St John WA

UpGuard helps St John WA maintain visibility and coverage over thousands of vendors.
Vendors managed
Time needed to assess a vendor previously: 20-80 hrs
Assessment time saved per year: 2000 hrs

About St John WA

St John Western Australia (St John WA) is a non-profit organisation that provides essential healthcare services including ambulance services, first aid training and medical centres. Serving the Western Australian community for more than 130 years, the organisation seeks to build resilient communities through the relief of sickness, distress, suffering, and danger.  

Andrew Bullen is the Manager of IT Security & Governance at St John WA and is primarily responsible for cybersecurity, technology risk, and governance.

The Challenge

As a healthcare organisation, one of St John’s main priorities is safeguarding patient data and Protected Health Information (PHI) by monitoring and securing its vendor ecosystem. Reliant on an extensive network of suppliers, vendors, and partners for day-to-day operations, St John faced several challenges in managing third-party cybersecurity risk. 

Prior to onboarding UpGuard, St John relied heavily on manual processes - such as manual searches, spreadsheets, and Word documents - to manage numerous third-party vendors. This manual process was resource-intensive, slow, and lacked a structured approach to understanding the risk associated with their extensive network of third-party vendors. Andrew found it challenging to determine the exact number of vendors St John WA engaged with, making it difficult to categorise them based on their risk levels.

To compile a comprehensive list of vendors, Andrew had to collaborate with the Finance and Procurement departments to identify every vendor. With nearly 7,000 vendors at the time, this process was incredibly time-consuming and yielded only surface-level information about each vendor, without providing a full understanding of the nature of each supplier's integration with St John. 

“Third-party assessments could take up to 20-80 hours per vendor. With hundreds of vendors, it would take a team of two a full year to assess them all.”

Additionally, many of these vendors were smaller, local vendors across Western Australia, which made it difficult for Andrew and the team to ensure they had the same level of security as their larger suppliers. In most cases, the team had to send questionnaires individually to each vendor to understand how they were being used. St John lacked the ability to understand the full scope of its third-party risk and needed a tool to help build a more structured approach to onboard, assess, and evaluate vendors.

The Solution

Andrew, having previously used UpGuard at another organisation, was able to move quickly when it came to assessing how the platform could solve the challenges St John was experiencing. While the organisation had an existing security monitoring tool in place, it had limited scalability to support its vast vendor ecosystem. St John found that UpGuard’s Vendor Risk product was able to monitor significantly more vendors at a comparable price point to their existing solution. This addressed the healthcare company’s most pressing need for vendor coverage.

Another key benefit for Andrew and the St John team was the ability to automate and track the completion of their third-party security questionnaires. For a small team with limited capacity to handle the extensive manual workload required for thorough risk assessments, UpGuard’s Managed Vendor Assessments (MVA) saved them a great deal of time and effort. UpGuard’s in-house team of cybersecurity analysts was able to handle the entire vendor assessment process from start to finish. Upon assessment completion, the St John team would be notified and could access a historical record of all assessments undertaken as and when needed.

“We previously used one service for security ratings and another for managed security assessments, which was a very manual process trying to communicate between both services. UpGuard allows us to manage everything in the platform under one provider, which was extremely convenient.”

St John also uses BreachSight's keyword search feature to identify any data leaks impacting its supply chain. In previous services, other keyword detection features were susceptible to false positives, making the entire process extremely inefficient. Since St John began using UpGuard’s Data Leak Detection feature, the platform has become a key part of its organisational security monitoring process.

Additionally, to meet the data security requirements of the Australian Privacy Act, St John aligns with the NIST CSF framework, accessing UpGuard’s library of questionnaires to manage third-party compliance. Furthermore, as a major government contractor, St John looks to align with Essential 8 controls and guidelines. With UpGuard’s platform, St John is able to map its compliance obligations to these frameworks and controls. 

The Result

The onboarding process for St John was extremely easy, quick, and seamless. Andrew notes that it was a “refreshing experience” to work with a responsive, friendly team that prioritises their customers through regular check-ins, coverage across different time zones, monthly calls, and follow-ups that have greatly improved their internal processes.

“UpGuard is one of the best vendors I’ve ever worked with. Onboarding was super quick and easy–it didn’t take them very long to set up their environments. There also wasn’t much of a learning curve because the platform is very intuitive and easy to navigate.”

The biggest benefit that St John found was the time and resources saved by using UpGuard. Whether it’s through automation, new features, or a constant feedback stream, St John WA can continue assessing new and existing vendors without needing to expand their team, especially as they scale. Andrew appreciates the autonomy that the platform provides and the workload that has been freed up since using UpGuard.

“UpGuard has saved us around 2000 hours of assessment time, equivalent to two personnel per year.”