Information technology has changed the way people do business. For better, it has brought speed, scale, and functionality to all aspects of commerce and communication. For worse, it has brought the risks of data exposure, breach, and outage. The damage that can be done to a business through its technology is known as cyber risk, and with the increasing consequences of such incidents, managing cyber risk, especially among third parties, is fast becoming a critical aspect of any organization. The specialized nature of cyber risk requires the translation of technical details into business terms. Security ratings and cyber risk assessments serve this purpose, much like a credit score does for assessing the risk of a loan. But the methodologies employed by solutions in this space vary greatly, as do their results.
In June of 2017 the U.S. Chamber of Commerce posted the “Principles for Fair and Accurate Security Ratings,” a document supported by a number of organizations interested in the emerging market for measuring cyber risk. The principles provide a starting point for understanding the current state of security ratings and for establishing a shared baseline for assessing vendors in that market.
Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe. But reality tells a different story.