Nine technology companies (Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb) have recently founded the Vendor Security Alliance (VSA), an independent, non-profit coalition that aims to help member companies evaluate the security and privacy practices of the third-party providers they rely on heavily and entrust with their users' most important data. The group has also taken it upon itself to standardize and publish a benchmark of acceptable cybersecurity practices that vendors need to comply with.
As you may recall, criminals can compromise a company they are targeting by first breaking into the systems of its third-party providers or subcontractors. That is what happened in the Target breach.
In a blog post, George Totev of Atlassian gives readers a bird's-eye view of how the group will operate:
We believe trust begins with transparency and accountability, and having an independent entity [to] manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use. [For example] Each cloud company will be evaluated, audited, and scored based on a set of common criteria that measures cybersecurity risk, policies, procedures, privacy, vulnerability management, and data security.
Each year, the VSA will create and publish a security and compliance questionnaire that companies can use to assess vendor risk against a set of predetermined criteria (note that only VSA members can have vendors independently audited). Once scored, a vendor can present its VSA rating when offering its services, effectively skipping the verification process that each prospective customer would otherwise have to run itself.
VSA will make the first questionnaire available to the public on the 1st of October 2016.
Ken Baylor, President of the VSA and Head of Compliance at Uber, explains why the alliance is an industry game changer:
Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors' security practices. The VSA will also enable companies to save time and money through the use of a standardized cybersecurity evaluation with real-time answers. The current way of evaluating cybersecurity risks and approving vendors can take several months; the new VSA process cuts the process down to minutes.
It is worth noting that the VSA is only one of several security groups that have been formed to address one part of the larger, complicated cybersecurity problem we all face, in this case third-party security compliance and risk.
In March 2009, eBay and ING announced the formation of the Cloud Security Alliance to promote best practices for secure cloud computing. Then, in September 2015, AirWatch formed the Mobile Security Alliance together with 10 other companies, aiming to mitigate the growing threats in the mobile landscape.