Why CEO Approval Ratings Matter for Risk Assessments

Posted by UpGuard

UpGuard and CSTAR

Our new digital reputation scan provides a fast and easy way to get a risk assessment for your (or any) business. We look at the same stuff that other external risk assessment tools do: SSL configurations, breach history, SPF records and other domain authenticity markers, blacklists and malware activity. We're happy to offer this service for free, because that information is public and we believe that it's what's inside that really matters. Most of the elements we include in our external assessment are not controversial, but one resulted in arguments lasting several days: the CEO approval rating.

In selecting which checks would go into our risk assessment, we here at UpGuard looked at similar site assessment tools and selected only the checks that we thought were relevant to our goal: risk assessment, which overlaps with, but isn't identical to, website best practices. Plus, there are already fine tools for performing those best practices functions, so why duplicate them? We also intentionally omitted checks we thought would not be significant for calculating the risk of data breach and the damage it would cause.

On the other hand, we chose to include information that is outside the scope of a technical assessment, but which is profoundly important for assessing risk. Headquarters location, market capitalization, revenue, number of employees: these are all factors that contribute to the risk of a breach and how damaging that breach would be. Breach history, similarly, is not something that you can change by editing a configuration file or buying a certificate, but it is part of the set of facts that deserve to be considered when determining the risk posed by a given property. We included CEO approval rating for the same reason.

As Ashley Madison and Edward Snowden have reminded the world, insider activity is still a very real cause of data breaches. How can we assess the likelihood of a secretive attack by a privileged individual? It seems to follow that employees who feel a sense of loyalty to their company and who believe in its mission will be less likely to harm it intentionally. Vice versa, those who really don't like their employer will be more inclined to harm it. Even unintentional harm caused by circumventing security policies can be attributed in part to whether an employee believes in the leadership. One's feeling about the CEO, as well as senior management more generally and the job itself, all provide insight into a critical vector for the loss of data confidentiality.

That's the case for including this particular check. The case against including CEO approval and employee satisfaction information is that those feelings are subjective and potentially skewed by angry employees. We pull our data from Glassdoor, and at small companies you will often get a disproportionately rosy picture when the only reviews are from the first five employees. For that reason, we include the number of reviews in the risk scan to make it apparent when this is happening. But what's really frustrating for an IT or security manager is that this is a problem they can't fix. GitHub, a site we and millions of other developers use, has impeccable security controls and a lousy CEO rating. Unlike technical risks, which have the pleasing simplicity of being either present or not and have a logical path to resolution, risks posed by human subjectivity are inherently messy, probabilistic, and without a known solution.

Unfortunately, that's just how it is with information security. The adversaries are humans, which means behavior is not strictly deterministic. Only checking factors that have a reassuringly Boolean value does a disservice to our scoring and to the people who use it. Falling into a risk class that seems unfair (for example, paying more for car insurance as a single young man when you know you drive more safely than your friends) is a necessary evil of using data to price risk. The good news is that we are trying to make it possible for companies to demonstrate that they have a lower risk than is externally apparent through our digital reputation assessment. Just as a car insurance company might allow young drivers to lower their rates by demonstrating safe practices, we provide an assessment to show that internal systems are sufficiently hardened to counter the appearance of external risks.

Long story short: the CEO approval rating has stayed. If senior leadership are serious about becoming digitally resilient, it's not something they can just push down to Security and Ops. Everyone needs to be on board.
