Some of the world’s largest technology companies, including Uber, AirBnB, Square and Twitter, are joining forces to benchmark the cybersecurity standards of companies they do business with.
The Vendor Security Alliance launched Thursday and will unveil a questionnaire on Oct. 1. Companies seeking to do business with the alliance’s members — or seeking their stamp of approval — can fill in the questionnaire and submit it along with required documentation. Their responses will be assessed and scored by independent third party auditors, enabling businesses to streamline and standardize their vetting process for vendors’ cybersecurity risks.
“Ensuring the vendors you work with also have secure Internet practices is just as important as maintaining such practices at your own company,” said Uber Head of Compliance Ken Baylor, the alliance’s president, calling the process a “game-changer for businesses around the globe.”
In addition to Uber, AirBnB, Square and Twitter, other founding companies are Atlassian, Docker, Dropbox, GoDaddy and Palantir.
Baylor said the founding member companies’ cyber experts had spent 20 hours drawing up the questions, after consulting the NIST Cybersecurity Framework and other reference documents. The questionnaire will be revised each year, he said.
“We looked at all the frameworks and the many, many questionnaires we had seen. Then we took a risk-based approach and focused on the fundamental risks and how to address them,” he said.
Risk management “is key to everything.”
The alliance’s board will oversee the scoring system, Baylor said, adding it “will be weighted heavily on ensuring sound data protection is in place. The focus is on strong data security fundamentals, which involves classification, protection and access control,” he said in an email interview.
“Companies with strong fundamentals are much harder to breach,” he said.
The news was welcomed by Ari Schwartz, a former senior White House cyber official who now works for the Venable law firm and heads up the Coalition for Cybersecurity Policy and Law.
Schwartz said the alliance questionnaire was a needed alternative to compliance processes like ISO. “A lot of companies have focussed on ISO compliance, but that doesn’t address specific risks or security threats that the company might pose to buyers” or business partners, he said.
“ISO is a different beast,” explained Baylor. “We focus on measuring real cybersecurity practices within the whole scope of the service under evaluation. This allows us to measure relevant risk.”
He said the alliance was a non-profit, and would charge to recoup the cost of audits.
“The cost of the audit will be borne by the requester of the audit. We will ensure the cost is reasonable an proportionate to the amount of work required,” he said.
Baylor said he hoped to expand the alliance membership in due course. “We are happy to expand our membership and create better standards,” he said.
“Any company with a strong interest in improving the security of the internet is welcome to join,” he added, at a cost he said was “TBD.”