In the 1950s, the first automated systems for quantifying individual credit risk came to market. Their developers wanted to replace the qualitative, inaccurate, costly processes that lenders were using at the time. Today, credit scores are the primary measurement of creditworthiness used throughout the world.
In 2010, MIT researchers Stephen Boyer and Nagarjuna Venna set out to create a “credit score” for cyber risk. They identified similarities between the outdated risk assessment practices used by lenders in the 50s and the subjective, point-in-time risk assessment practices used by cybersecurity teams today.
Stephen Boyer (left) and Nagarjuna Venna (right)
In their initial National Science Foundation grant application, Boyer and Venna wrote: “Businesses typically rely on costly and time-consuming cybersecurity audits to inform them about the potential cyber and ensuing business risk of [a vendor] relationship.” Their objective was to “develop a scoring methodology that is credible, predictive, scalable and principally automatable.”
Funding in hand, Boyer and Venna founded BitSight — the company that would go on to pioneer security ratings.
Meanwhile, the importance of BitSight’s work was becoming clear. Massive, highly visible data breaches at companies like Target and The Home Depot were traced to a lack of third-party cybersecurity controls. Regulatory pressure to do something about third-party risk increased in many industries.
Following these high-profile breaches, cybersecurity professionals started looking at their third-party risk management programs and realizing that the status quo wasn’t sustainable. They sought a solution that could fill the gaps in their programs. Today, security ratings are a core component of cybersecurity programs at many leading businesses and government agencies.
Importantly, security ratings have proven useful for more than just analyzing third-party vendor risk.
Many security and risk leaders find security ratings invaluable for reporting cybersecurity results to their Boards of Directors. Businesses have taken to using their own ratings as a measure of performance, and have used industry averages and competitor ratings to inform goal setting and decision making. Cyber insurance underwriters use security ratings to assess their applicants’ risk profiles. Private equity firms use ratings in their assessments of current investments and acquisition targets.
“By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…Over the next five years, these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.”
Increased adoption of security ratings has been followed by increased competition. BitSight remains the largest security ratings services (SRS) vendor, but other providers have begun vying for market share as well.
Security ratings are a data-driven, dynamic measurement of an organization’s cybersecurity performance. Ratings are derived from objective, verifiable information and created by independent organizations.
Security ratings can be thought of as key performance indicators: one metric, typically a number, represents an organization’s overall cybersecurity performance. Some SRS providers make it possible to acquire more specific ratings for certain risk vectors as well.
Security ratings are a continuous monitoring solution. They’re automatically generated and updated frequently, so they represent a near-real-time analysis of cybersecurity posture.
Critically, security ratings are also a common language that can be spoken by both technical and non-technical individuals. In this way, security ratings enable conversations between cybersecurity/IT professionals and other members of an organization that can improve decision making.
Some security ratings have been proven to correlate with data breach risk. For example, independent research shows that BitSight Security Ratings correlate to data breaches — companies with a BitSight Security Rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.
All security ratings are based on objective, externally observable, continuously available information. Each security ratings services provider uses different data to generate their ratings. However, these data points can be categorized broadly into four categories: compromised systems, diligence, breach events, and user behavior.
COMPROMISED SYSTEMS
This category includes factors like botnet infections, potentially exploited machines, and malware servers. Compromised systems data shows what’s actually going on within an organization’s IT infrastructure, and is therefore some of the most important information for determining how secure an organization is at any moment.
DILIGENCE
Diligence data, also called hygiene data, includes data points like patching cadence, TLS/SSL certificates, and open ports. SRS providers compare these data points to best practices to determine whether an organization is being diligent or delinquent when it comes to cyber risk reduction.
BREACH EVENTS
Security ratings take into account information about publicly disclosed breaches. This information is gathered from news sources, breach aggregators, credit card investigations, internal breach disclosures, and sometimes chatter on the dark web. Companies that have experienced one or more publicly disclosed breaches typically have a lower security rating.
USER BEHAVIOR
This category includes information on file sharing activity, leaked usernames and passwords, and other user-related risk vectors. Certain user behaviors contribute to an increased risk of data breach.
Some SRS providers will only use data from one of the categories detailed above. Some will use all four. No matter how much data is used, all of it is collected via the internet, either through the SRS providers’ own research and systems or from vetted third-party sources. SRS providers do not perform penetration tests or malicious attacks on company networks in order to collect information.
Collecting data is only the first step in calculating a security rating; the data must then be mapped to individual organizations.
On the open internet, it’s not clear which data points belong to which business units, governments, or individuals. One critical function performed by any security ratings services provider is to analyze data using a combination of automated processes and manual techniques to create organizational maps.
These maps show the ratings algorithm which data points are relevant to which organization, enabling the creation of an accurate security rating.
Not all security ratings provide the same accuracy or level of risk insight. Each security ratings services provider has access to different data sets and different mapping techniques. Each provider’s ratings are also based on a unique mix of data points (e.g. 60% compromised systems, 30% diligence, 10% user behavior).
Security ratings are used to assess the cybersecurity of external organizations like vendors, investment targets, or insurance applicants. They’re also used to assess internal risk and improve communication around cybersecurity performance.
THIRD-PARTY RISK MANAGEMENT (TPRM)
The original application of security ratings was to improve third-party risk management (TPRM). In this area, quality security ratings give cybersecurity professionals the confidence to make faster, more strategic risk management decisions.
In TPRM, security ratings supplement and sometimes replace traditional vendor risk assessment techniques, such as questionnaires, on-site visits, and penetration tests. These techniques are relatively subjective, time-consuming, and (most importantly) only produce results for a single point in time.
In the increasingly connected global economy, the blind spots created by traditional third-party risk management techniques simply aren’t acceptable for many businesses.
As continuous, objective measures of an organization’s cybersecurity posture, security ratings introduce a new TPRM technique to increase visibility, improve monitoring capabilities, and add a layer of quantification. They reduce the burden on TPRM teams during vendor selection, onboarding, and monitoring, enabling more comprehensive and frequent analysis.
Security ratings give cybersecurity teams the ability to instantly identify the vendors they should be focusing on. Instead of applying the same amount of resources to assessing each vendor, they can quickly see a list of vendors with the lowest security ratings and target them for additional analysis. Many security ratings platforms can also be set to notify users in the event of a third party’s rating going above or below certain thresholds.
Another important note: security ratings can be shared with vendors to improve remediation efforts. Some SRS platforms offer users the ability to invite their third parties into the system to view their profiles and see which factors are negatively impacting their ratings. Users have reported massive improvements in the average cybersecurity posture of their vendors after sharing their security ratings.
OTHER THIRD PARTIES
Third-party risk management programs are typically charged with assessing and monitoring the security of vendors and data partners. However, some organizations have extended this sphere, using security ratings to assess other kinds of third parties.
Cyber insurance companies have adopted security ratings as a key component of the underwriting process. BitSight reports that nearly 50% of cyber insurance premiums in the market are currently written by its customers.
Many companies, especially those in the venture capital and private equity spaces, use security ratings as part of their M&A due diligence processes. This has significantly reduced the time it takes to complete assessments of potential M&A targets and portfolio companies. Firms also leverage security ratings to continuously monitor the security posture of their investments on an ongoing basis.
SECURITY PERFORMANCE MANAGEMENT (SPM)
Today, security is becoming a critical competitive issue, alongside classic differentiators like price and performance. Demonstrating strong cybersecurity is becoming critical to winning and maintaining business.
Perhaps as a result of this shift, security ratings have expanded beyond their original use case as a third-party risk management solution. Now, many organizations use security ratings to monitor and manage their own cybersecurity performance.
Security performance has historically been difficult to quantify. Specific technical metrics like the number of ports closed, software patches made, or botnet infections in a system are too narrow to reflect security performance as a whole. Meanwhile, overall metrics like number of confirmed incidents involve too many variables.
With security ratings, security and risk leaders finally have an objective, independent, and broadly adopted key performance indicator to continuously assess security posture, set goals, track progress, and report meaningful information to executives and the Board.
Using security ratings helps security leaders take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program. Through broad measurement, continuous monitoring, and detailed planning and forecasting, organizations are able to measurably reduce their cyber risk.
Security ratings enable improved prioritization of cybersecurity tasks, resulting in more effective resource allocation. By diving into the individual risk vectors that make up a security rating, a CIO or CISO can determine (in near-real-time) which areas are exposing their organization to the greatest amount of cyber risk.
Rather than spend time and money receiving diminishing returns on areas where their performance is rated as good or excellent compared to their peers, security leaders can shift resources into areas with more critical need.
As an easy-to-understand, standardized language of cybersecurity, security ratings allow for data-driven conversations among key stakeholders, including the security team, executives, Board members, regulators, investors, and key business partners. Using security ratings, budgets and other key decisions can be made with clarity.
Security ratings can also be used for benchmarking. By comparing the organization’s current security rating to past performance, security leaders can accurately gauge whether or not their team’s efforts are paying off. This same technique can be used to assess the ROI of expensive cybersecurity technologies or services.
Because security ratings are standard and externally observable, they can also be used to compare an organization’s performance against peers, competitors, or industry averages. Some SRS providers make convenient industry benchmarks available in their platforms.
Not all security ratings are equally effective at determining cyber risk. Each security ratings services provider has their own data, methodology, network, and service options.
Selecting a security ratings services provider requires going beyond standard vendor selection considerations like reviews and cost. An understanding of how security ratings work is necessary to determine which ratings will give you the most accurate picture of cyber risk.
Three important criteria to consider when choosing an SRS vendor are data quality, community size, and customer experience.
DATA QUALITY
As discussed above, different security ratings services providers have access to different data sets. The data points they do collect must then be accurately mapped to individual organizations. Additionally, the recipe that makes up the security rating will vary from vendor to vendor.
Of the four categories of cyber risk data (compromised systems, diligence, breach events, and user behavior), compromised systems is the most difficult category to track. Collecting and analyzing this information requires a sinkhole — a system that can capture communications from infected machines on their way to their command and control servers.
Capturing enough traffic to deliver meaningful results on malware and other infections for individual organizations is complicated and expensive, and it’s not something every SRS provider has the ability to do. BitSight, for example, controls the largest sinkholing infrastructure in the world, processing over 12.2 billion events every day. Some of their competitors have no visibility into infections on organizations’ networks, relying instead on diligence vectors and reported breaches to create their ratings.
There are also differences between vendors regarding mapping — the attribution of data to unique organizations. A provider can take in mountains of data, but without the resources and processes for mapping that data back to specific organizations accurately, it won’t do the end user any good.
The goal of security ratings is to keep organizations continuously informed about cyber risk. A rating being “accurate” or “high-quality” depends on its ability to reflect true cyber risk (i.e. the potential for a successful cyber attack or data breach).
While some organizations claim to have correlated their ratings with true cyber risk, not all have had those claims verified by independent research. Independent verification of accuracy is a major differentiator for leading SRS providers like BitSight.
Another data quality indicator is length of rating history. To accurately assess the relative cybersecurity performance of an organization or its third parties, one must be able to see how they performed in the past. Some SRS providers include up to a year of historical data for the mapped organizations in their databases, while others can only promise data from the time a user purchases their services.
COMMUNITY SIZE
Security ratings are subject to the network effect — that is, they become more valuable as more users take advantage of them.
In any security ratings platform, end users may verify the results of their own organization and the organizations they work with, flag potential errors, and add clarifying notes. The more users actively engaged with a platform, the better the data becomes.
For this reason, the size of an SRS provider’s user base is an important factor in determining rating quality. BitSight, the creator of security ratings, has the largest and most productive user base among SRS providers by a wide margin, with more than 1500 users as of Q1 2019. They have over 100,000 pieces of user-generated data in their system, each contributing to a wider and more accurate database.
PLATFORM & SERVICE
Finally, SRS providers are differentiated by the usability of their software, the methods by which they deliver security ratings, and the quality of their customer service.
Security ratings are data products, but they’re also SaaS products. The usability (or unusability) of a platform can affect the value one gets from the data. It’s important to test out the front end of these various platforms before choosing an SRS provider.
Many SRS providers offer certain features as part of their software, such as automated alerts, risk management tools, and network mapping. API availability is also important for integrating ratings into an existing risk management software ecosystem. To get maximum ROI from a security ratings service, it’s important to align available features with one’s organizational priorities.
When deciding on an SRS provider, it’s also critical to keep in mind their level of knowledge and experience. Longstanding security ratings services providers with a history of excellent service are now able to offer much more than tech support, and some even package assistance starting or optimizing cyber risk management programs as part of their services. BitSight, for example, has leveraged its experience working with some of the world’s most complex organizations and created a program to help onboard new customers and develop their risk management capabilities.
SBIR Phase I: Enterprise Cyber Security Scoring
Gartner Innovation Insight for Security Rating Services
BitSight: What Are Security Ratings?
BitSight Security Ratings Datasheet
How BitSight Calculates Ratings
The Forrester New Wave™: Cybersecurity Risk Rating Solutions, Q4 2018
Deloitte Third-party governance and risk management Global Survey 2016