Some of the biggest names in technology have joined forces to create a coalition that aims to improve cybersecurity standards. The hope of the Vendor Security Alliance (VSA) is that it will help businesses assess how secure third-party providers are.
The scheme was founded by Uber’s head of compliance Ken Baylor, who will become the VSA’s president. The other founding companies include: Pivotal, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, Docker, and Airbnb.
The VSA says it will enable companies to ensure that the other companies they partner with are just as secure. The hope is that it will save time and money by removing the need for companies to evaluate each partner they work with. It will do this through a yearly security and compliance questionnaire which will be used to assess vendor risk using a predetermined set of criteria, controls and practices, the group said in a statement.
“Every day, industries across the globe depend on each other to embrace sound cybersecurity practices: yet in the past companies have not had a standardized way to assess the security of their peers. The VSA was formed to solve these issues and streamline vendor security compliance,” the VSA’s Mission Statement reads.
“We typically work on technology solutions for problems, but in this case we saw that the best way to contribute was to work on standards and processes,” said Nathan McCauley, Director of Security for Docker. “By contributing to a standardized set of best practices and guidelines, the Vendor Security Alliance will enable organizations to evaluate companies using common criteria while in turn providing vendors with a predictable set of requirements.”
Risks posed by third party vendors are often underplayed but they can have terrible consequences. The data breach at US retail company Target happened after cyber-criminals stole network credentials from a third-party vendor, specifically a heating, ventilation and air conditioning (HVAC) vendor.
The move has been greeted with cautious optimism by other security experts.
Ed Macnair, CEO of CensorNet, said: “The world’s businesses are moving online and that has its benefits, but it also presents a tremendous amount of risk. We have to place our trust in companies that their security practices are just as stringent as our own and ensuring that’s the case is not an easy process. The idea of the Vendor Security Alliance is a good one and will hopefully establish a baseline for security standards across industries.”
“However, we need to avoid a box ticking scenario where businesses do just enough to meet the baseline. Every organization will have different risk factors and shouldn’t rely on a standardized questionnaire to determine the protocols that should be in place. While the intentions behind the VSA are good, businesses should be encouraged to use the advice as a guide, not a Bible,” Macnair added.
“From a cloud security perspective, we’d like to laud the vision of these founding organizations, as cloud services are increasingly used to connect with third-party vendors, thereby creating significant risk,” said Rajiv Gupta, CEO at Skyhigh Networks.
“The cloud has made sharing data outside the company as simple as sharing a public link, or inviting a vendor to collaborate on a document. The average company connects to 1,555 partners through the cloud and 30% of corporate data is shared with partners that are high-risk. Evaluating vendors is one part of the equation, but it is just as important to be able to actually enforce policies to prevent data from being shared with high-risk partners,” Gupta added.
Photo © Syda Productions