Security Rating Services, an essential tool for IT risk management
Strengths and shortcomings of digital risk management tools
Security rating services such as SecurityScorecard and Bitsight are anything but the umpteenth “nice-to-have” platform for security monitoring of your IT environment. Although they can be used for that purpose, they are primarily intended as a risk management tool to gain insight into the (public) security profile of other parties.
This means that an organization can use this tool both to improve its own profile and to get an idea of that of third parties. Given that governments, business partners, and competitors will also use it to get an idea of where you stand, the only possible conclusion is that this is by no means a non-committal fact. Any organization that has a market position or reputation to defend will have to include security rating services as an essential tool in its IT risk management and will have to take the necessary actions to get the most positive results from third-party evaluations.
What are Security Rating Services?
Security rating services are independent assessments of an organization’s externally observable safety and security profile based on publicly available information. This data comes from sources around the world, is correlated based on certain algorithms, and then divided into several categories from which an overall cybersecurity profile and associated scores are distilled.
They are the cyber equivalent of known credit ratings published by S&P, Moody’s, and Fitch, among others, and used in financial risk management for the credit rating of organizations, services, products, and nations. Security rating services are a risk management tool.
The market for providers of these services is still developing. The main players are currently SecurityScorecard, Bitsight, UpGuard, and Fico. Although all four offer demos and “light” subscriptions, this is a commercial service, i.e. paying.
What are they used for?
The purpose of security rating services is twofold: on the one hand, they can be used by organizations to understand and improve their own cybersecurity based on highly detailed information about observed strengths and shortcomings. On the other hand, they can also be used by third parties who wish to gain insight into the cyber profile of partners, suppliers, customers, and prospects.
For example, companies that offer cybersecurity insurances will rely on this type of service for the risk analyses and associated premiums for their customers.
Last but not least, they will also be used by governments and umbrella organizations to gain a better picture of the cybersecurity posture of critical national infrastructure and the organizations that fall under it.
Security ratings are therefore a particularly useful tool for any department that deals directly or indirectly with cybersecurity risk management.
Strengths and shortcomings
The main advantage of security rating services is that companies can get a quasi-immediate picture of the public cybersecurity profile of their own or third party organizations without time-consuming (and expensive) investigations, penetration tests, and/or audits. All you need is a subscription, a domain name, and you’re in business.
For the subscriber’s own organization it gives an abundance of details via handy dashboards and very detailed reports where and how things can be improved.
The main limitation of security rating services is that they only give an external “outside-in” view of an organization’s cybersecurity profile, and this can lead to a distorted picture of the real situation because there is no data known about the internal security, protocols, and procedures. In addition, the results are “point in time” snapshots that provide little or no insight into history or progress.
This is a knife that cuts both ways: a negative picture can emerge of some highly secure organizations because of a number of external elements that weigh heavily in the assessment, but have never been given high priority, or are themselves perfectly covered internally by other measures. Other companies may have focused attention on such criteria (“window dressing”) but may be a complete mess internally.
From this point of view, security ratings are no different from credit ratings: at the time of the financial crisis in 2007-2008, they were also completely off track in their assessment of certain CDOs or creditworthiness of nation-states.
Given the increasing weight of public security ratings in cyber risk management by governments, watchdogs, insurers, and business partners, no organization will in practice be able to avoid making the necessary efforts to prevent financial risks or damage to reputation and image. And where public security rating, in addition to compliance with laws and regulations, becomes an additional element in the – correct or incorrect – image of an organization’s digital safety and security profile.
Belgian companies can gain access to two of the previously mentioned security rating platforms, Security Scorecard and Bitsight, via a cyber insurance with AIG, among others, or via the Centre for Cyber Security Belgium (CCB). The latter offers companies that are not yet familiar with security rating services temporary access to the Bitsight platform until September 2020 in the context of the Corona crisis. Both platforms offer similar dashboards, particularly detailed reports and comparisons, scores in various categories, recommendations for mitigation and improvement, and how an organization is doing compared to other sector peers. The information provided is highly technical, making it unsuitable in practice for analysis and remediation by non-IT people. This access is not only temporary but also does not offer the full possibilities of a full subscription.
Security rating services can be used within an organization in several areas as an additional tool for IT security and digital risk management:
Perimeter IT security enhancement
Based on the detailed technical findings in rating dashboards and reports, targeted actions can be taken to improve IT security and reduce the external attack surface. This not only contributes to its own security but also, as an organization with an important social function, to the general level of cybersecurity (CSR) in Belgium.
Compliance and digital reputation
It is only a matter of time before governments, umbrella organizations, trading partners and other parties will require minimum security ratings, and this question will also be included in operating conditions, partnerships, and other agreements. This applies in particular to organizations that fall under the heading of critical infrastructure.
Today, security rating services are already being used by the CCB to map out the Belgian cybersecurity landscape. For this purpose, they work together with technology organization Agoria and the Federation of Enterprises in Belgium (Verbond van Belgische Ondernemingen, VBO).
For important purchases and suppliers, in addition to the classic financial credit checks on solvency, consideration could also be given to including certain minimum cybersecurity profile requirements in contract award conditions. Of course, it should be discussed with the departments involved in which cases and for which dossiers this could provide added value.
At Toreon, we have extensive experience working in both ICS and ICT environments and can bridge the gap between your IT and your OT . Want to know more? Get in touch with our experts.