Uber, Airbnb, others launch Vendor Security Alliance

Led by Uber's head of compliance, the VSA will focus on sharing cybersecurity best practices

Editor's note: Our 6th Annual Vator Splash LA conference is coming up on October 13 at the Loews Hotel in Santa Monica. Speakers include Mark Cuban (one of the hosts of Shark Tank and owner of the Dallas Mavericks); Brian Lee (Founder & CEO, Honest Company); Leura Fine (Founder & CEO, Laurel & Wolf ); Nick Green (Co-Founder and Co-CEO, Thrive Market); Tri Tran (CEO & Co-founder, Munchery); Adam Goldenberg (Founder & CEO, JustFab); Andre Haddad (CEO, Turo); Mike Jones (Founder, Science) and many more. Join us! REGISTER HERE.

There’s a classic quote about the secretly unstable, insecure nature of the internet:

“The internet from every angle has always been a house of cards held together with defective duct tape. It’s a miracle that anything works at all. Those who understand a lot of the technology involved generally hate it, but at the same time are astounded that for end users, things seem to usually work rather well.”

Well, now a few big tech companies are trying to do something about it.

Led by Uber, some of the most prominent names in tech—including Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square, and Twitter—today announced the launch of the Vendor Security Alliance (VSA), a coalition of companies dedicated to fostering more cohesive, collaborative conversations and action around internet security.

In its mission statement, the VSA argues that for one company to have robust cybersecurity, they must trust that their peers do the same. This makes sense given both the direct integrations and indirect relationships that exist between major technology companies. And yet, the argument continues, these same companies have done very little to ensure that their security practices are standardized across the industry.

The VSA is intended to be a solution to that problem, regularly convening security experts and compliance officers to compile a yearly questionnaire, which companies can then use to analyze their own cybersecurity risk.

“Sharing expertise and standardizing acceptable cybersecurity practices will create a baseline of acceptable security for all vendors, as well as reduce vendor risk,” wrote Ken Baylor, Uber’s head of compliance. “Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors’ security practices.”

Though the first questionnaire won’t be unveiled until October 1, the overarching topics have been shared:

• Service Overview
• Policies and Standards
• Software Supply Chain
• Data Protection and Access Controls
• Proactive Security
• Reactive Security
• Compliance

Of course, the VSA is far from the first organization to commit itself to establishing cybersecurity standards. Today there exist over a dozen major groups that issue guidances and adopt standards related to technology and cybersecurity, from international bodies like the European Union (EU), the Group of Eight (G8), and the United Nations (UN) to tech-centric ones like the Internet Engineering Task Force (IETF), the Internet Corporation for Assigned Names and Numbers (ICANN), and the Institute of Electrical and Electronic Engineers (IEEE).

Given the crowded field, I wonder whether the formation of the VSA will only serve to complicate matters. After all, standardization requires unity, and a new organization technically only makes the field a bit more fragmented. Furthermore, the fact that the VSA’s membership is led exclusively by a coalition of for-profit businesses raises questions about the objectivity of the group and its overall intention.

Regarding the first question, Baylor told me that he believes the VSA is unique because it's not dealing with the general problem of cybersecurity "but on the narrow area of vendor cybersecurity i.e. How do you know the company you contract with will keep data secure?"

As for my question about the motives for Uber, Airbnb, and other for-profit businesses, Baylor pointed out for me that the VSA itself is a non-profit organization. And given the focus of the group, it makes sense that members would come from companies that would classify as "vendors." According to Baylor:

"The questionnaire also serves to help startups who now know what will be asked of them by their larger customers, and they can start building products with security built in from the very start. They get sales faster, and we get past the era of insecure software. It's a win-win."

True, it certainly benefits for-profit businesses to be able to promise the best in security for their customers. Yet I imagine the broader tech community will still have a vested interest in independent organizations and watchdogs making sure those businesses are delivering on their promises.

Ed. note: Our 6th Annual Vator Splash LA conference is coming up on October 13 at the Loews Hotel in Santa Monica. Speakers include Mark Cuban (one of the hosts of Shark Tank and owner of the Dallas Mavericks); Brian Lee (Founder & CEO, Honest Company); Leura Fine (Founder & CEO, Laurel & Wolf ); Nick Green (Co-Founder and Co-CEO, Thrive Market); Tri Tran (CEO & Co-founder, Munchery); Adam Goldenberg (Founder & CEO, JustFab); Andre Haddad (CEO, Turo); Mike Jones (Founder, Science) and many more. Join us! REGISTER HERE.