by Ewen O’Brien, VP of EMEA, BitSight
The security ratings market is still relatively immature, but it is growing fast, and as a result there is a good deal of hype from the vendors in this space, all of whom are jostling for position. With a number of offerings to choose from, some of which are marketed in misleading ways, it can be hard for decision makers to cut through the noise and put in place a ratings platform that will make a real difference to their business.
As someone who has worked in this industry for many years, with deep expertise in ratings, I thought it would be helpful to dispel some of the myths about security ratings, homing in on a number of key areas that I think organisations should consider. Here, in the first of a series of articles, I am putting a spotlight on the importance of integrity and context.
What I often hear in this market is that it is all about getting the highest rating. At a basic level this is true, but the rating must be robust, stand up to scrutiny and have integrity; without context, a rating may not be meaningful to your stakeholders or your customers.
But before going into what I mean by context, let me first explain what security ratings are.
Security ratings are a data-driven, objective and dynamic measurement of an organisation’s security performance. Thousands of organisations around the world use security ratings tools to address a variety of critical, interconnected internal and external use cases at scale, enabling more effective decision making throughout their business ecosystem.
Security ratings are useful for managing cyber risk in any inter-organisational interaction where transparency has historically been lacking. They improve an organisation’s ability to manage cyber risk from business partners and to understand the risk posed by a third-party or supply chain business relationship. They can be used for insurance underwriting, pricing and risk management, giving carriers better visibility into the security performance of the organisations they insure so they can assess and price risk. Ratings can also support investment in or acquisition of a company, allowing organisations to perform enhanced cybersecurity due diligence and ongoing monitoring of the investment or M&A target. And they enable governments to better understand and manage the cybersecurity performance of critical organisations.
Additionally, security ratings are useful for managing an organisation’s internal cyber risk, by continually assessing the security posture of one’s own organisation and providing transparency to key stakeholders. They can be used to benchmark and compare performance against industry peers, and they give customers, insurers, regulators and other third-party stakeholders greater assurance about your cybersecurity performance.
In short, security ratings provide a comprehensive, outside-in view of a company’s overall cybersecurity posture. Much like credit ratings for individuals, security ratings deliver far more value to an organisation than, for example, simply correlating them with data breaches. They are dynamic, constantly monitored and measured, rather than a point-in-time assessment, which means a rating can quickly highlight any change in security posture. However, a number of vendors in this space essentially let organisations ‘mark their own homework’, allowing them to remove legal entities, divisions or parts of the business that might negatively affect their rating.
Security ratings are based on the digital footprint of a company, with strict governance wrapped around it, and we rate everyone in a consistent way. This matters because there is no point in ‘gaming’ ratings to suit your needs: it is a short-sighted view of the value of ratings and is not a true reflection of your security posture. Think about it from a personal perspective and how credit ratings work. Imagine if someone applying for a new mortgage were allowed to exclude two recent mortgage defaults to improve their credit score. That would make a mockery of having a credit rating, and exactly the same principle applies to security ratings. A disingenuous approach of this kind might let the security group reduce its workload in the short term, because the organisation got the rating it wanted, but will it make the business any more secure, and will it reduce risk? On this point, we lost a large customer a few years ago because the security group wanted us to remove certain parts of their business that were not 100 percent owned by them but were absolutely part of their offering and were causing them significant pain. We declined to do so and lost the customer, but we upheld our obligation to the industry to maintain the integrity of our ratings.
The great advantage of examining externally observable data associated with the domains and IPs mapped to a rated company is that it can be assessed independently and remotely. Furthermore, because every organisation has a similar footprint, assessments can be compared and contrasted in a standardised way. The disadvantage is that this digital footprint is only a subset of the total digital surface of a business, and this is where context and other factors come into play. Security ratings should be chosen on the basis that they provide contextual ratings: not a way of gaming the system, but a way of giving true context to particular scenarios.
Most organisations do not operate as one big silo; rather, they align their infrastructure to match product lines, geographic regions, divisions and segments. So we have a global or primary rating which can be combined with a self-published rating, whereby companies can monitor and manage segments of their business whose structure only they have visibility into. For example, a company can monitor and compare its regional offices, or break out ratings for specific product lines.
These self-published ratings can be used for internal purposes or shared with other users. Combined with primary ratings, they provide a level of context no one else in the security ratings industry can match. Where competitors often take a company’s word that an identified issue is not a concern and remove the item from their records, it is important instead to remain objective and to create mechanisms for businesses to communicate context. This ultimately helps companies make better-informed, risk-averse decisions.
Security ratings enable organisations to manage their own risk and that of the organisations they do business with. This in turn creates a standardised model of risk against which organisations can be measured, allowing for better business decisions. But if a vendor suggests that you can manipulate the data yourself to improve your rating, understand that this will not improve your actual security posture, and it could in fact leave threat vectors that you are currently blind to.