Security Ratings 101: Interactive Guide

View our guide, 'Cybersecurity 101: Security Ratings Explained' to learn all about security ratings.

In the 1950s, the first automated systems for quantifying individual credit risk came to market. Their developers wanted to replace the qualitative, inaccurate, costly processes that lenders were using at the time. Today, credit scores are the primary measurement of creditworthiness used throughout the world.

In 2010, MIT researchers Stephen Boyer and Nagarjuna Venna set out to create a “credit score” for cyber risk. They identified similarities between the outdated risk assessment practices used by lenders in the 50s and the subjective, point-in-time risk assessment practices used by cybersecurity teams today.

In their initial National Science Foundation grant application, Boyer and Venna wrote: “Businesses typically rely on costly and time-consuming cybersecurity audits to inform them about the potential cyber and ensuing business risk of [a vendor] relationship.” Their objective was to “develop a scoring methodology that is credible, predictive, scalable and principally automatable.”

Funding in hand, Boyer and Venna founded BitSight — the company that would go on to pioneer security ratings.

Meanwhile, the importance of BitSight’s work was becoming clear. Massive, highly visible data breaches at companies like Target and The Home Depot were traced to a lack of third-party cybersecurity controls. Regulatory pressure to do something about third-party risk increased in many industries.

Following these high-profile breaches, cybersecurity professionals started looking at their third-party risk management programs and realizing that the status quo wasn’t sustainable. They sought a solution that could fill the gaps in their programs. Today, security ratings are a core component of cybersecurity programs at many leading businesses and government agencies.

Importantly, security ratings have proven useful for more than just analyzing third-party vendor risk.

Many security and risk leaders find security ratings invaluable for reporting cybersecurity results to their Boards of Directors. Businesses have taken to using their own ratings as a measure of performance, and have used industry averages and competitor ratings to inform goal setting and decision making. Cyber insurance underwriters use security ratings to assess their applicants’ risk profiles. Private equity firms use ratings in their assessments of current investments and acquisition targets.

Increased adoption of security ratings has been followed by increased competition. BitSight remains the largest security ratings services (SRS) vendor, but other providers have begun vying for market share as well.

Security ratings are a data-driven, dynamic measurement of an organization’s cybersecurity performance. Ratings are derived from objective, verifiable information and created by independent organizations.

Security ratings can be thought of as key performance indicators: one metric, typically a number, represents an organization’s overall cybersecurity performance. Some SRS providers make it possible to acquire more specific ratings for certain risk vectors as well.

Security ratings are a continuous monitoring solution. They’re automatically generated and updated frequently, so they represent a near-real-time analysis of cybersecurity posture.

Critically, security ratings are also a common language that can be spoken by both technical and non-technical individuals. In this way, security ratings enable conversations between cybersecurity/IT professionals and other members of an organization that can improve decision making.

Some security ratings have been proven to correlate with data breach risk. For example, independent research shows that BitSight Security Ratings correlate to data breaches — companies with a BitSight Security Rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.

All security ratings are based on objective, externally observable, continuously available information. Each security ratings services provider uses different data to generate its ratings. However, these data points fall broadly into four categories: compromised systems, diligence, breach events, and user behavior.

Compromised Systems

Diligence

User Behavior

Public Disclosures

Some SRS providers will only use data from one of the categories detailed above. Some will use all four. No matter how much data is used, all of it is collected via the internet, either through the SRS providers’ own research and systems or from vetted third-party sources. SRS providers do not perform penetration tests or malicious attacks on company networks in order to collect information.

Collecting data is only the first step in calculating a security rating; the data must then be mapped to individual organizations.

On the open internet, it’s not clear which data points belong to which business units, governments, or individuals. One critical function performed by any security ratings services provider is to analyze data using a combination of automated processes and manual techniques to create organizational maps.

These maps show the ratings algorithm which data points are relevant to which organization, enabling the creation of an accurate security rating.

Not all security ratings provide the same accuracy or level of risk insight. Each security ratings services provider has access to different data sets and different mapping techniques. Each provider’s ratings are also based on a unique mix of data points (e.g. 60% compromised systems, 30% diligence, 10% user behavior).

Security ratings are used to assess the cybersecurity of external organizations like vendors, investment targets, or insurance applicants. They’re also used to assess internal risk and improve communication around cybersecurity performance.

The original application of security ratings was to improve third-party risk management (TPRM). In this area, quality security ratings give cybersecurity professionals the confidence to make faster, more strategic risk management decisions.

In TPRM, security ratings supplement and sometimes replace traditional vendor risk assessment techniques, such as questionnaires, on-site visits, and penetration tests. These techniques are relatively subjective, time-consuming, and (most importantly) only produce results for a single point in time.

In the increasingly connected global economy, the blind spots created by traditional third-party risk management techniques simply aren’t acceptable for many businesses.

As continuous, objective measures of an organization’s cybersecurity posture, security ratings introduce a new TPRM technique to increase visibility, improve monitoring capabilities, and add a layer of quantification. They reduce the burden on TPRM teams during vendor selection, onboarding, and monitoring, enabling more comprehensive and frequent analysis.

Security ratings give cybersecurity teams the ability to instantly identify the vendors they should be focusing on. Instead of applying the same amount of resources to assessing each vendor, they can quickly see a list of vendors with the lowest security ratings and target them for additional analysis. Many security ratings platforms can also be set to notify users when a third party’s rating rises above or falls below a chosen threshold.
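The mechanics described above and in the data section earlier (collect externally observable data points, map them to organizations with an organizational map, combine the categories with a provider-specific weighting, and notify when a rating crosses a threshold) can be seen end to end in a small toy pipeline. This is an added example written for this guide, not BitSight’s algorithm or any provider’s methodology: the 250 to 900 rating scale, the organizational map entries, the observations and their severities are constructed assumptions, while the 60/30/10 category mix and the 500/700 thresholds are the figures the guide itself quotes.

```python
"""Toy security-ratings pipeline: attribute observations to organizations, weight the
categories, alert on threshold crossings. Added example, not a real provider's method."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical rating scale (assumption; real providers define their own ranges).
RATING_MIN, RATING_MAX = 250, 900

# Category mix from the guide's illustration: 60% compromised systems,
# 30% diligence, 10% user behavior.
WEIGHTS = {"compromised_systems": 0.6, "diligence": 0.3, "user_behavior": 0.1}

@dataclass(frozen=True)
class Observation:
    category: str    # one of the WEIGHTS keys
    asset: str       # IP address or hostname as seen on the open internet
    severity: float  # 0.0 (negligible) .. 1.0 (worst); constructed scale

@dataclass(frozen=True)
class OrgMap:
    """Organizational map: which netblocks and domains belong to which organization."""
    name: str
    networks: tuple  # CIDR strings
    domains: tuple   # registered domains (subdomains are matched by suffix)

def attribute(obs, org_maps):
    """Return the owning organization for an observation, or None if unmapped."""
    try:
        addr = ip_address(obs.asset)
    except ValueError:
        addr = None
    host = obs.asset.lower()
    for org in org_maps:
        if addr is not None:
            if any(addr in ip_network(net) for net in org.networks):
                return org.name
        elif any(host == d or host.endswith("." + d) for d in org.domains):
            return org.name
    return None

def category_scores(observations):
    """Per-category score in [0, 1]: start at 1.0 and subtract each finding's severity."""
    scores = {c: 1.0 for c in WEIGHTS}
    for obs in observations:
        if obs.category in scores:
            scores[obs.category] = max(0.0, scores[obs.category] - obs.severity)
    return scores

def rating(observations):
    """Weighted composite of the category scores, projected onto the rating scale."""
    scores = category_scores(observations)
    composite = sum(WEIGHTS[c] * scores[c] for c in WEIGHTS)
    return round(RATING_MIN + composite * (RATING_MAX - RATING_MIN))

def rate_all(observations, org_maps):
    """Map every observation to an organization and rate each; unmapped data is returned separately."""
    per_org = {org.name: [] for org in org_maps}
    unmapped = []
    for obs in observations:
        owner = attribute(obs, org_maps)
        (per_org[owner] if owner else unmapped).append(obs)
    return {name: rating(obs_list) for name, obs_list in per_org.items()}, unmapped

def threshold_alerts(previous, current, thresholds=(500, 700)):
    """List (org, threshold, direction) for each threshold crossed between two snapshots.
    500 and 700 are the cut-offs the guide cites for its breach-likelihood comparison."""
    alerts = []
    for org, new in current.items():
        old = previous.get(org)
        if old is None:
            continue
        for t in thresholds:
            if old >= t > new:
                alerts.append((org, t, "dropped below"))
            elif old < t <= new:
                alerts.append((org, t, "rose above"))
    return alerts

# Constructed sample data (documentation-only address ranges and .example domains).
ORG_MAPS = (
    OrgMap("Acme Logistics", ("203.0.113.0/24",), ("acme-logistics.example",)),
    OrgMap("Globex Payments", ("198.51.100.0/25",), ("globex.example",)),
)
OBSERVATIONS = (
    Observation("compromised_systems", "203.0.113.17", 0.30),       # sinkhole beacon from Acme space
    Observation("compromised_systems", "203.0.113.44", 0.30),
    Observation("diligence", "mail.acme-logistics.example", 0.20),  # e.g. weak mail-auth configuration
    Observation("user_behavior", "198.51.100.9", 0.10),
    Observation("diligence", "www.globex.example", 0.10),
    Observation("compromised_systems", "192.0.2.250", 0.50),        # belongs to no mapped organization
)

if __name__ == "__main__":
    ratings, unmapped = rate_all(OBSERVATIONS, ORG_MAPS)
    print(ratings, f"({len(unmapped)} unmapped observation(s))")
    print(threshold_alerts({"Acme Logistics": 720, "Globex Payments": 860}, ratings))
```

Two design points carry over to real programs: the observation that maps to no organization is kept rather than silently dropped, because mapping quality is exactly what separates providers, and the weighting lives in one table so that a different provider mix (or the fourth category, breach events) is a configuration change rather than a code change.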

Another important note: security ratings can be shared with vendors to improve remediation efforts. Some SRS platforms offer users the ability to invite their third parties into the system to view their profiles and see which factors are negatively impacting their ratings. Users have reported massive improvements in the average cybersecurity posture of their vendors after sharing their security ratings.

OTHER THIRD PARTIES

Third-party risk management programs are typically charged with assessing and monitoring the security of vendors and data partners. However, some organizations have extended this sphere, using security ratings to assess other kinds of third parties.

Cyber insurance companies have adopted security ratings as a key component of the underwriting process. BitSight reports that nearly 50% of cyber insurance premiums in the market are currently written by its customers.

Many companies, especially those in the venture capital and private equity spaces, use security ratings as part of their M&A due diligence processes. This has significantly reduced the time it takes to complete assessments of potential M&A targets and portfolio companies. Firms also use security ratings to continuously monitor the security posture of their investments after the deal closes.

Today, security is becoming a critical competitive issue, alongside classic differentiators like price and performance. Demonstrating strong cybersecurity is becoming critical to winning and maintaining business.

Perhaps as a result of this shift, security ratings have expanded beyond their original use case as a third-party risk management solution. Now, many organizations use security ratings to monitor and manage their own cybersecurity performance.

Security performance has historically been difficult to quantify. Specific technical metrics like the number of ports closed, software patches made, or botnet infections in a system are too narrow to reflect security performance as a whole. Meanwhile, overall metrics like number of confirmed incidents involve too many variables.

With security ratings, security and risk leaders finally have an objective, independent, and broadly adopted key performance indicator to continuously assess security posture, set goals, track progress, and report meaningful information to executives and the Board.

Using security ratings helps security leaders take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program. Through broad measurement, continuous monitoring, and detailed planning and forecasting, organizations are able to measurably reduce their cyber risk.

Security ratings enable improved prioritization of cybersecurity tasks, resulting in more effective resource allocation. By diving into the individual risk vectors that make up a security rating, a CIO or CISO can determine (in near-real-time) which areas are exposing their organization to the greatest amount of cyber risk.

Rather than spend time and money receiving diminishing returns on areas where their performance is rated as good or excellent compared to their peers, security leaders can shift resources into areas with more critical need.

As an easy-to-understand, standardized language of cybersecurity, security ratings allow for data-driven conversations among key stakeholders, including the security team, executives, Board members, regulators, investors, and key business partners. Using security ratings, budgets and other key decisions can be made with clarity.

Security ratings can also be used for benchmarking. By comparing the organization’s current security rating to past performance, security leaders can accurately gauge whether or not their team’s efforts are paying off. This same technique can be used to assess the ROI of expensive cybersecurity technologies or services.

Because security ratings are standard and externally observable, they can also be used to compare an organization’s performance against peers, competitors, or industry averages. Some SRS providers make convenient industry benchmarks available in their platforms.

Not all security ratings are equally effective at determining cyber risk. Each security ratings services provider has their own data, methodology, network, and service options.

Selecting a security ratings services provider requires going beyond standard vendor selection considerations like reviews and cost. An understanding of how security ratings work is necessary to determine which ratings will give you the most accurate picture of cyber risk.

BitSight collects best-in-class security data through the largest proprietary data set of any security ratings provider and exclusive partnerships with proven global organizations. Using more than 120 data sources, we provide comprehensive insight into an organization’s security posture to rate performance and identify areas of risk.

At BitSight, the data that goes into your rating belongs to your organization. As the pioneer of the security ratings industry, we have led the charge in creating transparency-first rating platforms. As an organization, we are proud of our independence and objectivity and are committed to applying our process consistently and uniformly.
