The Vendor Security Alliance launched at the end of September 2016 with a questionnaire aimed at helping companies assess the security risk of their third-party vendors. It caught on more quickly than the VSA founders expected -- around 8,000 companies have already downloaded it. Now, the nonprofit coalition is ready to scale up its efforts, its leaders said February 16.
"Quite often with vendor risk management, it takes a long time to happen," Ken Baylor, VSA president and Uber's head of compliance, told ZDNet at the RSA conference in San Francisco. The nonprofit's goal, he said, is to create a fast and efficient vetting process that's "done within four minutes, not four months."
The questionnaire is available to anyone online, while VSA members have the extra benefit of having finished questionnaires reviewed by an independent auditor. To speed up the process, the VSA is going to assign vendors an auditor as soon as they fill out the questionnaire. Then the VSA will make the final audit available to any VSA member.
"The problem with just a questionnaire-only approach is you can quite often have every single company auditing that vendor," Baylor said. "So we're trying to say, how can we get rid of that bottleneck?"
The VSA launched with nine member companies -- Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb -- that saw the need for a better vendor vetting process.
"When you do business with a company, you're no longer doing business with just that company, but all the other companies it interacts with," Baylor said. "A big focus on user privacy and brand safety is, how do I make sure the vendors I'm working with will keep my data safe and most importantly, that of my customers?"
When they got together, "every one of us were asking different questions" of vendors, Baylor said. "As we went out and talked to others in the Valley, we literally had hundreds of different companies asking hundreds of different questions." Meanwhile, he added, vendors were getting overburdened with different questionnaires from their potential customers, some of which didn't ask the right questions.
"The key questions start with what type of data are you accessing," Baylor said. "That gives you the inherent risk of the vendor. Then, what controls do you have in place to handle that data? That gives us a quick comfort level, that you know what you're doing and are implementing controls effectively."
The questionnaire isn't meant to serve as another compliance standard -- rather, it aims to give companies an easy way to assess the risk of each vendor and determine what level of risk they're comfortable with.
So far, the VSA has learned that small startups are at times better than larger vendors at integrating security into their products.
"In very large organizations, we have very competent security teams but then a lot of people in, say, engineering running the product, and they don't talk as well as they should," Baylor said. By contrast, the group has worked with companies "fresh out of Y Combinator," and they're taking the questionnaire to heart.
"Our big goal is to raise the bar for everybody," Baylor said.