VSA. Why this is Great for SaaS Companies!

Vendor Security Alliance for SaaS companies, Aber Law Firm

Short answer: security due diligence is the number one thing slowing SaaS deals down. A shared, standardized security questionnaire and rating (like the Vendor Security Alliance) can let a vendor prove its security posture once and close faster.

The VSA is a group called the Vendor Security Alliance. As soon as I read about it, I realized it was a great idea for Software as a Service (SaaS) companies and could help get cloud service contracts signed. And as attorneys who help SaaS companies get SaaS contracts signed, we were excited. Here is our thinking.

1. What Is the VSA?

  • In their words: “In collaboration with the VSA, top security experts and experienced compliance officers will release a yearly questionnaire to benchmark their risk. Companies can leverage this questionnaire to qualify vendors and ensure the appropriate controls are in place to improve security for everyone.”
  • The questionnaire is only stage 1. They also plan a VSA-certified score, and a scoring system like that could really help SaaS companies communicate their security practices.

2. Security Issues Are the Number One Due Diligence Item We See in SaaS Deals.

  • Security due diligence is really slowing deals down, and the level of detail required to close keeps increasing. Info-sec managers and directors on the customer side are on more and more calls during contracting, asking lots of questions.
  • That is not a bad thing. It is a good thing. But we need a faster, more efficient way to get through it. Hello, VSA.

3. Done Well, the VSA Process Could Be an Efficient Way for SaaS Vendors to Explain Their Security Practices.

  • If the VSA develops an accepted rating system, potential customers can use it as the main part of their info-sec due diligence and more quickly decide who to work with and who to skip.
  • It is hard, if not impossible, to tell anything about info-sec from the outside, so customers have to get under the covers quickly and reliably. The goal is a trusted framework.

4. Long Term, SaaS Services Could One Day Communicate Their Security Ratings to Each Other.

  • That helps every SaaS company, since nearly all of them rely on third-party integrated web services for more of their offering as they move from point products to solutions.
  • This is not far-fetched. It is roughly what the Cloud Security Alliance has predicted about security practices in the future.

If you are a SaaS company, keep up with the VSA and frameworks like it. Anything that lets you prove your security posture once, in a form buyers trust, is a tool for closing your next enterprise cloud services deal faster. For where those security commitments belong (the contract versus a policy you can update), see Contract or Policy?

Disclaimer:

This post is for informational and educational purposes only, and is not legal advice.

