Blog December 19, 2023

Applying the Churchill Knowledge Audit to Cybersecurity: The Importance of Security Ratings

by Andrew Jaquith, Board Advisor

When FedEx founder Fred Smith attended Yale in the mid-1960s, he wrote an economics paper describing the concept of overnight delivery of packages by air. His professor infamously gave him a “C” grade because he viewed it as implausible. But Smith knew something his professor didn’t—and it was an idea that would change the way the business world worked forever. I bring this story up for two reasons. For one thing, I worked for FedEx and learned a lot from my time there. But more crucially, the lesson of Smith’s paper is that complacency gets us nowhere. We should always look for better ways to do things more efficiently.

As a CISO, I am frequently pitched by companies promising to transform or revolutionize my job. I shrug off most pitches because they don’t add any value to what I’m doing. But every once in a while, an organization comes along that offers something new.

An introduction to security ratings

When SecurityScorecard first introduced security ratings over a decade ago, it created an entirely new market—but one that needed creating. Before security ratings, it was difficult to measure cybersecurity in a tangible, consistent, and straightforward way. If I needed to know something about a vendor or prospective client, I’d have to ask them—and trust that they were telling me the truth.

Security ratings form conclusions about a company’s program, using observed and empirical data about a company’s security. They are analogous to financial credit ratings. Just as poor credit ratings are associated with greater probabilities of default, poor security ratings are associated with higher probabilities of sustaining data breaches or other adverse cyber events. SecurityScorecard “A to F” letter grades measure and validate organizations’ security posture and supply chains in real time. Factors affecting the score include externally observed network exposures, public breach records, potential malware exploits, patching cadence, encryption settings, DNS records, security configurations, and others. According to SecurityScorecard, companies with an “F” rating are an order of magnitude more likely to sustain a data breach than companies with an “A.” This feels right to me, because if a company’s external network is a mess, it’s likely the rest of their program is too.

Some colleagues of mine in the CISO community are skeptical about the value of Security Ratings. They object that because a company’s security rating is driven primarily by publicly available information, the entirety of the program isn’t well-represented. Some might dispute errors in attribution (“that’s not my IP address”) or timeliness (“we fixed that months ago”) that affect security scores. In the early days of security ratings, it was harder than it should have been to fix attribution or timeliness errors. But as someone who uses security ratings regularly, I can say with confidence that neither objection remains true.

Using security ratings to benefit your program

CISOs can benefit from security ratings if they know how to use them properly. How do I use them? In four ways:

  • Benchmarking. In my sector, how am I doing relative to my peers? Bragging rights aren’t important. But if I know the sector average is B-, and I’m at an A or better, I’ve got something positive to tell my team. I can also feel a bit more confident that threat actors targeting my sector might rattle some other firms’ doors before they try mine.
  • Tool calibration. SecurityScorecard’s “digital footprint” helps me understand my external attack surface better because I can compare it to what I’m getting from other tools. For example, I may not know all of the microsite domains the business units are running. Having an independent check helps me ensure that my data is complete.
  • Client relations. Many clients’ third-party risk teams use security ratings to screen their vendors or find obvious red flags. If I’ve removed external weaknesses and in so doing, received a good score, I can avoid needing to have distracting conversations with clients.
  • Supplier oversight. A recent study found that 98% of organizations do business with third parties that have suffered breaches. Observable data about my suppliers’ own dependencies (“who’s using that version of NetScaler?”) means that follow-ups by my team can be more targeted and efficient.

In short, I use security ratings to help me better understand how my company appears to the outside world. It rounds out my knowledge of the firm’s external posture by making it more complete and accurate. It serves as an informal “knowledge audit,” similar to what Winston Churchill would ask himself when diagnosing surprises or failures:

  • Why didn’t I know?
  • Why didn’t my advisers know?
  • Why wasn’t I told?
  • Why didn’t I ask?

If Churchill were alive today, I think he’d be rather confused about the Internet, but I think he’d approve of Security Ratings.

Stay tuned here as my fellow advisors and I take turns offering our thoughts on the current state of cybersecurity.
