The largest challenge of the traditional security assessment exercise is effectively remediating all of its findings. Poorly communicated recommendations or remediation fatigue can prevent the addressing of all findings, making the task seem daunting. A cyber security ratings platforms offer a new and advanced way to manage an organization’s cybersecurity risk profile. Cyber security ratings terribly new or revolutionary. However, myCYPR takes it a step further with its interactive web-based dashboard for managing findings and remediation. This evolves the concept of a cyber security rating into a risk management solution allowing for a more advanced way to address risk and remediate all findings.
Today, hackers often exploit vulnerabilities that were previously identified in security assessments. The Home Depot and City of Baltimore breaches are well-known examples of this, as evidence showed that prior assessments had identified the weaknesses that were exploited.
myCYPR provides multiple levels of perspective into risk data through its easy to consume web-based dashboard. This platform solves five significant issues with current market rating and assessment solutions, improving remediation efforts.
Problem 1: Risk data is difficult to consume and remediate.
The web-based dashboard provides a high-level overview of an organization’s risk data through an overall score ranging from 250 to 900, similar to a credit score. It also breaks down risk into categories like technical vulnerabilities, operational maturity, and application risk. Users can drill down into specific findings and remediation data as needed and track progress, which dynamically updates the score. A downloadable report of findings is available at various points.
Problem 2: Risk data used in legacy ratings solutions is unreliable.
Many risk rating vendors use free public data, or open-source intelligence (OSINT), to score an organization’s risk posture. Others separately include self-assessment to improve reliability. However, both methods should be used within a program that considers risk data accuracy and reliability. Relying solely on historical and uncontrollable public data may not reflect the actual risk posture. A reliable solution, like myCYPR, includes risk data from multiple sources, including internal audited operational security (OPSEC) data and OSINT.
Problem 3: Risk planning, prioritization and budgeting is difficult and time-consuming.
Organizations have a cybersecurity risk remediation budget, but successful breaches are still prevalent due to misaligned spending. The issue is prioritizing some areas of the risk landscape over others, resulting in ineffective implementations. The platform can better align priorities by visualizing the highest risk findings and estimated remediation costs for effective budget management.
Problem 4: Defining risk posture between audits is unreliable.
Organizations often perform security assessments annually or biennially, and remediation efforts can last beyond the presentation period. Without rerunning the assessment, it’s difficult to gauge the extent of improvement in security posture. A cybersecurity ratings platform, like myCYPR, can track remediation progress and update the security posture rating dynamically, offering scenario-based remediation planning to determine the impact on risk posture before spending the budget.
Problem 5: Regulatory and compliance goals are often a separate unconnected effort from the security assessment.
Organizations must comply with various cybersecurity standards and regulations, such as NIST CSF, CIS CSC, PCI DSS, and ISO/IEC 27001. Compliance is mandatory for publicly traded companies (SOX), healthcare (HIPAA), banking (FFIEC, GLB), education (FERPA), EU (GDPR), federal contractors (NIST 800-171, FISMA, CMMC, FedRamp), and more. Compliance with multiple sets of standards can be challenging, but the myCYPR platform can consolidate these efforts. The platform maps risk data to appropriate standards and regulations to provide a compliance gap analysis and remediation plan.
Behind the Cyber Security Ratings: The Data
Similar to a credit score, cybersecurity risk ratings involve collecting data, performing an analysis, and generating a score. However, the quality of the solution depends on the data used to calculate the rating. Currently, solutions in the market focus on one or two of three data groupings: Operational Security (OPSEC), Open Source Intelligence (OSINT), and Governance, Risk and Compliance (GRC).
Operational Security (OPSEC)
Collecting OPSEC data is a time-consuming and detailed process, requiring the cooperation of the rated organization to provide key business-related data and access to collect it. This process is similar to a security assessment, but definitions of the standard security assessment can vary in scope and cost. Despite the effort required, OPSEC data is considered the most accurate data for evaluating an organization’s risk posture.
Open Source Intelligence (OSINT)
The collection of OSINT data is completely independent and freely available, making it a cost-effective option. The data is typically grouped into three categories: IT hygiene, user behavior, and public disclosures. Compared to Operational Security (OPSEC) data, collecting OSINT data is less time-consuming and more automated. However, the accuracy and reliability of the data can be lower due to the lack of cooperation from the rated target organization. Nonetheless, OSINT data remains a valuable source of information for evaluating an organization’s risk posture.
Governance, Risk, & Compliance (GRC)
The collection of GRC data is usually part of a compliance management program or gap analysis, and it requires the organization’s cooperation. It is typically organized into groupings of controls that align with published standards from CIS, NIST, or ISO, or with regulations such as HIPAA, FISMA, GDPR, CMMC, or PCI. The collection and documentation of this data can be a laborious process.
The data acquisition process for these types of data falls into three categories. OSINT data can be collected through automation, while self-attestation or self-assessment questionnaires are used for parts of GRC and OPSEC data. The most accurate method is data collection through a facilitated exercise with a security practitioner or auditor, although it is generally more expensive than the other methods.
myCYPR is a comprehensive cybersecurity ratings solution that incorporates all three data types, allowing for detailed and multi-layered reporting and visibility. The platform also offers detailed findings and actionable recommendations to address identified cybersecurity gaps and improve an organization’s overall security posture.