A response to Security Ratings - Love, Loathe or Live With Them

Jay Roxe | December 21, 2020 | tag: Security Ratings

A week ago (which seems like a world ago given everything that’s happened with SolarWinds) Phil Venables -- formerly CISO of Goldman Sachs and now CISO of Google Cloud -- posted an interesting exposé on security ratings. Phil has a better perspective than most on the value and challenges of ratings, not only because of the positions he has held but also because he is one of the authors of the Principles of Fair and Accurate Security Ratings. These principles also guide how BitSight thinks about our rating overall.

Phil’s post is excellently written and I agree with almost all of it. I wanted to take a few minutes to add some additional thoughts and things for people to think about.

The security industry has changed dramatically over the past week with the announcement of the SolarWinds breach and the focus on the importance of the supply chain as a vector of attack. It’s certain to continue to evolve. Security leaders, executives and boards of directors are already starting to evaluate how to assess the damage and what solutions they need to put in place to enhance the security of their environment. Visibility into third- and fourth-party risk, and a common language to communicate the impact to all stakeholders, need to be part of that solution.

Security is missing a common language

Phil starts his post by asking if ratings are necessary and cites many examples of ratings -- imperfect and improving -- in other industries. Ratings are necessary both for the quantification aspect and because security has a fundamental challenge: We lack a common language that can be understood by all constituents, not just the technically sophisticated.

Let’s take an example from another industry: The balance sheet was created in 1494 by Luca Pacioli, a friend of Leonardo da Vinci’s, and was one of the first ways of communicating the financial health of a company. More than 500 years later, this tool is well embedded in our financial conversations -- it’s a common language that boards, investors, and operators can use to understand the health of a company. Security is not more complicated than finance (as anybody who has had to model a T-account can tell you!). However, we have not given those outside of the security domain a language for communicating with other stakeholders. This language -- and that understanding -- is a fundamental requirement for assessing, monitoring, quantifying, and accepting a certain level of cyber risk. There is never perfection, but we, as a security industry, owe it to our constituents to make it possible to manage cyber risk in the same way that the business is empowered to manage other risks.

Ratings are one way of delivering that common language, giving people a degree of benchmarking, insight, and guidance on which changes are going to make the largest difference to a company’s performance as a whole.

A solid signal, but not the only signal

One milepost for success for any rating is whether it helps to create or advance a given market, or to reduce friction within it. Phil cites the example of credit ratings (more about that later), which allow for trade and risk understanding in the massive consumer credit market. We’re starting -- but only starting -- to see security ratings take on that same importance.

One only needs to spend a few minutes with the news over the past months to see an increase in cyber attacks from ransomware, phishing, and third-party breaches. All of these are being pushed to the background by the SolarWinds breach highlighting supply chain risk, but they’re all still important.

According to AON, U.S. cyber insurers saw a 10% loss ratio increase due to ransomware in 2019. Cyber insurers are being forced to pay out more in claims than they had anticipated, leading to worsening loss ratios and, ultimately, diminishing profitability. Security performance ratings are one of the tools which will -- in the long run -- help to guide insurance premiums and to guide the insureds on how to adjust their programs to manage those ratings. Changes in insurance have forced substantial changes in other industries, such as the addition of seat belts and the low cost of “well visits.” As cyber insurance becomes a bigger piece of the insurance pie, executive interest in security is sure to grow.

BitSight is also seeing evidence that companies with well-run security performance management programs perform well in other areas. In conjunction with Solactive -- a German financial index provider -- we’ve found that companies that do well on their cyber ratings outperform their stock market peers by an average of 7%, with lower volatility.

Phil is right that this is not the only signal to which companies should pay attention. Without visibility into the inside of an organization, we can’t see everything that a company may have implemented. However, it’s also axiomatic that security has a nearly 0% unemployment rate. Teams are overwhelmed, overstressed and possibly unfocused. BitSight -- and presumably the other ratings vendors -- can help to provide insight into where to really spend time to improve overall performance.

This can help to elevate security within an organization. We’ve seen examples where customers have managed to reduce vendor onboarding time from 16 weeks down to a few days. That enables security to be part of the conversation and to be a business enablement function.

Useful view into population security

One of the advantages of the data that the cyber security ratings industry collects is that we can provide a bird’s-eye view of the current state of security across industries. BitSight has demonstrated this recently with our research into the NSA warning of weaponized attacks, our research into CMMC, and our research into the security of vaccine manufacturers, among others. Other vendors in the industry have also published their own research.

This research is more than just marketing fluff -- it provides a point of view on the most significant issues that companies need to prioritize in their cybersecurity programs. It’s the weather report or ADP jobs report for various countries, sectors, regions and attacks -- what’s the prognosis, and how severe is the issue?

Ratings are Not Perfect -- we continue to evolve; publicly

Phil rightly calls out that no rating is perfect and we all need to continue to improve. It’s not just in security ratings: For more than 20 years, two of the major credit bureaus thought that I had a credit card that had been opened the better part of a decade before I was born. I guess that’s the challenge of having the same first name and last name (although not the same middle initial) as my father!

BitSight has had an Ombudsman since the early days of the company and recently announced our Policy Review Board to promote the Principles of Fair and Accurate Security Ratings. This re-emphasizes your ability to get your free security report, your right to appeal, and your ability to understand the policy decisions that we’re making. False positives are an issue for this industry and something that we always need to improve. While our system is automated, we have a team of more than 40 people dedicated to hand curation (and continual improvement) of the data. We find that our false positive rate is extremely low (which is impressive on paper, but is little consolation to people who find information that’s wrong). One of the reasons that we announced the Policy Review Board is that we wanted to continue to express our desire for transparency -- and for your help in improving and maintaining the rating. When we have a common and accurate language, we are best positioned to help the security industry better allocate the $300B that is spent annually on managing overall security risk.

Eliminate Sketchy Marketing

Sketchy marketing is a reason that any industry can fail, or at least fail to get traction. As CMO, I’m personally connected to this one. I completely agree with Phil and absolutely don’t believe in sketchy marketing. If you think we’re too close to the edge or we’re making a claim you can’t believe, email me at j a y dot r o x e at bitsight dot com. I’ll either explain how we’re backing the claim or we’ll take it down. This industry is about establishing the trust needed to create a market, and sketchy marketing -- or the perception of it -- does nothing to advance that cause.

Wrapping it Up

Security ratings will never be an absolute measure of security -- even with an external point of view, internal sensors and cloud monitors, there could never be enough data. But they do provide a consistent, impartial, quantified language for measuring risk. This will be incredibly important as leaders try to evaluate how to secure their supply chain and communicate that throughout the organization. Without that conversation, we will remain the land of geeks and wizards, where CVSS scores and phishing results drive confusion and fail to make us better as a market and as an industry. Let’s make this the language of business and of managing risk.
