Black Kite (formerly known as NormShield) and RiskRecon are two popular security ratings services (SRS). Security ratings services focus on the analysis of publicly accessible, external data sources to perform vendor assessments, security benchmarking, and risk analysis.
Security ratings provide a data-driven, instantaneous, and always up-to-date measurement of an organization's external security posture. You can read our complete guide on security ratings here.
Most security ratings providers use similar resources and techniques to collect data, but different approaches to analyze and evaluate that data, and how it determines a company's security posture. This means that the predictive capacity of each service can vary.
For reference, common data sources include the Internet, hacker sites, social media, Internet-wide scanners, reputation services, dark web, and sinkholes.
Security ratings are becoming increasingly popular, as they can help prevent data breaches and other cyber attacks. Data breaches, according to a recent study by IBM and the Ponemon Institute, have an average cost of nearly $4 million globally.
This is why vendor risk management has become a top priority for CISOs, senior management, and frequently the Board. In addition, to financial costs, regulatory and reputational costs are on the rise too.
Governments have brought in new laws and regulations that promote or require the establishment of third-party cyber risk management programs to identify, assess, and mitigate risks created by vendors, fourth-parties, and customers.
While the United States does not have a nation-wide equivalent to GDPR, California has CCPA, Florida has FIPA, and New York has the SHIELD Act to protect the personally identifiable information of its constituents.
Outside of the United States, Brazil has introduced a very similar law to GDPR called LGPD.
Alongside the protection of PII and PHI, these laws introduce mandatory data breach notification requirements, significantly increasing the impact of inadequate vendor and cybersecurity risk management practices.
The job of a security professional encompasses much more than improving security postures and writing information security policies. One of the most sought after skills is the ability from cybersecurity risk assessments and vendor questionnaires into terms that non-technical stakeholders can understand.
And that's what many third-party risk management tools claim to do. The issue is not all security ratings platforms are equal in terms of capabilities, usability, community, pricing, releases, integrations, customers, or predictive threat intelligence capabilities.
We hope this post gives you the context you need to make an informed decision about Black Kite vs. RiskRecon, so you can decide on which tool is right for you.
Black Kite overview
Black Kite is a cyber risk rating platform that uses open-source threat intelligence and non-intrusive scanning to provide information about your vendor risk at scale.
It collects data from a wide range of places without touching any sensitive data, leveraging advances in data science and machine learning to provide high frequency and precise real-time risk assessments.
Like other security ratings providers, its data collection provides continuous risk monitoring of third-parties.
RiskRecon is a Salt Lake City-based company with a presence in Boston, MA, and representatives globally. Kelly White founded RiskRecon in 2015 to make it easy to gain deep, contextualized insights into the cybersecurity risk performance of all third-parties by using continuous monitoring and machine learning to monitor 11 security domains and 41 security criteria.
RiskRecon was recently acquired by MasterCard.