Security ratings are like credit ratings, but for the assessment of a company’s web-facing applications. Where a credit rating lets a company determine the risk of lending to a prospective debtor, a security rating lets it decide how risky it will be to deal with another in handling data. The comparison becomes even closer when we remember one of the key principles of cyber resilience: that cyber risk “is actually business risk, and always has been.”
How do they work?
Credit ratings and security ratings also work in similar ways. A credit rating will take information about the prospective debtor – provided and purchased, public and private – to produce a grade such as AAA or AA+ (which would be a great result) down to C or D (riskier to loan to).
A security rating obtains its data by assessing and aggregating an organization’s internet-facing cyber risk profile, often incorporating other related technical and business data as well. Security ratings can also draw on databases of reported breaches and vulnerabilities. The result is a symbolic representation of total risk, usually a numerical score or letter grade.
Why do we need them?
If the reminder that “cyber risk is business risk” is too broad, the importance of security ratings can be broken down further. First, your business needs to know the state of its own infrastructure. How is security performance across the enterprise? Can it withstand threats and attacks? Is it secure enough that other companies or customers will deal with it?
Organizations also need every part of the supply chain to be secure. Security ratings help assess and manage third-party risk, where functions have been outsourced. Ratings allow companies to vet prospective vendors, and to inspect and recognize issues within their existing network of relationships.
Finally, there is the growing need for cyber insurance. The cost of cyber insurance will ultimately depend on a company’s cyber risk strategies. The more risk is mitigated, the better the price. Organizations can improve their strategies by incorporating security ratings, tracking their improvement, and demonstrating an achievement of the highest rating possible.
What else is there to know?
Security ratings are relatively new, and carry their own risks. As noted by the Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources. Organizations should beware of outdated or irrelevant data, and of inaccuracies or incompleteness in assessment. This is the reasoning behind the development of the Principles: they provide an industry standard to increase the value of security ratings across the board.
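To make the two preceding ideas concrete (aggregating internet-facing findings into a score or grade, and the caveat that ratings rely on data that may be outdated), here is an added example of a toy rating aggregator. It is not the page’s code and not any rating vendor’s real formula: the category weights, the grade thresholds, the 90-day staleness cut-off and the `*.example-vendor.test` hostnames are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical weighting model (an assumption for this example, not any
# rating vendor's real formula). Each category of external finding has a
# weight; each finding carries a severity from 1 (informational) to 10 (critical).
CATEGORY_WEIGHTS = {
    "tls": 1.0,              # expired or weak certificates on public endpoints
    "exposed_service": 1.5,  # admin or database ports reachable from the internet
    "patching": 2.0,         # outdated software with publicly known vulnerabilities
    "dns_email": 0.5,        # missing SPF/DMARC and similar hygiene issues
}

# Findings older than this are treated as stale (the "outdated data" caveat):
# they are excluded from the score and reported separately for re-verification.
MAX_FINDING_AGE_DAYS = 90  # assumed policy value


@dataclass(frozen=True)
class Finding:
    asset: str       # externally visible hostname the finding was observed on
    category: str    # one of CATEGORY_WEIGHTS
    severity: int    # 1..10
    observed: date   # when the finding was last confirmed


def grade_for(score: float) -> str:
    """Map a 0..100 score to a letter grade (thresholds are assumptions)."""
    if score >= 90:
        return "A"
    if score >= 80:
        return "B"
    if score >= 70:
        return "C"
    if score >= 60:
        return "D"
    return "F"


def rate(findings, as_of: date) -> dict:
    """Aggregate external findings into a score, a grade, a per-category
    penalty breakdown, and the list of stale findings that were left out."""
    penalty_by_category = {c: 0.0 for c in CATEGORY_WEIGHTS}
    stale = []
    for f in findings:
        if f.category not in CATEGORY_WEIGHTS:
            raise ValueError(f"unknown finding category {f.category!r}")
        if not 1 <= f.severity <= 10:
            raise ValueError(f"severity out of range for {f.asset}: {f.severity}")
        if (as_of - f.observed).days > MAX_FINDING_AGE_DAYS:
            stale.append(f)          # do not let old data drive the grade
            continue
        penalty_by_category[f.category] += CATEGORY_WEIGHTS[f.category] * f.severity
    score = max(0.0, 100.0 - sum(penalty_by_category.values()))
    return {
        "score": score,
        "grade": grade_for(score),
        "penalty_by_category": penalty_by_category,
        "stale_findings": stale,
    }


# Constructed sample findings for a fictional vendor, as they might come out of
# an external assessment; the assessment date is fixed so the result is repeatable.
AS_OF = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("www.example-vendor.test", "tls", 4, date(2024, 5, 20)),
    Finding("db.example-vendor.test", "exposed_service", 8, date(2024, 5, 28)),
    Finding("mail.example-vendor.test", "dns_email", 3, date(2024, 5, 1)),
    # 138 days old: stale under the assumed policy, so excluded and flagged
    Finding("legacy.example-vendor.test", "patching", 9, date(2024, 1, 15)),
]


def rate_sample() -> dict:
    """Rate the constructed sample; penalty 4 + 12 + 1.5 = 17.5, so score 82.5 (B)."""
    return rate(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    result = rate_sample()
    print(f"score={result['score']:.1f} grade={result['grade']}")
    for category, penalty in result["penalty_by_category"].items():
        print(f"  {category:<16} penalty {penalty:.1f}")
    for f in result["stale_findings"]:
        print(f"  stale, re-verify: {f.asset} ({f.category}, severity {f.severity})")
```

The per-category breakdown is what makes the grade actionable for the rated organization and its partners: it shows which class of exposure is costing the most points. Whether a stale finding should be excluded, down-weighted or kept until re-verified is a policy choice; this example excludes it but surfaces it, because silently counting a months-old critical finding would misstate current risk just as badly as silently dropping it.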
There’s much more to security ratings, especially in the technical details of how each score is calculated, what factors it includes or omits, and how it can help to reduce cyber risk for both primary and third-party organizations. Although independent technical assessments are necessary to understand risk, vendor questionnaires are also critical to the process, revealing important details not seen from the outside.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.