VSA. Why this is Great for SaaS Companies!

2016-09-18_17-40-10

The VSA is a super new group called the Vendor Security Alliance. As soon as I read this article about it, I realized it was a great idea for all Software as a Service (SaaS) companies and will help get cloud service contracts signed. And hey, as attorneys that help SaaS companies get SaaS contracts signed, we were very excited. So here is our thinking:

  1. What is the VSA?
    • Here is their quote: “In collaboration with the VSA, top security experts and experienced compliance officers will release a yearly questionnaire to benchmark their risk. Companies can leverage this questionnaire to qualify vendors and ensure the appropriate controls are in place to improve security for everyone.”
    • The questionnaire is only stage 1, as it appears that they plan to come up with a VSA certified score. This scoring system could really help SaaS companies communicate their security practices.
  2. Security issues are the #1 due diligence item we see in SaaS deals.
    • Security due diligence is really slowing deals down, and the level of detail required to close a deal keeps increasing. In fact, info sec managers and directors at customers are on more and more conference calls during the contracting process and asking lots of questions.
    • It is not a bad thing, in fact it is a good thing, but we have to find a technological way to speed this process up. Hello VSA!
  3. The VSA process (if it works and is executed well) could provide an efficient and effective way for SaaS vendors to explain their security practices.
    • In essence, if the VSA develops an accepted rating system, potential customers can use this rating system as the main part of their info sec due diligence, and more quickly figure out who to work with and (more importantly) who to skip over.
    • It is really hard, if not impossible, to tell anything about info sec from the outside, so customers have to get under the covers quickly and reliably.
    • The whole goal here is to create a trusted framework.
  4. If you project the role of the VSA out long term, SaaS services could one day (maybe) talk to each other and electronically communicate their VSA ratings and security practices.
    • This can help every SaaS company, as nearly all of them are relying on third-party integrated web-based services for more and more of their offerings, as they move from point offerings to solutions.
    • I am not making this up, as it is exactly what the Cloud Security Alliance is predicting regarding security practices in the future. https://cloudsecurityalliance.org

If you are a SaaS company, you should keep up with the VSA as they are just getting started. If they do it right, they may help you close your next cloud services contract with an enterprise customer.

Resources.

See this ‘related’ WSJ article re closing enterprise SaaS deals. https://goo.gl/kN4cvW

2 Comments
  1. Thanks for the interesting article. How do the VSA standards relate to the SOC (service organization control) standards promulgated by AICPA (http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/serviceorganization'smanagement.aspx)? I recently came across this when an SaaS client of mine was confronted with a request for SOC-2 compliance from a significant prospective customer. Are the VSA standards self-certified by organizations that join the alliance, or will VSA – or someone appointed by them – conduct a review?
