Technology has increased the speed and scale of commerce and communication, and in turn has increased your organization's exposure to cybersecurity risk, particularly the risk of data breaches and cyber attacks.
Whether you're the CISO, Vice President of Security or just an individual contributor, you are likely looking to understand the reasons why many organizations are investing in security ratings tools to help them manage, scale, and automate their vendor risk assessment processes.
Part of the reason is the rising average cost of a data breach globally, which reached $3.92 million in 2019 according to research by the Ponemon Institute. In the United States, this number balloons to $8.19 million, and health care organizations have the highest industry cost globally at just shy of $6.5 million, likely due to the large amounts of personally identifiable information (PII) and protected health information (PHI) they process.
An investment in a security ratings tool can help your organization reduce breach risk, protect customer data, and preserve its reputation. When evaluating a tool, ask the vendor for evidence that its ratings actually correlate with breach likelihood; a rating is only useful if a low score reliably indicates a higher chance of an incident.
In addition to the reputational and financial impact, there is increasing global regulation that demands the protection of personal information and the public disclosure of security breaches. Examples include GDPR, PIPEDA, FIPA, the SHIELD Act, CCPA, and LGPD. Many of these regulations are extraterritorial: they apply based on whose personal data you process, so your organization may be in scope even if it has no physical presence in the jurisdiction.
This means there is no excuse for the mismanagement of your first- and third-party risk. In many industries, because of increased outsourcing, you will also be expected to assess the security performance of vendors deeper in your supply chain, i.e. your fourth-party and fifth-party risk.
The difficulty is that risk management often requires translating technical details such as security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms non-technical stakeholders can understand.
Security ratings (or cybersecurity ratings) are an increasingly popular way to do this, as they provide an at-a-glance assessment of cyber risk, much like a credit score does for credit risk.
The challenge for those choosing a security ratings tool is that there are many vendors (BitSight, SecurityScorecard, RiskRecon, CyberGRX, Panorays, etc.), and the methodologies they employ vary greatly, as do their results.
For example, BitSight, SecurityScorecard, and RiskRecon focus primarily on the assessment of business partners, vendors, and service providers. Read our guides on BitSight Technologies vs SecurityScorecard or RiskRecon vs BitSight to learn more about how these services compare.
In contrast, UpGuard has a complete continuous monitoring risk management solution that handles behind-the-firewall risk with UpGuard Core, vendor risk management with UpGuard Vendor Risk, and data leak detection and cybersecurity performance management with UpGuard BreachSight.
In this post, we'll help you understand what to look for in a security ratings solution, so you can make an informed decision about whether to go with SecurityScorecard, RiskRecon or UpGuard.
But before we dive into the specifics, it's important to understand what security risk ratings are and why they are important.
What are security ratings?
Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture. They are produced by an independent security rating platform, which makes them valuable as an outside-in indicator of an organization's cybersecurity performance. Because they are built from externally observable data rather than from access to internal systems, they complement, but do not replace, questionnaires, audits, and on-site assessments.
Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk.
The higher the security rating, the better the organization's observable security posture.
Security ratings are used to assess the security posture of external organizations such as vendors, investment targets, or cyber insurance applicants, as well as to assess internal risk and improve communication about cybersecurity performance.
According to Gartner, "cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships… these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs."
SecurityScorecard is a New York-based company that uses data gleaned from traffic to and from an organization, as well as other publicly accessible data, to build security ratings for evaluating vendors and pricing cyber insurance policies, among other use cases.
The platform also monitors "hacker chatter", social networks, and public data breach feeds for indicators of compromise.
SecurityScorecard's most recent funding round at the time of writing was a Series D, with participation from Nokia Growth Partners, Moody's, AXA Strategic Ventures, Intel, Google Ventures, Boldstart Ventures, Two Sigma Ventures, and Evolution Equity Partners.
RiskRecon is headquartered in Salt Lake City, UT, with a presence in Boston, MA and representatives around the world. RiskRecon was founded in 2015 by Kelly White to make it easy to gain deep, risk-contextualized insight into the cybersecurity risk performance of all third parties by continuously monitoring across 11 security domains and 41 security criteria.
Like SecurityScorecard, it can be used for third-party risk management, enterprise risk management, and mergers & acquisitions. RiskRecon is now owned by Mastercard; prior to its acquisition it received investment from Accel, Dell Technologies Capital, General Catalyst, and F-Prime Capital.