Simplifying Vendor Selection Criteria Using Security Ratings

Debunking Security Rating Myths

Ponemon Institute’s study, Data Risk in the Third-Party Ecosystem, highlights the challenges that companies face in protecting sensitive and confidential information shared with third parties.

  • Of the respondents surveyed, 37 percent do not believe their primary third-party vendor would notify them if it experienced a data breach involving sensitive and confidential information.
  • 73 percent of respondents do not believe an Nth party vendor would notify them if they had a data breach.
  • 49 percent of respondents said they had already experienced a data breach caused by a vendor that resulted in the loss or misuse of sensitive or confidential information.

Given those numbers, it is no surprise that the study also found little confidence in third parties' data safeguards and security policies and procedures, or in whether their security posture is sufficient to respond to data breaches or cyber-attacks.

As companies rely more on outsourcing to grow, 73 percent of respondents expect the number of cybersecurity incidents involving third parties to increase as well. It has therefore become more important than ever for a company to understand the risk a vendor poses to its business before entering a relationship and granting the vendor access to its networks and data. One established approach, in use since 2011, is incorporating vendor security ratings into the vendor selection process.

Measuring Supplier Selection Criteria

A rating system analyzes the potential risks a prospective vendor poses to your company and condenses them into an easy-to-understand rating. For example, with Bitsight, companies with a rating of 400 or lower are five times more likely to have a breach than companies with a rating of 700 or more. Rating systems provide data-driven clarity on the security performance of companies and their vendors, insureds, acquisition targets and more, and let a company see which of its vendors are doing a better job in each of the subcategories the rating system measures.


Security ratings have become integral to vendor risk management programs. In vendor selection, they give an organization a sense of a third party's security posture without prior engagement, whereas other assessments such as vulnerability scans and penetration tests usually require the third party's consent. As regulation around third-party risk management has increased across industries, organizations are increasingly turning to automated security ratings as a means of monitoring third-party security.

Other security rating use cases include:

  • Reporting To The Board: A company's board must do its part to secure the future of the organization. In Cybersecurity: What the Board of Directors Needs to Ask, a 2014 study by The Institute of Internal Auditors Research Foundation, only 14 percent of board respondents said they were actively involved in the company's cybersecurity preparedness. Security ratings have made it easier to present third-party risk assessments to boards in an easy-to-understand format.
  • Benchmarking Security Performance: Organizations, from universities to private companies, use security ratings to benchmark their security posture against peers and mitigate cyber risk, including risk from peer-to-peer file sharing activity on their networks.
  • M&A Due Diligence: A data breach can happen right before or right after an acquisition. A rating lets you monitor the target until the networks are combined, confirming that the acquired company's security posture has not deteriorated since the acquisition process began.

Security ratings also give a company and its vendors a benchmark to improve against, and let a company set rating thresholds that a vendor must meet or exceed to keep the business it is contracted to do.

Some of the questions a rating system should be able to answer, and which help you select vendors, include:

  • Does the organization have controls in place to identify and prevent botnet infections?
  • Is spam being sent from the organization’s mail servers?
  • Has the organization prevented malware infections designed to harvest data, abuse company resources and spread across its network?
  • Are devices with potentially unwanted software, such as adware, spyware and remote access tools, present on its network?
  • Are hosts on its network contacting other services in an irregular manner?
  • Are credentials from the organization circulating on the internet after a disclosure?

Ratings Provider Selection Process

When choosing a provider and its security rating service, you should look for three things:

  • Objectivity — A rating should always be objective and unbiased, not tailored to any one business, company or industry.
  • Verifiable Data — The data and the underlying analysis behind a rating should be confirmable, so that a company receiving a rating understands what it means. Ratings should give an accurate picture of an organization's security posture, verifiable by a neutral third party if necessary.
  • Actionable Information — The rating should support critical business decisions, such as onboarding a vendor, selecting a vendor or terminating an existing vendor relationship.

When evaluating the rating system itself, data quality is the first component to consider. Ask the ratings provider which data feeds it uses to compute a rating and how reliable they are.

Also find out what information is made available to customers and to other parties involved. A ratings provider should disclose data responsibly and not share anything that could put rated companies at risk.

Make sure the ratings platform is easy to use and supports collaboration. If a vendor's security rating shows a security event on its network, you should be able to ask within the platform why the infection occurred. Conversely, a company that sees an infection flagged on its guest network should be able to explain to its business partners, in the same platform, how that guest network is segregated from its core network. This context is invaluable for vendor selection; without it, businesses may make vendor decisions on a limited or inaccurate view of a company's security posture.

Along with responsive customer service for security ratings questions, the rating system should have an appeals process. If a business believes a rating is inaccurate, for example because of an IP mapping issue (an address range wrongly attributed to it), it should be able to request a review of the rating.
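Both the guest-network explanation and the IP-mapping appeal above come down to one check: does each finding the ratings platform reports actually sit inside the address ranges the rated company owns, and in which network segment? The following Python is an added example, not code from the original page or from any ratings provider. It assumes a hypothetical vendor footprint (two RFC 5737 documentation ranges split into "core" and "guest") and a constructed finding feed in the rough shape of (observed IP, finding category, evidence source); it buckets findings by segment, so the vendor knows what to fix, what to explain as guest-network activity, and what to appeal as a mapping error.

```python
import ipaddress

# Constructed footprint for a hypothetical vendor. The ranges are RFC 5737
# documentation space and are illustrative, not real allocations.
VENDOR_FOOTPRINT = {
    "core":  ["203.0.113.0/25"],
    "guest": ["203.0.113.128/26"],
}

# Constructed finding feed in roughly the shape a ratings platform exposes:
# (observed IP, finding category, evidence source). Not real data.
EVENTS = [
    ("203.0.113.10",  "botnet_infection",         "sinkhole"),
    ("203.0.113.20",  "spam_propagation",         "spamtrap"),
    ("203.0.113.140", "potentially_unwanted_app", "p2p_crawl"),
    ("198.51.100.7",  "spam_propagation",         "spamtrap"),  # outside footprint
    ("not-an-ip",     "botnet_infection",         "sinkhole"),  # malformed record
]


def build_networks(footprint):
    """Flatten {segment: [cidr, ...]} into (segment, network) pairs, most
    specific prefix first so overlapping ranges resolve deterministically."""
    nets = [(seg, ipaddress.ip_network(cidr, strict=True))
            for seg, cidrs in footprint.items() for cidr in cidrs]
    return sorted(nets, key=lambda pair: pair[1].prefixlen, reverse=True)


def attribute(ip, networks):
    """Return the segment an IP maps to, or None if it is outside the declared
    footprint or unparsable (both are candidates for an IP-mapping appeal)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for seg, net in networks:
        if addr in net:  # False across IPv4/IPv6 versions, so no mismatch error
            return seg
    return None


def triage(events, footprint):
    """Bucket findings by segment: fix core findings, explain guest ones,
    appeal the rest."""
    nets = build_networks(footprint)
    report = {seg: [] for seg in footprint}
    report["unmapped"] = []
    for ip, category, source in events:
        seg = attribute(ip, nets) or "unmapped"
        report[seg].append({"ip": ip, "category": category, "source": source})
    return report


def appeal_candidates(report):
    """IPs the vendor cannot own: outside its footprint or not valid addresses."""
    return [finding["ip"] for finding in report["unmapped"]]


if __name__ == "__main__":
    result = triage(EVENTS, VENDOR_FOOTPRINT)
    for seg, findings in result.items():
        print(f"{seg}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['ip']:>16}  {f['category']:<26} via {f['source']}")
    print("appeal:", appeal_candidates(result))
```

Run it as-is to see the three buckets; in practice you would feed it the provider's exported findings and your own IPAM data. Sorting by prefix length matters when a guest range is carved out of a larger core block, since the more specific guest prefix must win.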

A rating service platform should be easily understood and intuitive for anyone using it, whether a risk professional briefing the board or a board-level executive talking to security engineers.

For more information about security ratings, visit, or download its guide: A Security Manager’s Guide to Vendor Risk Management.