Insights | White Paper

Why a Cybersecurity Ratings Platform?

Introduction

A cybersecurity ratings platform provides a quick and easily communicated perspective on an organization’s cybersecurity risk profile. A cybersecurity rating alone isn’t terribly new or revolutionary; several security assessment vendors have offered a score as a method of communicating an overall risk profile. The addition of a web-based dashboard and interactive platform evolves the concept of a risk score into a risk management solution, allowing for a much more advanced way to interact with the findings data and remediation requirements. The largest challenge of the traditional security assessment exercise is effectively remediating ALL of its findings. It can be a daunting task, and often a percentage of the findings are not addressed due to poorly communicated recommendations or remediation fatigue. A primary goal of the Cybersecurity Ratings Platform is to provide a solution which evolves the cyber risk management process, improving effectiveness and enabling complete remediation.

Many breaches today are the result of attackers exploiting weaknesses that had already been identified in a prior security assessment. Well-known examples of this were the Home Depot 56 million credit card breach of 2014 and the crippling City of Baltimore ransomware compromise of 2019. In both cases evidence was made public that prior security assessments had identified the weaknesses exploited.

The cybersecurity ratings platform will provide multiple levels of perspective into the risk data through an easy-to-consume web-based dashboard. This platform will solve five significant issues with the current market ratings and assessment solutions.

Problem #1 Solved: Risk data is difficult to consume and remediate.
The web-based dashboard will allow the organization to see risk data at a high “10,000 foot” perspective first, with an overall summary rating or score based on a FICO™-like and relatable scale from 250 to 900. The dashboard will also break down the data into digestible categories of risk, such as technical vulnerabilities, operational maturity and application risk. The drill-down methodology will enable the user to drill into as much specific finding and remediation data as they are ready to consume. It will also provide a way to track progress and dynamically update the score based on the progress of remediation. At various points along the way a downloadable report is available.

Problem #2 Solved: Risk data used in legacy ratings solutions is unreliable.
Some vendors have decided that cheap is good in security and have created ratings systems based solely on free, publicly available historical data, also known as open source intelligence (OSINT), to score an organization on its risk posture. Others have added self-assessment as a means to improve reliability. Both of these methods of data collection have some value, but they should be implemented within a complete program where various levels of risk data accuracy and reliability can be married up with the organization’s data security requirements. Very often, evaluating a vendor based on historical and uncontrollable independent public data does not produce a result reflective of the actual risk posture of the targeted organization. A reliable solution should include risk data from multiple sources: internally audited operational security (OPSEC) data as well as OSINT.

Problem #3 Solved: Risk planning, prioritization and budgeting is difficult and time-consuming.
Many organizations today have some sort of budget for cybersecurity risk remediation. However, the plethora of successful breaches has grown to epidemic proportions. One of the key issues is a misalignment of the security spend with the actual risk present in the organization. Many products are being implemented as the primary solution to cyber risk, while other areas of the risk landscape are prioritized lower in the budget and may never be addressed. Enter the need for better alignment between three questions: “What should I address first?”, “How much will it cost?” and “What will improve my score the most?” The best cybersecurity ratings platform will include a method of easily visualizing the highest-risk findings and what their remediation is estimated to cost, so that remediation can be prioritized by the largest risk reduction and managed effectively within the budget.

Problem #4 Solved: Defining risk posture between audits is unreliable.
Many organizations perform security assessments annually or at least every two years. Typically, remediation efforts extend past the deliverable presentation by a few months, or even to the next budget cycle. It often quickly becomes very difficult to clearly define how much these efforts have improved the security posture without rerunning the assessment. A cybersecurity ratings platform provides a method of remediation tracking and dynamically updates an “unaudited” security posture rating so that the organization can understand its current risk state and communicate progress. The platform can also offer scenario-based risk remediation planning, so that remediation scenarios can be run prior to spending actual budget to determine how the risk posture would be impacted.

Problem #5 Solved: Regulatory and compliance goals are often a separate unconnected effort from the security assessment.
Cybersecurity standards and regulations are a part of almost every CIO’s playbook. Most organizations are required, or have voluntarily chosen, to comply with a cybersecurity standard or regulation, such as the NIST Cybersecurity Framework (NIST CSF), the Center for Internet Security’s Critical Security Controls (CIS CSC), the Payment Card Industry’s Data Security Standard (PCI DSS), or ISO/IEC 27001. Publicly traded companies have SOX; healthcare has HIPAA; banking has FFIEC, GLB and many others; education has FERPA; the entire European Union has GDPR; federal contractors and sub-contractors have NIST 800-171, FISMA, CMMC, FedRAMP and more. Many organizations also have to comply with multiple sets of standards, and still more are mandated to comply with prime vendor questionnaires or the AICPA SOC 2, AUP or SIG. Wouldn’t it be nice to bind all of these efforts into one effort? One platform? Most of the standards and regulations have overlapping security requirements by at least 80%. The cybersecurity rating and assessment effort already gathers data on most of these control implementations. The cybersecurity rating platform should therefore offer mappings of the risk data to the appropriate standards and regulatory requirements, and would then be able to communicate a compliance gap analysis and remediation plan.

Just like a FICO™ credit score, data is collected, an analysis is performed and a score is produced. Cybersecurity risk ratings work exactly the same way with different data. Key differences between solutions present themselves when you look at the data used to develop the rating. To date, solutions in the market have focused their data set on one or two of three groupings of data: Operational Security (OPSEC), Open Source Intelligence (OSINT), and Governance, Risk and Compliance (GRC).

OPSEC data is time-consuming and detailed in its collection. It requires cooperation with the rated target organization to allow data collection access and to provide key pieces of business-related data. This is also historically similar to what is commonly called a Security Assessment, although market definitions of the standard security assessment vary widely in scope and cost. OPSEC data is the most accurate data available when evaluating an organization’s risk posture.

OSINT data is free and allows for a completely independent collection of data about the rated target. This data is collected from the public Internet and is generally grouped into three categories: IT Hygiene, User Behavior and Public Disclosures. The organized collection of this data is newer to the market than the other two. The collection of this data is also highly automated, which reduces collection costs but also reduces accuracy and reliability.

GRC data is typically collected as part of a compliance management program or Gap Analysis. This data is also typically laborious to collect and document, requiring the organization’s cooperation. Most data is organized in groupings of “controls” aligned to a published standard from CIS, NIST or ISO, or to a regulation such as HIPAA, FISMA, GDPR, CMMC or PCI.

Data of these various types is acquired in one of three ways. Collection can be automated in some cases, which is typical for OSINT data. It can also be gathered through a self-attestation or self-assessment questionnaire, which is a method used with portions of GRC and OPSEC data. Lastly, and most commonly, data is collected through a facilitated exercise with a security practitioner or auditor. The last method is the most accurate and generally more expensive than the other methods.

The myCYPR solution is a complete cybersecurity ratings platform. It supports all three data types, provides multi-layered reporting and visibility and, most importantly, provides detailed findings and actionable recommendations for remediation.