Security ratings are like credit ratings, but they assess a company's security risk rather than its credit risk. Where a credit score lets a lender estimate the risk of lending to a prospective debtor, a security rating lets a company perform due diligence and make objective, repeatable decisions about how risky it will be to share data with a business partner or third-party vendor. The comparison becomes even clearer when we remember one of the key principles of cyber resilience: that cyber risk “is actually business risk, and always has been.”
The idea here is that a higher rating means lower cybersecurity risk.
Table of contents
- How do security ratings work?
- Why do we need security ratings?
- What else do I need to know about security ratings?
Security ratings work in a similar way to a credit rating. A credit rating takes information about a prospective debtor - provided and purchased, public and private - and produces a grade such as AAA or AA+ (a great result) down to C or D (riskier to lend to).
A security rating is data-driven: the platform assesses and aggregates an organization's internet-facing cyber risk profile, which is what can be observed from outside without the organization's cooperation, and incorporates related technical and business data. Ratings platforms can also draw on databases of reported data breaches and known vulnerabilities, as well as the outputs of security monitoring of web applications, network exposure, security controls, endpoint security and malware protection.
The result is an overall risk rating represented as a numerical score or letter grade. The better your security rating, the lower your organization's assessed risk of a successful cyber attack; a rating is an estimate built from observable evidence, not a guarantee.
If “cyber risk is business risk” is too broad for you, the importance of security ratings can be broken down further.
First, your business needs to know the state of its own infrastructure. How is security performance across the enterprise? Can it withstand threats and attacks? Is it secure enough that other companies or customers will want to deal with you? How do you compare to industry peers?
As part of a holistic vendor risk management strategy, your business should ensure that the security posture of every part of its supply chain is well understood. Security ratings help with third-party risk management, where functions have been outsourced to external service providers. Ratings allow companies to vet prospective vendors, and to surface security issues in the more opaque fourth-party relationships (your vendors' own vendors).
“The third-party risk management is the one we see growing the most rapidly,” says Jeffrey Wheatman, research director, security and privacy, at Gartner. “We think that at some point in the near term, a cybersecurity score will be as important as a credit score when organizations look to sign up for a partnership.”
The need for security ratings is becoming recognized throughout the organization. From your IT security team to your board of directors, building a robust cyber risk management culture has never been more important in the age of data breaches, and a security rating platform lets you run continuous risk assessments rather than point-in-time audits, closing the gap between one assessment and the next.
Finally, there is the growing need for cyber insurance. The cost of cyber insurance depends on many factors, including a cyber insurer's ability to understand your current cybersecurity posture and to see evidence of a working security program. The better the risk is understood, the more accurate the price. Cyber insurers are improving their underwriting by incorporating security ratings for continuous monitoring of a policyholder.
Security ratings are relatively new, and carry their own risks. As noted by the U.S. Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources. Organizations should beware of outdated or irrelevant data, and of inaccuracies or incompleteness in assessment. This is the reasoning behind the development of the Principles: they provide an industry standard intended to increase the value of security ratings across the board.
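To make the aggregation described earlier concrete, and to show how the “outdated data” caveat above can be handled in the scoring itself, here is a toy rating model. It is an added illustration, not code from the original page and not any ratings vendor's actual model: the severity weights, the evidence half-life, the 365-day cutoff, the grade thresholds and the sample findings are all assumptions chosen for the example. Each externally observed finding is weighted by severity, discounted by the age of its evidence so that stale observations stop counting, and the total penalty is mapped to a score and a letter grade.

```python
"""Toy security-rating aggregator (illustrative only; not a real vendor's model)."""
from dataclasses import dataclass
from datetime import date

# Assumed severity weights for externally observable findings.
SEVERITY_WEIGHTS = {"critical": 25.0, "high": 15.0, "medium": 8.0, "low": 3.0}

# Assumed score-to-grade buckets, checked from best to worst.
GRADE_THRESHOLDS = ((90.0, "A"), (80.0, "B"), (70.0, "C"), (60.0, "D"))


@dataclass(frozen=True)
class Finding:
    category: str     # e.g. "open_port", "email_auth", "breach"
    severity: str     # one of SEVERITY_WEIGHTS
    observed: date    # when the evidence was last confirmed
    description: str


def evidence_weight(finding, as_of, half_life_days=90, max_age_days=365):
    """Discount a finding by the age of its evidence.

    Fresh evidence counts fully, evidence half_life_days old counts half,
    and anything older than max_age_days is treated as unverified and
    contributes nothing. Both parameters are assumptions.
    """
    age_days = (as_of - finding.observed).days
    if age_days < 0:
        raise ValueError(f"finding observed in the future: {finding}")
    if age_days > max_age_days:
        return 0.0
    return 0.5 ** (age_days / half_life_days)


def compute_score(findings, as_of, half_life_days=90, max_age_days=365):
    """Start at 100 and subtract the age-discounted severity of each finding."""
    penalty = 0.0
    for finding in findings:
        if finding.severity not in SEVERITY_WEIGHTS:
            raise ValueError(f"unknown severity {finding.severity!r}")
        weight = evidence_weight(finding, as_of, half_life_days, max_age_days)
        penalty += SEVERITY_WEIGHTS[finding.severity] * weight
    return max(0.0, 100.0 - penalty)


def letter_grade(score):
    """Map a 0-100 score onto the assumed A-F buckets."""
    for threshold, grade in GRADE_THRESHOLDS:
        if score >= threshold:
            return grade
    return "F"


def rate(findings, as_of):
    """Return (score, grade) for a set of findings as of a given date."""
    score = compute_score(findings, as_of)
    return score, letter_grade(score)


# Constructed sample findings; none describes a real organization.
AS_OF = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("open_port", "critical", date(2024, 6, 1),
            "RDP (3389/tcp) reachable from the internet (seen today)"),
    Finding("email_auth", "medium", date(2024, 3, 3),
            "No DMARC record published (evidence 90 days old)"),
    Finding("breach", "high", date(2023, 4, 1),
            "Credential dump reported (evidence older than a year)"),
]

if __name__ == "__main__":
    score, grade = rate(SAMPLE_FINDINGS, AS_OF)
    print(f"score={score:.1f} grade={grade}")
```

With the sample data the fresh critical finding costs its full 25 points, the 90-day-old medium finding costs half of 8, and the year-old breach report costs nothing, so the organization scores 71 and lands in the C bucket. Moving the DMARC evidence date closer to `AS_OF` raises its penalty toward 8 and drops the grade to D, which is the point of decaying evidence: a rating should move when the underlying observations change, and a platform that keeps counting unrefreshed evidence is exactly the "outdated data" problem the Principles warn about.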
There’s much more to security ratings, especially in the technical details of how each score is calculated, different use cases, what factors it includes or omits, and how it can help to reduce cyber risk for both primary and third-party organizations. Although independent technical risk assessments are necessary to understand risk, vendor questionnaires are also critical to the process, revealing important details not seen from the outside.