Security ratings are like credit ratings, but for the assessment of a company's security risk rather than its credit risk. Where a credit score lets a lender determine the risk of lending to a prospective debtor, a security rating lets a company perform due diligence and use objective decision making to determine how risky it will be to share data with a business partner or third-party vendor. The comparison becomes even clearer when we remember one of the key principles of cyber resilience: that cyber risk “is actually business risk, and always has been.”
The idea here is that a higher rating means lower cybersecurity risk.
The Problem of Digitization
The digitization of business has increased the speed of commerce, the scope of customers, the understanding of consumer habits, and the efficiency of operations across the board. It has also increased the risk surface of business, creating new dangers and obstacles for the business itself, not just its technology. This risk is compounded by the interrelations of digital businesses as data handling and technological infrastructure is outsourced, as each third party becomes a vector for breach or exposure for the primary company. The technical nature of this risk makes it inaccessible to those without advanced skills and knowledge, leaving organizations without visibility into an extremely valuable and critical part of the business.
Enter Security Ratings
A similar problem existed for lending money: the factors that go into whether someone is trustworthy as a debtor are complex and require skilled work to comprehend effectively. Credit scores outsource this work, in a sense, and return an easily understood aggregation of those efforts in a standardized and therefore comparable system. Security ratings solve the problem of cyber risk like credit ratings: specialists assess each company using a standardized collection of criteria and proprietary tools, and return a rating that can be understood in a business context by non-technical people.
What are Security Ratings?
The Internet Footprint
Every digital business has an internet footprint. This is the surface area of the domains, devices, and data belonging to the organization that is accessible from the internet. Security ratings analyze this footprint to determine a company’s posture. The great advantage of examining this footprint is that it can be assessed independently and remotely, making it an obtainable and objective source of information. Because every organization has a similar kind of footprint, assessments can be compared and contrasted in a standardized system. The disadvantage, of course, is that the internet footprint is only a subset of the total digital surface of a business; however, it often telegraphs the state of the internal infrastructure.
Independent External Assessment
Every assessor of cyber risk uses a different, proprietary set of criteria to determine their rating. Some systems are transparent in how they grade entities, while others obscure the mechanics in favor of simpler ratings. The core ground covered by these entities is mostly the same, but often the way in which it is covered varies greatly, and the factors considered within the rating process reflect the priorities of the assessor. In 2017, the US Chamber of Commerce announced their Principles for Fair and Accurate Security Ratings, which establishes standards security rating vendors should adhere to. The best assessments focus on the vectors through which cyber threats emerge and continuously monitor for vulnerabilities within them.
Aggregate and Symbolize
Once the assessment has been performed, the technical details gathered are analyzed according to proprietary algorithms and aggregated into a rating. This rating is usually a numeric value, like a credit score, or a letter grade, similar to a report card. These summaries provide at-a-glance understanding of the relative security postures of companies and their vendors. They also provide a high-level metric for remediation efforts when organizations launch initiatives to improve their resilience. Finally, ratings allow organizations to establish thresholds of risk and set standards with which vendors must comply in order to handle sensitive data or critical services.
- What does your company’s internet footprint look like?
- When choosing a security rating platform, what actually matters to you?
- Have any of your vendors suffered a past data breach or security incident?
How do Security Ratings Work?
Standards and Expectations
Security ratings only take on meaning when they can be used to create a standard by which vendor risk can be judged. This standard may differ from organization to organization, depending on their priorities and willingness to accept risk, but the overarching principle of setting standards remains the same. For example, when using a numeric rating, some companies may decide that vendors must have a total score over 600 (out of 950) to handle sensitive data. Others may have specific criteria that must be met, for example, proof of a security program and strong encryption on all web applications. Whether judging by the big picture or by important details (or some combination of both), security ratings help set expectations for vendor IT security and operations.
The Assessment Process
An independent external assessment is a matter of data gathering. The internet footprint of any company or vendor is a set of information that can be captured remotely. This includes technical details like how well the website is configured, whether the company has email protection for its domain, and how vulnerable it is to common attacks like ransomware (think WannaCry). As with any risk calculation, it also includes business factors, such as the size of the organization, its history with data security, and approval or satisfaction ratings of the company and its leadership by employees. Understanding which factors a security rating covers is key to ensuring that the things you care about are not missing from the assessment.
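The following added example (not UpGuard's or any vendor's scoring algorithm) shows how a handful of externally observable findings of the kind described above, such as SPF and DMARC records for the domain and HTTPS configuration, can be aggregated into a numeric rating on a 950-point scale and compared with the 600-point threshold mentioned earlier. The check weights, the letter-grade bands and the sample footprint snapshots are all constructed assumptions; no live DNS or HTTP lookups are performed.

```python
# Illustrative toy scorer; weights, scale and threshold are assumptions.
DEFAULT_MINIMUM = 600   # below this a vendor may not handle sensitive data

# Constructed footprint snapshots: DNS TXT records and HTTPS facts captured
# the way an external rating tool would, embedded here so the example is offline.
STRONG = {
    "dns_txt": {
        "example.com": ["v=spf1 include:_spf.example.net -all"],
        "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    },
    "https_ok": True,
    "headers": {"Strict-Transport-Security": "max-age=31536000",
                "Content-Security-Policy": "default-src 'self'"},
}
WEAK = {"dns_txt": {"example.org": ["v=spf1 ~all"]}, "https_ok": True, "headers": {}}

def spf_hard_fail(domain, fp):
    """SPF record present and ending in -all (a soft-fail ~all does not count)."""
    return any(r.startswith("v=spf1") and r.split()[-1] == "-all"
               for r in fp["dns_txt"].get(domain, []))

def dmarc_enforcing(domain, fp):
    """DMARC policy is quarantine or reject rather than none or absent."""
    for rec in fp["dns_txt"].get(f"_dmarc.{domain}", []):
        if rec.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p") in ("quarantine", "reject")
    return False

# (label, weight, predicate); the weights sum to the 950-point scale
CHECKS = [
    ("SPF hard fail", 200, spf_hard_fail),
    ("DMARC enforcing", 250, dmarc_enforcing),
    ("HTTPS reachable", 200, lambda d, fp: fp["https_ok"]),
    ("HSTS header", 150, lambda d, fp: "Strict-Transport-Security" in fp["headers"]),
    ("CSP header", 150, lambda d, fp: "Content-Security-Policy" in fp["headers"]),
]

def score(domain, fp):
    """Aggregate the passed checks into one numeric rating out of 950."""
    return sum(w for _, w, check in CHECKS if check(domain, fp))

def grade(points):
    """Map the numeric rating to a report-card style letter (assumed bands)."""
    for floor, letter in ((850, "A"), (700, "B"), (600, "C"), (450, "D")):
        if points >= floor:
            return letter
    return "F"

def may_handle_sensitive_data(domain, fp, minimum=DEFAULT_MINIMUM):
    """Apply an organization's risk threshold to the vendor's rating."""
    return score(domain, fp) >= minimum

if __name__ == "__main__":
    for d, fp in (("example.com", STRONG), ("example.org", WEAK)):
        print(d, score(d, fp), grade(score(d, fp)), may_handle_sensitive_data(d, fp))
```

A real rating product covers many more factors and weighs them differently; the point here is only that the aggregation and the threshold decision are mechanical once the findings are in hand.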
Minimizing Vendor Risk
Ultimately, security ratings help companies minimize the risk posed by their data-handling vendors by providing criteria by which those vendors can be judged before entering into a contract, creating a competitive space where increased resilience equals more opportunity. As the stakes of cyber risk increase, this competitive edge will drive decisions about who is allowed to handle sensitive data and how they do it. Security ratings speed the process along, removing the friction encountered when technical details are necessary for the conversation. The goal is to reduce, and ideally prevent, third- and fourth-party data exposure and service interruption, protecting both the business and its customers.
- What criteria should your vendors meet in order to handle your data?
- What cyber threats pose the most risk for your business?
- How do you currently assess your vendor’s data handling practices?
Why do Security Ratings Matter?
Consequences of Cyber Risk
Cyber risk may seem like an abstract concept, but when the ramifications of cyber incidents are considered, it becomes a simple matter of business risk. Third party data exposure, through breach, leak, or cyber attack, results in financial and reputational damage for the primary company. PR efforts, identity management solutions for affected customers, and ripping and replacing the vendor who exposed the data are expensive and time consuming efforts that detract from primary business goals. Reputational damages include the trust between primary company and customers, the questioned competency of an organization that would employ insecure vendors, and the media coverage of the incident, giving prospective customers a negative first impression.
Raising the Bar in The Digital Ecosystem
Security ratings help create a standard by which cyber risk can be measured, but their ultimate goal should be to raise the bar across the board for companies working in our digital ecosystem. No longer are digital businesses isolated nodes with a few connections between them, but instead form a tightly knit fabric of dependent services. The information of nearly every person on earth travels through this ecosystem, and its integrity as a whole will determine the future of digital business. Will we create a trustworthy environment, capable of handling sensitive information and critical social services, or will the risks involved with technology finally undermine it to the point of diminished value, creating a backlash among consumers? The way businesses handle their cyber risk, especially that of their vendors, will answer this question.
From Cybersecurity to Cyber Risk
As digital systems entered the business sphere, enterprise cybersecurity became the practice of establishing a defensible perimeter around your assets and data to protect them from outside attackers. Security was something layered around existing operations and processes to help shield them. Examples of this kind include commonplace tools like firewalls, intrusion detection and prevention systems, and endpoint security software such as virus scanners or malware detectors. The cybersecurity industry thrived during the dot-com boom and into the 2000s, as businesses became fully digitized, with nearly every asset and service dependent on computer systems and networks.
Breaches and Exposure
But despite the significant investment in cybersecurity technologies, breaches, data exposure, and cyber attacks continued to rise. The stakes rose as well, as cyber attacks were no longer relegated to IT departments but affected the business as a whole, including its relationship with its customers. E-commerce overcame the initial fear of privacy loss in transferring credit card numbers and other sensitive information across the internet. A padlock in the address bar of the browser gave confidence that a transaction was secure. But of course the complexity of digital business runs far deeper than whether a web connection is encrypted at the time of a transaction. As multi-million-record breaches made headlines, that initial distrust of the internet as a place for private commerce resurfaced, and companies were forced to contend with cyber risk once again.
Cyber Risk is a Business Issue
The critical failure of traditional cybersecurity was to silo cyber risk inside the IT department and act as though it happened in a vacuum, instead of within the context of the business. The pivot to cyber risk is first and foremost a change in perspective, led by the axiom that cyber risk is business risk, and therefore must be integrated into business strategy and understood as a product of business operations. Rather than just adding technology on top of existing operations, companies aim to make themselves resilient by optimizing those operations: server deployment, migration, patching and updating, changing configurations, all the day-to-day work of an IT department. By building security into the processes themselves, the assets and data produced by those processes are at much lower risk of compromise.
Another important addition to the cyber risk perspective was the risk taken on through third- and fourth-party vendors who handle data or operate infrastructure. Many of the most severe breaches have happened at vendors of major companies, not on the company’s own infrastructure. Yet the impact of the breach is the same as if it had. This makes sense if you consider that the same data was lost: people who trusted the primary company expect their privacy to be kept, and whether the loss occurred on a server or at a vendor, the primary company suffers the damage to that relationship. Companies need a way to assess their vendors before an incident, so that by trusting a vendor to handle data, they aren’t undermining their customers’ trust in them.
- Does your organization have a cyber risk strategy?
- How do you measure the success of your cybersecurity initiatives?
- What vendors have access to sensitive information and critical systems?
What else do I need to know about security ratings?
Security ratings are relatively new, and carry their own risks. As noted by the Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources. Organizations should beware of outdated or irrelevant data, and of inaccuracies or incompleteness in an assessment. This is the reasoning behind the development of the Principles: they provide an industry standard to increase the value of security ratings across the board.
There’s much more to security ratings, especially in the technical details of how each score is calculated, different use cases, what factors it includes or omits, and how it can help to reduce cyber risk for both primary and third-party organizations. Although independent technical risk assessments are necessary to understand risk, vendor questionnaires are also critical to the process, revealing important details not seen from the outside.
The shift from traditional cybersecurity to cyber risk has many facets, but security ratings are a key element in that they make the work necessary to assess vendor risk feasible for existing organizations. The specialization necessary to master the myriad business technologies in use and on the horizon has always kept them siloed apart from other business concerns. The real value in security ratings is allowing the reintegration of technology as a primary business risk by aggregating technical details into business terms. This in turn creates a standardized model of risk by which companies can be measured, allowing businesses to make better decisions about who can access their data and infrastructure, which raises the bar across the board for how digital business is practiced, protecting customers, businesses, and vendors from the inherent dangers of their technology.
To learn more about security ratings, and how UpGuard helps companies assess, manage, and mitigate vendor risk, see how UpGuard adheres to the Chamber of Commerce’s Fair and Accurate Security Ratings. To learn how to better secure your internet footprint, see our Website Security Checklist.