfoSec team realized that building an incident management tracking system in Onspring alone wasn’t going to create the level of enterprise engagement required, so they designed forms within their intranet that fed into Onspring. In doing so, the entire ABB Optical organization can interact with the security compliance team in a platform in which they already have comfort and familiarity.


Employees of ABB Optical now send requests for support or incident needs directly to the information security team. Streamlining created faster ticket fulfillment and reduced their team’s workload by 50%.


Design not just for yourselves but with your end-users in mind.

Lesson 3

Connect BC/DR plans to all your assets in Onspring

Spreadsheets were not keeping up with their business lifecycle and were not lending to business continuity planning, so the InfoSec team rolled asset management and business continuity programs into Onspring. They connected risks to every asset under management, which created key factors in their risk mitigations and recovery plans.


Business continuity test plans and individual recovery plans should live in Onspring and connect to every asset in your organization so you can review where you stand at a moment’s notice.

Lesson 4

Look across your enterprise to see where automation can help

By adding the simplest automation into so many different aspects of their business, the InfoSec team is now focused on driving their business versus driving their technology.


We can withstand three audits back to back, and our external auditors have commented on the fact that we are light years ahead of peers with the ability to demonstrate at-a-glance where the risks are in our organization.

Lesson 5

Take advantage of Onspring professional services team

In hindsight, as a first-time user, it would have been better to utilize the Onspring professional services team because they are subject matter experts in the platform and can bring ideas to market much faster.


Don’t be afraid to ask for help. If budget is your issue, consider using them for planning and strategy, while you manage the configuration.

Lesson 6

Plan who will serve as the best Onspring administrator

The Onspring platform is not technical. Your Onspring administrator does not need technical skills.


Choose someone who knows your business and the various roles in your organization to serve as your administrator.

Lesson 7

Utilize automated surveys to quickly assess vendors

The InfoSec team mapped third-party vendor survey data to the UCF framework to validate controls. By building scoring into their surveys, they were logging real-time, risk-evaluated data each time a survey was submitted. These simple steps enabled their team to see immediately any issues needing remediation.


Create reporting dashboards that show risk for both your organization and a third-party security perspective.

Lesson 8

Make a plan based on what you want to do for each process

Whether you’re first starting out in Onspring, or you’re thinking about what other programs you want to add to the platform, go after each process addition in a planned manner. This ensures you never overspend on implementation, you build the proper foundation, and your team is adequately trained.


Choose your business priorities first. These should drive your Onspring evolution phases.

Download this case study

Regulation Solutions for NIST NERC CMMC GDPR by Onspring
Analytics Creates Better Decision Making