
Top 10

SECURITY RATINGS 101: WHY INTEGRITY AND CONTEXT ARE SO IMPORTANT

by Ewen O’Brien, VP of EMEA, BitSight


The security ratings market is still relatively immature, but it is growing fast, and as such there is quite a bit of hype from the vendors in this space, who are all jostling for position. With a number of offerings to choose from – some of which are marketed in misleading ways – it can be tough for decision makers to cut through the noise and put in place a ratings platform that will truly make a difference to their business.

As someone who has worked in this industry for many years, with deep expertise in ratings, I thought it would be helpful to dispel some of the myths about security ratings, homing in on a number of key areas that I think are important for organisations to consider. Here, in the first of a series of articles, I’m putting a spotlight on the importance of integrity and context.

What I hear often in this market is that it is all about getting the highest rating. At a basic level this is true, but the ratings must be robust, stand up to scrutiny and have integrity, and without context they may not be meaningful to your stakeholders and/or your customers.

But before diving into what I mean by context, let me first explain what security ratings are.

Security ratings are a data-driven, objective and dynamic measurement of an organisation’s security performance. Thousands of organisations around the world use security ratings tools to address a variety of critical, interconnected internal and external use cases at scale, in order to enable more effective decision making throughout their business ecosystem.

Security ratings are useful for managing cyber risk in any inter-organisational interaction where transparency has historically been lacking. They improve an organisation’s ability to manage cyber risk from business partners and to understand the risk posed by a third party or supply chain relationship. They can be used for insurance underwriting, pricing and risk management, allowing carriers to gain better visibility into the security performance of insureds in order to assess and price risk. Ratings can also be used when investing in or acquiring a company, allowing organisations to perform enhanced cybersecurity due diligence and ongoing monitoring of the investment or M&A target. And they enable governments to better understand and manage the cybersecurity performance of critical organisations.

Additionally, security ratings are useful for managing an organisation’s internal cyber risk, by continually assessing the security posture of one’s own organisation and providing transparency to key stakeholders. They can be used to benchmark and compare performance with industry peers, and they provide greater assurance to customers, insurers, regulators and other third-party stakeholders about your cybersecurity performance.

In short, security ratings provide a comprehensive, outside-in view of a company’s overall cybersecurity posture. Like credit ratings for individuals, security ratings deliver much more value to an organisation than simply correlating with data breaches, for example. They are dynamic, constantly monitored and measured, rather than a point-in-time assessment, which means they can quickly highlight any change in security posture. However, a number of vendors in this space essentially enable organisations to ‘mark their own homework’, allowing them to remove legal entities, divisions or parts of the business that might negatively impact their rating.

Security ratings are based on the digital footprint of a company, with strict governance wrapped around it, and we rate everyone in a consistent way. This is important because there is no point in ‘gaming’ ratings to suit your needs: that is a short-sighted approach to the value of ratings and isn’t a true reflection of your security posture. Think about this from a personal perspective and how credit ratings work. Imagine if someone applying for a new mortgage was allowed to exclude their two recent mortgage defaults to improve their credit score. This in effect makes a mockery of having a credit rating, and exactly the same principles apply to security ratings. This kind of disingenuous approach might enable the security group to reduce workload in the short term, i.e. you got the rating the organisation wanted, but will it make the business any more secure and will it reduce risk? To this point, we lost a large customer a few years back because the security group wanted us to remove certain parts of their business that were not 100 percent owned by them but were absolutely part of their offering and were causing them significant pain. We declined to do this and we lost the customer, but we sustained our obligation to the industry around maintaining the integrity of our ratings.

The great advantage of examining externally observable data associated with the domains and IPs mapped to a rated company is that it can be assessed independently and remotely. Furthermore, because every organisation has a similar footprint, assessments can be compared and contrasted in a standardised way. The disadvantage is that this digital footprint is only a subset of the total digital surface of a business, and this is where context and other factors come into play. Security ratings should be chosen on the basis that they provide contextual ratings: not a way to game the system, but a way to give true context to particular scenarios.

Most organisations don’t operate as one big silo but rather align their infrastructure to match product lines, geographic regions, divisions and segments. So we have a global or primary rating, which can be combined with self-published ratings whereby companies can monitor and manage segments of their business whose structure only they have visibility into. For example, a company can monitor its regional offices and compare them, or break out ratings for specific product lines.

These self-published ratings can be used for internal purposes or shared with other users. Combined with primary ratings, they provide a level of context no one else in the security ratings industry can match. Where competitors often take a company’s word that an identified issue shouldn’t be a concern and remove the item from their records, it’s important to remain objective and instead create mechanisms for businesses to communicate context. This ultimately helps companies make better-informed, risk-averse decisions.

Security ratings enable organisations to manage their own risk and that of the organisations they do business with. This in turn creates a standardised model of risk by which organisations can be measured, allowing for better business decisions. But if a vendor suggests that you can manipulate data yourself to improve your ratings, understand that this won’t improve your own security posture, and it could in fact create threat vectors that you are currently blind to.


Finance

THE OUTPERFORMER’S APPROACH TO FINANCIAL PROCESS AUTOMATION

By Michelle Trapani, Director of Product Marketing at Kofax


Achieving more with less is the mantra of our times. C-suite leaders demand greater efficiency. CFOs are looking to reduce costs. Customers and employees expect stellar experiences. The ability to outperform these expectations hinges on your financial operations, a vital area impacting every facet of your business.

For instance, if vital master data is incorrect, it’ll have a negative impact on service level quality, as well as the reputations of the finance and purchasing departments. Without accurate and timely visibility into processes, transparency is reduced, and it’s more difficult and time-consuming to manage compliance. The combination makes it harder to please executives, CFOs, customers, and vendors.

That’s why financial process automation is the key to operational efficiency and the overall success of your business. Even small- and medium-sized businesses are investing in process automation to optimise the financial processes within enterprise resource planning (ERP) systems, such as SAP.

For many, accounts payable is the first financial process to be automated. Like many other financial areas, Accounts Payable (AP) is mired in paper and consumed by highly manual tasks. For these reasons, once AP is automated, the benefits become quickly apparent, leading firms to immediately consider which other financial processes they can optimise. However, outperformers know the approach that yields the greatest return is automation of the entire purchase-to-pay process chain.

Why? Let’s consider what benefits can be gained from automating document-driven and transactional processes tied to an SAP ERP system – in AP and beyond.


Why a high-level of automation is an advantage

We don’t have to look far to see how end-to-end automation eliminates labour-intensive work, reduces costs, and increases process efficiency. Organisations with high levels of automation provide indisputable proof of the advantages of the outperformers’ approach.

According to research by Shared Services Link and Kofax, just 12 percent of organisations with high levels of automation manually process their invoices compared to 74 percent of those with low levels of automation. In addition, only 41 percent of highly automated companies experience problems with purchase orders, 24 percent have poor visibility into spend, and 8 percent fail to capture early payment discounts. By comparison, those with low-level automation report these same problems significantly more often: 68 percent, 23 percent, and 24 percent, respectively.

In an age when process automation has become table stakes, there are clear advantages for organisations that optimise processes across the business. “Best-in-class” firms – those with high levels of automation – don’t only become more competitive, they save time and resources as well.

Comparing “best-in-class” organisations to others illustrates the sharp differences. According to Ardent Partners, a “best-in-class” organisation processes 57.1 percent of all invoices “straight-through,” in just 3.9 days at an all-inclusive cost of $2.87 per invoice. By contrast, the gap with other organisations – those with low levels of automation – is wide: Only 16.1 percent of invoices are processed straight-through, and a single invoice takes 17.1 days to close and costs $15.38. Further, “best-in-class” organisations experience 81 percent lower invoice processing costs and 77 percent faster invoice processing cycle times.


Why ERP optimisation?

Another reason to follow the outperformers’ approach is to increase the return on investment of Enterprise Resource Planning (ERP) software. Many organisations haven’t fully leveraged their investments in ERP software, like SAP, giving them plenty of hidden opportunities to exploit.

“ERPs are not optimised for all the complex activities occurring today, such as matching printed or electronic invoices with supplier master data, purchase orders, shipping, tax and discount data,” says consultancy The Hackett Group. “Since it can be cost-prohibitive to replace a legacy ERP, companies often augment them instead with document management systems.”

When processes are paper-driven and manual, financial teams struggle to meet the volume-based performance requirements set by their CFOs. Meeting the high bar for raw numbers of invoices and payments processed is exceedingly difficult without automation. Think back to the pain points listed above. Every time the process is interrupted because the PO number is wrong, there’s an invoice exception or an early pay discount is missed, the process slows appreciably – or breaks down entirely.

One option is to use a certified add-on solution providing a single software platform to automate a series of processes directly within the ERP system. For SAP users, this type of solution offers more than integration with the ERP system; it provides the exact same look and feel as any other SAP transaction. It can be presented inside of the SAP GUI, providing non-SAP users an intuitive interface, and offering a real-time view of workloads, pending tasks, document inflow, ongoing transactions, and up-to-the-moment validation against SAP data. Solutions like this are proven to help users become more cost efficient, improve control over financial processes and shorten total processing times.


How to dominate your financial process

As the examples above show, expanding process improvement from AP to the entire purchase-to-pay process chain allows you to dominate your financial processes in SAP, realise maximum efficiency and take your current ROI to the next level. Whether you’re just starting your automation journey or want to expand past AP, a full-scale strategy for end-to-end financial process automation will enable you to begin working like tomorrow, today.

About the author

In her role as Director of Product Marketing, Michelle Trapani delivers market positioning, strategic narratives and go-to-market strategies driving awareness, preference and growth – bringing an increased level of insight, leadership and overall execution discipline to Kofax’s growing business. Michelle was most recently with Cinch Connectivity Solutions, where she reduced product launch times from eight months to eight to 12 weeks. Previously, Michelle was with Adobe, Equinix, IBM, Infogix, iPass, Macrovision and Vision Solutions. Michelle earned a Bachelor of Arts degree at Illinois State University.


Technology

WHY TECHNOLOGY IS KEY TO THE FUTURE OF AUDITING

By Piers Wilson, Head of Product Management at Huntsman Security


The Financial Reporting Council (FRC), which is responsible for corporate governance, reporting and auditing in the UK, has been consulting on the role of technology in audit processes. This highlights growing recognition of the fact that technology can assist audits, providing the ability to automate data gathering or assessment to increase quality, remove subjectivity and make the process more trustworthy and consistent. Both the Brydon review and the latest AQR thematic suggest a link between enhanced audit quality and the increasing use of technology. This goes beyond efficiency gains from process automation and relates, in part, to the larger volume of data and evidence that can be extracted from an audited entity and the sophistication of the tools available to interrogate it.

As one example, the PCAOB in the US has for a while advocated for the provision of audit evidence and reports to be timely (which implies computerisation and automation) to assure that risks are being managed, and for the extent of human interaction with evidence or source data to be reflected to ensure influence is minimised (the more that can be achieved programmatically and objectively the better).

However, technology may obscure the nature of analysis and decision making and create a barrier to fully transparent audits compared to more manual (yet labour intensive) processes. There is also a competition aspect between larger firms and smaller ones as regards access to technology:

Brydon raised concerns about the ability of challenger firms to keep pace with the Big Four firms in the deployment of innovative new technology.

The FRC consultation paper covers issues, and asks questions, in a number of areas. Examples include:

  • The use of AI and machine learning to collect or analyse evidence: because such systems learn continually, their assessment criteria may be difficult to establish or could change over time.
  • The data issues around greater access to networks and systems putting information at risk (e.g. under GDPR) or a reluctance for audited companies to allow audit firms to connect or install software/technologies into their live environments.
  • The nature of technology may mean it is harder for auditors to understand or establish the nature of data collection, analysis or decision making.
  • The ongoing need to train auditors on technologies that might be introduced, so they can utilise them in a way that generates trusted outputs.

Clearly these are real issues. For a process that aims to provide trustworthy, objective, transparent and repeatable outputs, any use of technology to speed up or improve the process must maintain these standards.

Audit technology solutions in cyber security

The cyber security realm has quickly grown to become a major area of risk and hence a focus for boards, technologists and auditors alike. The highly technical nature of threats and the adversarial nature of cyber attackers (who will actively try to find and exploit control failures) mean that technology solutions that identify weaknesses and report on specific or overall vulnerabilities are becoming more entrenched in the assurance process within this discipline.

While the audit consultations and reports mentioned above cover the wider audit spectrum, similar challenges relate to cyber security as an inherently technology-focussed area of operation.


Benefits of speed

The gains from using technology to conduct data gathering, analysis and reporting are obvious – removing the need for human questionnaires, interviews, inspections and manual number crunching. Increasing the speed of the process has a number of benefits:

  • You can cover larger scopes or bigger samples (or even avoid sampling altogether)
  • You can conduct audit/assurance activities more often (weekly instead of annually)
  • You can scale your approach beyond one part of the business to encompass multiple business units or even third parties
  • You get answers more quickly – which for things that change continually (like patching status) means same day awareness rather than 3 weeks later

Benefits of flexibility

The ability to conduct audits across different sites or scopes, to specify different thresholds of risk for different domains, and the ease of conducting audits at remote locations or on suppliers’ networks (especially during periods of restricted travel) are all factors that can make technology a useful tool for the auditor.

Benefits of transparency

One part of the FRC’s perceived problem space is transparency: you can ask a human how they derived a result, and they can probably tell you, or at least show you the audit trail of correspondence, meeting notes or spreadsheet calculations. But can you do this with software or technology?

Certainly, the use of AI and machine learning makes this hard: the learning nature and often black-box calculations are not easy to understand, to recalculate in a repeatable way or to document. The system learns, so it is always changing, and hence the rationale for a decision might not always be the same.

In technologies that are geared towards delivering audit outcomes this is easier. First, if you collect and retain data and provide an easy interface to go from results to the underlying cases in the source data, it is possible to take a score, rating or risk and reveal the specifics of what led to it. Secondly, it is vital that the calculations are transparent, i.e. that the methods for calculating risks or scoring results are decipherable.

Benefits of consistency

This is one obvious gain from technology: the logic is pre-programmed in. If you take two auditors and give them the same data sets or evidence case files they might draw different conclusions (possibly for valid reasons, or because they have different skill areas or experience), but the same algorithm operating on the same data will produce the same result every time.

Manual evidence gathering suffers a number of drawbacks: it relies on written notes, records of verbal conversations, email trails, spreadsheets or questionnaire responses in different formats. Retaining all this in a coherent way is difficult, and going back through it even harder.

Using a consistent toolset and consistent data format means that if you need to go back to a data source from a particular network domain three months ago, you will have information that is readily available and readable. And as stated above, if the source data and evidence is re-examined using a consistent solution, you will get the same calculations, decisions and results.

Benefits of systematically generated KPIs, cyber maturity measures and issues

The outputs of any audit process need to provide details of the issues found so that the specific or general cases of the failures can be investigated and resolved.  But for managers, operational teams and businesses, having a view of the KPIs for the security operations process is extremely useful.

Of course, following the “lines of defence” model, an internal or external “formal” audit might simply want the results and a level of trust in how they were calculated; however for operational management and ongoing continuous visibility, the need to derive performance statistics comes into its own.

It is worth noting that there are two dimensions to KPIs: the assessment of the strength or configuration of a control or policy (how good is the control) and the extent or level of coverage (how widely is it enforced).

To give a view of the technical maturity of a defence you really need to combine these two factors. A weak control that is widely implemented and a strong control that provides only partial coverage are both causes for concern.
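To make the two KPI dimensions concrete, here is an added example in Python that is not from the article or from Huntsman Security's products: it derives coverage and strength per control from constructed evidence records, combines them into one maturity figure, flags the two failure modes named above, and keeps the evidence behind each score so a result can be traced back to the specific cases (the transparency and consistency points made earlier). The thresholds, control names, asset names and data are all assumptions.

```python
"""Control-maturity scoring with an evidence trail (constructed example).

Combines control strength and coverage into one maturity figure per
control, flags weak-but-widespread and strong-but-partial controls, and
keeps the evidence behind each score for drill-down. Data is illustrative.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Evidence:
    """One observation of one control on one in-scope asset."""
    asset: str
    control: str
    enforced: bool    # is the control present on this asset at all?
    strength: float   # 0.0-1.0: how well configured it is where present


@dataclass
class ControlScore:
    control: str
    coverage: float   # share of in-scope assets where the control is enforced
    strength: float   # mean configured strength across enforced assets
    maturity: float   # coverage * strength, 0.0-1.0
    findings: list = field(default_factory=list)
    evidence: list = field(default_factory=list)   # drill-down trail


# Constructed sample evidence, as distributed collectors might return it.
SAMPLE_EVIDENCE = [
    # disk encryption: enforced everywhere, but weakly configured
    Evidence("host-01", "disk_encryption", True, 0.5),
    Evidence("host-02", "disk_encryption", True, 0.5),
    Evidence("host-03", "disk_encryption", True, 0.4),
    Evidence("host-04", "disk_encryption", True, 0.6),
    Evidence("host-05", "disk_encryption", True, 0.5),
    # MFA: well configured where present, but missing on two hosts
    Evidence("host-01", "mfa", True, 0.9),
    Evidence("host-02", "mfa", True, 0.9),
    Evidence("host-03", "mfa", True, 0.9),
    Evidence("host-04", "mfa", False, 0.0),
    Evidence("host-05", "mfa", False, 0.0),
    # patching: strong and complete
    Evidence("host-01", "patching", True, 0.9),
    Evidence("host-02", "patching", True, 0.9),
    Evidence("host-03", "patching", True, 0.8),
    Evidence("host-04", "patching", True, 1.0),
]

WEAK_BELOW = 0.6      # assumed threshold: strength below this is "weak"
PARTIAL_BELOW = 0.8   # assumed threshold: coverage below this is "partial"


def score_control(control, records):
    """Score one control. Same records in, same score out: no judgement calls."""
    rows = [r for r in records if r.control == control]
    if not rows:
        raise ValueError(f"no evidence collected for control {control!r}")
    enforced = [r for r in rows if r.enforced]
    coverage = len(enforced) / len(rows)
    strength = sum(r.strength for r in enforced) / len(enforced) if enforced else 0.0
    findings = []
    weak, partial = strength < WEAK_BELOW, coverage < PARTIAL_BELOW
    if weak and not partial:
        findings.append("weak control, widely implemented")
    if partial and not weak:
        findings.append("strong control, partial coverage")
    if weak and partial:
        findings.append("weak control, partial coverage")
    return ControlScore(control, round(coverage, 3), round(strength, 3),
                        round(coverage * strength, 3), findings, rows)


def drill_down(score):
    """Go from a score back to the cases that drove it, for transparency."""
    return {
        "missing": sorted(r.asset for r in score.evidence if not r.enforced),
        "weak": sorted(r.asset for r in score.evidence
                       if r.enforced and r.strength < WEAK_BELOW),
    }


def maturity_report(records):
    """Per-control scores for every control that has evidence."""
    return {c: score_control(c, records) for c in sorted({r.control for r in records})}
```

Calling `maturity_report(SAMPLE_EVIDENCE)` and then `drill_down` on any score reproduces the path from a headline figure back to the hosts that caused it.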


Benefits of separation of process stages

The final area where technology can help is in allowing the separation and distribution of the data gathering, analysis and reporting processes. It is hard to take the data, evidence and meeting notes from someone else and analyse them. For one thing, are they trustworthy and reliable (in the case of third-party assurance questionnaires, perhaps)? It is then also hard to draw high-level conclusions from the analysis.

If technology allows the data gathering to be performed in a distributed way, say by local site administrators, third-party IT staff or non-expert users BUT in a trustworthy way, then the overhead of the audit process is much reduced. Instead of a team having to conduct multiple visits, interviews or data collection activities the toolset can be provided to the people nearest to the point of collection.

This allows the data analysis and interpretation to be performed centrally by the experts in a particular field or control area. So giving a non-expert user a way to collect and provide relevant and trustworthy audit evidence takes a large bite out of the resource overhead of conducting the audit, for both auditor and auditee.

It also means that a target organisation doesn’t have to manage the issue of allowing auditors to have access to networks, sites, data, accounts and systems to gather the audit evidence as this can be undertaken by existing administrators in the environment.


Making the right choice

Technology solutions in the audit process can clearly deliver benefits; however, if they are too simplistic or aim to be too clever, they can simply move the problem of providing high levels of audit quality. A rapidly generated AI-based risk score is useful, but if it’s not possible to understand the calculation it is hard to either correct the control issues or troubleshoot the underlying process.

Where technology can assist the audit process, speed up data gathering and analysis, and streamline the generation of high- and low-level outputs it can be a boon.

Technology allows organisations to put trustworthy assurance into the hands of operations teams and managers, consultants and auditors alike to provide flexible, rapid and frequent views of control data and understanding of risk posture. If this can be done in a way that is cognisant of the risks and challenges as we have shown, then auditors and regulators such as the FRC can be satisfied.

