How ZoomInfo is automating trust management

George Lawton, May 8, 2024
Simon McDougall, Chief Compliance Officer at ZoomInfo, explains how the firm uses Vanta's trust management tools to streamline security, compliance, risk management, and sales processes.


Building trust across a large enterprise can involve juggling a lot of information across different workflows and processes. Compliance teams need to vet information controls. Security teams need to distill information from many systems. HR teams want to ensure that everyone is following best practices and local regulations. Risk management teams need to balance the costs and benefits of various risk controls. Customers need to vet vendors’ IT controls before entrusting their data to a third party.

Now, ZoomInfo is leveraging a consolidated suite of trust management tools from Vanta to help automate many of these processes. Simon McDougall, ZoomInfo's Chief Compliance Officer, says previously, the firm relied on a collection of manually curated spreadsheets and email threads to connect the dots across teams. Fielding requests from new and existing customers was a slow, manual process that required capturing lots of screenshots and haphazardly organized data.

McDougall says:

We were basically just dealing with questions as they came in and providing the same kind of documents again and again as a team. So, for us, the value of Vanta is reducing the sales cycle. A lot of it is self-serve, so customers can go in there and just get the basic stuff they need. And for a lot of customers, that's all they want. And with other customers, they might want to have more in-depth material.

Once a customer has completed an NDA in Salesforce, it gains access to that more in-depth material on ZoomInfo's processes. Previously, this was an elaborate process involving a series of emails, and a salesperson would sometimes send customers outdated information dug out of an old email thread. Vanta's tools enforce version control, so everyone relies on the most recent documents.

Streamlining risk management

About a year ago, ZoomInfo launched a major effort to assess all its major risks across the organization, spanning economic, security, operational, physical infrastructure, HR, and reputational risks. It started in a spreadsheet but shifted to new Vanta tools that automate the tracking and management of inherent and residual risks in a central risk register. The inherent risk captures the likelihood and potential cost of an issue such as a GDPR enforcement action, a security breach, or an earthquake before any control is applied. The residual risk accounts for the cost of the candidate controls and how much each reduces the likelihood or impact of the scenario.

McDougall explains:

So you might have controls across risk. The inherent risk is just the thought process before the control. So firstly, we go and see what might happen because we do business. If we were manufacturing radioactive measuring things for the medical industry, we would have risks around handling radioactive material. You put that in, you say, ‘What is the likelihood, and what is the impact of interest.’ For example, the likelihood that we will be affected by an earthquake might be higher on the West Coast or elsewhere. Then, you overlay the control. So, do we have disaster recovery in place to manage that risk? And so you can basically say to the board, ‘Here's the biggest thing we have to manage, and here are the controls we have that pull these things down to a point where we're happy.’
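The inherent-versus-residual scoring described above, as an added illustration rather than ZoomInfo's or Vanta's code: it assumes 1-5 likelihood and impact scales, treats each control as knocking points off one or both dimensions, and uses a constructed register with invented control costs.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    annual_cost: float             # cost of running the control (constructed figures)
    likelihood_reduction: int = 0  # points knocked off the 1-5 likelihood scale
    impact_reduction: int = 0      # points knocked off the 1-5 impact scale

@dataclass
class Risk:
    name: str
    category: str    # economic, security, operational, physical, HR, reputational
    likelihood: int  # inherent likelihood before controls, 1 (rare) .. 5 (near certain)
    impact: int      # inherent impact before controls, 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Overlay the controls; neither dimension drops below 1 on the scale.
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

def board_summary(register, appetite=6):
    """Rank by residual score and flag anything still above the stated risk appetite."""
    ranked = sorted(register, key=lambda r: r.residual_score(), reverse=True)
    return [{"risk": r.name, "inherent": r.inherent_score(),
             "residual": r.residual_score(), "control_cost": r.control_cost(),
             "within_appetite": r.residual_score() <= appetite} for r in ranked]

def build_register():
    """Constructed sample register; the entries and figures are illustrative only."""
    dr = Control("disaster recovery site", 120_000, impact_reduction=3)
    mfa = Control("MFA on all SaaS logins", 40_000, likelihood_reduction=2)
    backups = Control("tested offline backups", 25_000, impact_reduction=1)
    privacy = Control("GDPR privacy program", 90_000, likelihood_reduction=2)
    return [
        Risk("security breach", "security", 4, 5, [mfa, backups]),
        Risk("brand damage from a public incident", "reputational", 2, 4),
        Risk("earthquake at West Coast data centre", "physical", 3, 5, [dr]),
        Risk("GDPR enforcement action", "economic", 3, 4, [privacy]),
    ]
```

Calling `board_summary(build_register())` ranks the register by residual score, leaving the breach scenario and the uncontrolled reputational risk above appetite while the earthquake drops to 6 once disaster recovery is overlaid.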

AI risk management is immature

Traditional information security compliance is mature, and most large enterprises ask similar questions. In an ideal world, it'd be the same questionnaire for every company. There have been some efforts to standardize questions, but some companies want to have extra little bits that don’t quite fit into a framework. Here, the Vanta tools can help pull out and formulate appropriate responses from a centralized and versioned knowledge base.

However, the rapid growth of AI and its uncertainties are also raising headaches for McDougall’s team as they try to respond to a variety of new questions and considerations. He explains:

AI risk management is a very immature and new area, and there aren't the same kind of questionnaires out there. So, you must have a broader range of documentation and a bit more freestyle responses. There aren't yet the same kind of standards in place as with security, and what will sort of change over the next couple of years is getting to a more structured and standardized way of discussing other areas of compliance risks.

Here, they use the Vanta tools to help respond to the various kinds of questions that come up. Sometimes, these can be related to more structured information. But Vanta is also starting to leverage generative AI to help correlate new inquiries with information in a centralized knowledge base about risk management processes. An AI chatbot allows potential or existing customers to ask free-form questions about a vendor’s security controls and processes.

A questionnaire automation tool uses AI to jumpstart the process of helping teams respond to lengthy security questionnaires that often ask for the same security and compliance information in slightly different ways. It saves time by generating suggested responses for security teams to review and approve rather than starting from scratch each time. It can also analyze previously submitted questionnaires and security documentation to update the knowledge base as policies evolve.

But this requires oversight to ensure that hallucinations don't slip into the conversation. Jeremy Epling, Chief Product Officer at Vanta, said the company has also invested a lot of work in refining the data used to train more competent AI. For example, it has developed a golden data set that it constantly trains against, and it then measures the model's output against customer feedback to determine whether a result was helpful or needed more work.

However, he points out that it was important to refine the training process without directly using customers' data. Epling explains:

So, we don't train on any customer data, but we work with our customers to see which questions are voted down or not. That gives us a signal to then engage with the customer and let us know which parts of our data set may be off and where we need to grow a bit. We also use different prompt engineering libraries to go through and test against the golden dataset. We are looking at precision and accuracy numbers, how we continue to drive those, and the kind of win rate.

My take

The process of building trust within and between organizations will keep growing more complex as risks become more frequent and their severity escalates. These risks have traditionally been considered in isolated silos such as HR, security, IT, supply chain, environmental, and reputational categories, which are difficult to compare on an apples-to-apples basis. Things will only get more complicated with the new risks AI introduces, such as data leakage, copyright infringement, and hallucinations.

The risk management industry is still developing a consolidated approach to estimating, budgeting, and collaborating across categories. A new category of IT compliance automation platforms has emerged from vendors like Drata, Sprinto, Scrut, Laika, and HIPAA One.

Vanta is doing some interesting work to extend this kind of capability to other types of risk as well. It's still early, and it will be interesting to see how compliance automation, risk management, and security tools evolve into more consolidated digital twins that #acceleratetrust within and between organizations.

