With major leaders in the tech industry getting hacked frequently in recent years, it has become clear that companies must take cybersecurity more seriously. In an effort to accomplish this, a new organization called the Vendor Security Alliance has been formed. Composed of major companies including Twitter, Dropbox, Docker, and Uber, the VSA seeks to create a uniform cybersecurity standard among companies.
The way the Vendor Security Alliance works, according to a blog post by Uber, is by measuring “vendor cybersecurity risk, covering areas such as policies, procedures, privacy, vulnerability management and data security.” This process will consist of a publicly available questionnaire to be answered by every company belonging to the VSA. The next step is involving independent cybersecurity professionals to determine what can be improved upon and set in place as a uniform standard.
As the Uber post states, “sharing expertise and standardizing acceptable cybersecurity practices will create a baseline of acceptable security for all vendors, as well as reduce vendor risk.” This raises the question, however, of how companies outside of the Vendor Security Alliance can benefit from these practices. At the moment it doesn’t seem as though the VSA has an answer for this. In another blog post, Atlassian stated that “having an independent entity manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use.” Notice that they stated “members,” rather than “all companies.” I worry that the VSA will still lead to lopsided security protocols among vendors.
Even though the Alliance’s mission is standardizing all business cybersecurity practices, you really have to wonder just how public its information will be. These questions need answers because, at least right now, only major companies seem to be benefiting from this new group. It is simply a fact that the more revenue a corporation makes, the greater its access will be to upper-tier cybersecurity resources. My hope is that the upstarts and other companies will gain the same knowledge and standards that major companies like Twitter will get, but I’m not going to hold my breath.
The VSA is a step forward, but more must be done to ensure a universal cybersecurity standard.