Security ratings are like credit ratings, but for the assessment of a company’s security risk rather than its credit risk. Where a credit rating lets a company determine the risk of lending to a prospective debtor, a security rating lets a company decide how risky it will be to deal with another organization in handling data. The comparison becomes even clearer when we remember one of the key principles of cyber resilience: that cyber risk “is actually business risk, and always has been.”
How do they work?
Credit ratings and security ratings also work in similar ways. A credit rating will take information about the prospective debtor – provided and purchased, public and private – to produce a grade such as AAA or AA+ (which would be a great result) down to C or D (riskier to lend to).
A security rating obtains its data by assessing and aggregating an organization’s internet-facing cyber risk profile, often incorporating other related technical and business data as well. Security ratings can also draw on databases of reported data breaches and vulnerabilities, as well as on the outputs of security monitoring. The result is a total risk rating, usually represented as a numerical score or letter grade.
Why do we need them?
If the reminder that “cyber risk is business risk” is too broad, the importance of security ratings can be broken down further. First, your business needs to know the state of its own infrastructure. How is security performance across the enterprise? Can it withstand threats and attacks? Is it secure enough that other companies or customers will deal with it?
As part of a holistic vendor risk management strategy, your business should ensure that the security posture of every part of its supply chain is well understood. Security ratings help with third-party risk management, where functions have been outsourced to external service providers. Ratings allow companies to vet prospective vendors, and to inspect and recognize security issues in more opaque fourth-party vendor relationships.
The need for security ratings is becoming recognized throughout the organization. From your IT security team to your board of directors, building a robust cyber risk management culture has never been more important in the age of data breaches, and a security rating platform gives you the ability to run continuous risk assessments that help close the gap.
Finally, there is the growing need for cyber insurance. The cost of cyber insurance depends on many factors, such as a cyber insurer’s ability to understand your current cybersecurity posture and to see proof of a security program. The better the risk is understood, the more accurate the price. Cyber insurers are improving their underwriting strategies by incorporating security ratings for continuous monitoring of a policyholder.
What else is there to know?
Security ratings are relatively new, and carry their own risks. As noted by the Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources. Organizations should beware of outdated or irrelevant data, and of inaccuracies or incompleteness in the assessment. This is the reasoning behind the development of the Principles: they provide an industry standard intended to increase the value of security ratings across the board.
There’s much more to security ratings, especially in the technical details of how each score is calculated, what factors it includes or omits, and how it can help to reduce cyber risk for both primary and third-party organizations. Although independent technical risk assessments are necessary to understand risk, vendor questionnaires are also critical to the process, revealing important details not seen from the outside.