How Giift streamlined security ops across 14 entities following ISO27001 implementation with Sprinto

Giift is a Singapore-based loyalty marketplace with end-to-end loyalty solutions that engage and reward customers as well as your teams. Staying true to the pioneering ideology, Giift is continuously setting new benchmarks for the loyalty industry worldwide. It is the leading loyalty solutions provider spread across 55+ countries, with over 50,000 programs, and engages more than 65 million users across banking, payments, travel, utilities, retail, and numerous other sectors.

ISO 27001
Singapore
+40% improvement in org-wide efficiency
15% reduction in RFP response time

Challenge

Because Giift works with enterprises that control and process reams of customer data on their systems, 80% of Giift’s loyalty platform implementation must happen on-prem. As a result, these customers, in an effort to ensure tight compliance with regulations and internal mandates, tend to share security questionnaires, requesting answers to as many as 400 questions. These typically come as part of the RFP.

“Enterprises want to dig into details of how we do things like branching, patch management, vulnerability management, pen testing, data encryption, and more. They also want to know our internal processes and policies,” notes Shreerang Gondegaonkar, CTO of Giift.

“But RFPs have a time limit – you have to respond quickly. Sadly, explaining our entire security posture and providing evidence of good practices consumes a lot of sales bandwidth,” he adds.

Because Giift is spread across multiple entities, the RFP process can vary significantly from region to region. With further [business] expansion on the cards, Giift was keen to optimize its RFP process as early as possible to improve sales efficiency across all its markets. “You can’t have people working only on RFPs. Sales teams – no matter where they are – should be able to respond to security questions quickly using a standard template,” says Shreerang. “It became important for us to be agile on this process,” he adds.

With each implementation, Shreerang could see an increasing need for ISMS. “We knew we should set this up along the ISO27001 framework,” he remarks. “It was something our clients also demanded.”

Applying ISO27001 standards across each of Giift’s 14 key entities would ensure a uniform, auditable security practice; the ensuing certification would prove – indisputably – effective infosec capability. “In fact, the certification would adequately answer many security questions and expedite due diligence,” remarks Shreerang.

To implement ISO27001 standards and get certified, Giift sought out a partner who could

  1. Get the process going at the earliest
  2. Help orchestrate compliance across 17 entities at once
  3. Move the organization towards agility and efficiency without a lot of lift

Giift chose Sprinto to power its ISO27001 compliance journey.

“I spoke to a lot of vendors. But no one gave us the kind of confidence that Sprinto did. The choice to work with the platform and the team was easy and immediate.”

Solution

Sprinto was implemented to map and manage Giift’s control measures for ISO27001 compliance. A core team worked with Sprinto’s compliance experts to define Giift’s ISMS scope and security baselines as per risk assessment.

“Sprinto collated everything under one roof. Control monitoring was automated through integrations, so there was no manual work, per se. Sure we had to do our bit to categorize and put across the right roles and responsibilities for users. But we were able to move fast thanks to Sprinto.”

To implement the ISO27001 standards across each of the 14 entities, Giift decided to strategize by way of “divide and rule”. They created mini clusters across each region, training select individuals on security practices and entrusting them to train other clusters and teams under them. “We completed security training for everyone within a week!” exclaims Shreerang.

“Sprinto was transparent from the beginning. Very early on in the process, the Sprinto team had called out that getting people together to complete security training, across such widely spread entities, would be challenging,” remembers Shreerang. “But because we knew the bottleneck going into the process, we could set the right expectations, strategize, and avoid slowing down.”

Sprinto platform implementation was completed in under 8 weeks to meet Giift’s ambitious compliance certification timelines.

Shreerang Gondegaonkar, CTO of Giift

“We had a timeline to achieve so we had to be strategic about how we went about ISO27001. From defining processes and policies to getting all employees under compliance, each sufficiently trained – despite language barriers – Sprinto was instrumental to our success. Throughout, the platform would pull the data and all I had to do was help categorize it: it was all fairly straightforward. This is why we were able to complete ISO27001 so quickly.”

Results

Giift completed ISO27001 implementation in 8 weeks and received their certification in 4.

Immediately, the ISO27001 certificate was made available to all teams – sales included. “Now, our presales and sales teams spend little-to-no time justifying our security practice,” remarks Shreerang. “Earlier someone from the infra team had to come in and explain to our prospects what we do and why. But they had their own priorities which never matched sales KPIs. All of that’s smoothened,” he says.

Since their certification, Giift has noticed that the typical RFP response time has come down from up to 8 days to 6. “With ISO27001, the first level of information is filled. And because we have trained our teams, they answer security questions easily and do it better than before. All information is now consolidated in one place.”

In the process, Sprinto has also become Giift’s trusted ISMS, helping them maintain good security practices while enabling them to act with agility on all matters related to information security.

“Though we played our part, it was important for our partner to play theirs as well,” remarks Shreerang. “Honestly, I was unsure if we could even get it going in 6 weeks, but we received our certificate in 4 weeks with Sprinto,” he declares.

“With ISO27001, we were primarily focusing on ensuring our security practices and strengthening our processes. We have sufficiently managed both. Our hiring process has improved, our policies are now consolidated, and with the Sprinto dashboard in place, everyone can easily view and accept company policies. Sprinto, in fact, keeps us compliant by moving us toward the right behaviors and practices – forcing the team to ensure zero glitches. This is the only way to strengthen security and stay compliant.”