Insights | Case Study

What are Cybersecurity Risk Ratings?

What are Cybersecurity Risk Ratings?

If you’re familiar with a credit score, you already have a better understanding of cybersecurity risk ratings than you think. A credit score is a quick and easy way to tell lenders about your creditworthiness, providing a prediction of how likely you are to pay back a loan on time.

Similarly, cybersecurity risk ratings, or security ratings, provide a quick and easy way to communicate an organization’s cybersecurity posture to internal teams, executives, and existing or potential third-party vendors.

Why Cybersecurity Risk Ratings

In our increasingly digital world, Gartner, a global research and advisory firm, expects that security ratings will reach the status a credit score holds today when assessing the risk of existing and new business relationships. Soon, you may be as familiar with your organization’s security rating as you are with your own credit score; the future of your business may depend on it. Cybersecurity ratings are a useful tool to better understand or improve the cybersecurity posture of any organization, and to initiate risk-based discussions with company leadership or with third parties when establishing new business relationships.

Security Ratings Help Manage Internal Security and Third-Party Risk

Cybersecurity risk ratings are data-driven, quantifiable measurements of an organization’s overall cybersecurity performance and based off of a cybersecurity risk assessment. The scores are intended to provide organizations of all industries with an independent view into the security practices of the organization itself, as well as for their third-party vendors. Third-party vendors provide products and services to customers on behalf of an organization and as a result have access to sensitive company and customer data. When giving third parties access to sensitive data, it becomes crucial to consider their cybersecurity ratings so that the relationship does not become a vulnerability.

Organizations are increasingly intertwined with a growing number of third-party vendors. Not only do today’s third parties require more access to the primary organization’s data assets, but they are also increasingly working with their own third-parties. According to Gartner, this has multiplied the size and complexity of third-party networks. It is a critical challenge for organizational leaders to manage the risks associated with third-party networks while remaining efficient and productive with no hinderance to the speed of business. Obtaining security ratings for your organization and third parties helps to secure your internal environment, as well as mitigate the growing risk associated with third parties.

Where Security Ratings are Falling Short

As with credit score providers, there are currently several security rating providers on the market. Despite the benefits of cybersecurity ratings, the businesses and third-party vendors who currently use them are sometimes left dealing with ratings that fail to capture the true picture of their organizational cybersecurity posture. This is because there is currently no universal scoring method for cyber risk ratings, making it so different providers can potentially deliver different risk scores depending on the data chosen for assessment. If a company feels their score is not valid, the existing processes to dispute ratings are tedious and difficult to overturn. Current cyber risk ratings providers utilize open-sourced intelligence, or data gathered from publicly available sources. While this information is valuable to scoring, only assessing open-sourced data means a company’s score could be marked by the narrow scope of information available publicly or by information that is not updated regularly.

Current cybersecurity ratings providers also fail to utilize input from the companies and vendors that are being rated. When positioned as a benefit, this makes the ratings sound convenient and easy, as little input or resources are required from the company being scored.  Unfortunately, this also prevents the company being rated from being able to provide verifiable and valid data that could strengthen their score, furthering the potential for ratings that fail to depict the true organizational security posture.

The Data Makes the Score

Given the shortcomings in the current cybersecurity risk ratings market, myCYPR aims to help organizations accurately identify and manage risk internally and for their third-party vendors. While current security rating providers only score organizations based on a single data set, myCYPR offers organizations the choice of up to three data sets. These data sets range from open-sourced intelligence to a highly detailed next generation security assessment, backed by the expertise of a cybersecurity consulting team. The range of options allows organizations to customize a program to match their unique budget, organization size, risk profiles, or for multiple third-party vendors. The cybersecurity consulting power behind myCYPR also allows organizations to be involved with their own score by providing data for consultants to consider in the scoring process using an interactive web dashboard. Combined, myCYPR’s features allow organizations to be more involved in the risk rating process and deliver the most accurate risk score possible.

As cyber security ratings become increasingly vital to business operations, it will be equally as important to choose the right risk rating provider. See, score, and secure your organization with myCYPR.

Anchor to launch new product, myCYPR, at the RSA Conference in Feb. 2020

Event

Anchor Technologies will participate in the RSA Conference this year! We will be in the expo at booth 5355. This booth and conference will serve as the official launch for the myCYPR™ cybersecurity ratings platform.

myCYPRis the COMPLETE cybersecurity ratings platform. Combining multiple perspectives on risk data to mange your cybersecurity posture or manage a customized risk program for your vendors.

Make sure to check out our website, white papers and blog postings to gain a full understanding of what this new and revolutionary solution will offer.

Also stay tuned, as we will be announcing product details and several offers to get FREE conference expo passes over the next several weeks. If you will be at the conference, drop a comment below and let everyone know and make sure to come by the booth to say hello and get more details on the solution.

Why a Cybersecurity Ratings Platform?

Introduction

A cybersecurity ratings platform provides a quick and easily communicated perspective on an organization’s cybersecurity risk profile. A cybersecurity rating alone isn’t terribly new or revolutionary. Several security assessment vendors have offered a score as a method of communicating an overall risk profile. The addition of a web-based dashboard and interactive platform evolves the concept of a risk score into a risk management solution allowing for a much more advanced way to interact with the findings data and remediation requirements. The largest challenge of the traditional security assessment exercise is effectively remediating ALL of its findings. It can be a daunting task and often a percentage of the findings are not addressed due to a poorly communicated recommendations or remediation fatigue. A primary goal of the Cybersecurity Ratings Platform is to provide a solution which evolves the cyber risk management process improving effectiveness and complete remediation.

Many breaches today are the results of hackers exploiting weaknesses that had actually been identified previously in a security assessment. Well-known examples of this were the Home Depot 56 million credit card breach of 2014 and the crippling City of Baltimore ransomware compromise of 2019. In both cases evidence was made public that prior security assessments had identified the weaknesses exploited.

The cybersecurity ratings platform will provide multiple levels of perspective into the risk data through an easy to consume web-based dashboard. This platform will solve five significant issues with the current market ratings and assessment solutions.

Problem #1 Solved: Risk data is difficult to consume and remediate.
The web-based dashboard will allow the organization to see risk data at a high “10,000 foot” perspective first with an overall summary rating or score based on a FICO™-like and relatable score from 250 to 900. The dashboard will also break down the data into digestible categories of risk, such as technical vulnerabilities, operational maturity and application risk. The drill-down methodology will enable the user to drill into as much specific finding and remediation data as they are ready to consume. It will also provide a way to track progress and dynamically update the score based on the progress or remediation. At various points along the way a downloadable report is available.

Problem #2 Solved: Risk data used in legacy ratings solutions is unreliable.
Some vendors have decided that cheap is good in security and have created ratings systems based solely on free publicly available historical data, also known as open source intelligence (OSINT), to score an organization on their risk posture, others have added on self-assessment as a means to improve reliability. Both of these methods for data collection have some value, but should be implemented within a complete program where various levels of risk data accuracy and reliability can be married up with the organization’s data security requirements. Very often evaluating a vendor based on historical and uncontrollable independent public data may not produce a result reflective of the actual risk posture facts for the targeted organization. A reliable solution should included risk data from multiple sources, internal audited operational security (OPSEC) data as well as OSINT.

Problem #3 Solved: Risk planning, prioritization and budgeting is difficult and time-consuming.
Many organizations today have some sort of budget for cybersecurity risk remediation. However, the plethora of successful breaches has grown to epidemic proportions. One of the key issues is a misalignment of the security spend with the actual risk present in the organization. Many products are being implemented as the primary solution to cyber risk, when other areas of the risk landscape are prioritized lower in the budget and may never be implemented. Enter the need for better alignment between What to address first?, How much will it cost?, and What will improve my score the most? The best cybersecurity ratings platform will include a method of easily visualizing the highest risk findings and what remediation is estimated to cost, so that remediation can be prioritized based on largest risk remediation and effective budget management.

Problem #4 Solved: Defining risk posture between audits is unreliable.
Many organizations perform security assessments annually or at least every two years. Typically, remediation efforts extend past the deliverable presentation by a few months to even the next budget cycle. Often it quickly becomes very difficult to clearly define how much these efforts have improved the security posture without rerunning the assessment. A cybersecurity ratings platform provides a method of remediation tracking and dynamically updates an “unaudited” security posture rating so that the organization can understand its current risk state and communicate progress. The platform can also offer scenario based risk remediation planning so that remediation scenarios can be run prior to spending actual budget to determine how the risk posture would be impacted.

Problem #5 Solved: Regulatory and compliance goals are often a separate unconnected effort from the security assessment.
Cybersecurity standards and regulations are a part of almost every CIO’s playbook. Most organizations are required or have voluntarily chosen to comply with a cybersecurity standard or regulations, such as the NIST Cybersecurity Framework (NIST CSF), the Center for Internet Security’s Critical Security Controls (CIS CSC), or the Payment Card Industry’s Data Security Standard (PCI DSS), or ISO/IEC 27001. Publicly traded companies have SOX, Healthcare has HIPAA, banking has FFIEC, GLB and many others, Education has FERPA, the entire European Union has GDPR, Federal Contractors and sub-contractors have NIST 800-171, FISMA, CMMC, FedRamp and more. Many organizations also have to comply with multiple sets of standards, still more are mandated to comply with prime vendor questionnaires or the AICPA SOC2, AUP or SIG. Wouldn’t it be nice to bind all of these efforts into one effort? One platform? Most of the standards and regulations have overlapping security requirements by at least 80%. The cybersecurity rating and assessment effort already gathers data on most of these control implementations. The cybersecurity rating platform should offer mappings of the risk data to the appropriate standards and regulatory requirement. It would therefore be able to communicate a compliance gap analysis and remediation plan.

Just like a FICO™ credit score, data is collected, an analysis performed and a score produced. Cybersecurity risk ratings are exactly the same with different data. Key differences in solutions present themselves when you look at the data used to develop the rating. To date, solutions in the market have focused their data set on one or two of three groupings of data: Operational Security (OPSEC), Open Source Intelligence (OSINT), and Governance, Risk and Compliance (GRC).

OPSEC data is time consuming and detailed in its collection. It requires cooperation with the rated target organization to allow data collection access and provide key pieces of business related data. This is also historically similar to what is commonly called a Security Assessment, although market definitions of the standard security assessment vary widely in scope and cost. OPSEC data is the most accurate data available when evaluating an organization’s risk posture.

OSINT data is free and allows for a completely independent collection of data from the rated target. This data is collected from the public Internet and generally grouped along three categories: IT Hygiene, User Behavior and Public Disclosures. The organized collection of this data is newer to the market than the other two. The collection of this data is also highly automated reducing collection costs but reducing accuracy and reliability.

GRC data is collected typically as part of compliance management program or Gap Analysis. This data is also typically laborious to collect and document requiring the organization’s cooperation. Most data is organized in groupings of “controls” aligning to a published standard from CIS, NIST or ISO or a regulation such as HIPAA, FISMA, GDPR, CMMC or PCI.

Data acquisition of these various types are gathered in three categories. Collection be automated in some cases which is typical for OSINT data. It can also be gathered through a self-attestation or self assessment questionnaire which is a method used with portions of GRC and OPSEC data. Lastly and most commonly data is collected through a facilitated exercise with a security practitioner or auditor. The last method is most accurate and generally more expensive the the other methods.

The myCYPR solution is a complete cybersecurity ratings platform. It supports all three data types, provides multi-layered reporting and visibility and most importantly provides detailed findings and actionable recommendations for remediation.