The Evolution of CISOs and Security Ratings

In the CISO community, security ratings are usually loved or hated—there’s rarely a middle ground. I have many friends who want nothing to do with security ratings and others that use them as part of their core strategy. This is understandable in some sense because in the early days of ratings, many CISOs were frustrated by the huge number of false positives attributed to their company when they would do an assessment.

The ratings maturity curve

As with any technology however, security ratings have grown in maturity over the past decade. And companies like Security Scorecard have evolved their technologies and scoring methodologies to address unique market needs and resolve CISO frustration with security ratings. SecurityScorecard has worked diligently to ensure that its rate for false positives is less than 1%, so that customers and non-customers alike can be confident in their security ratings. And recently, Security Scorecard unveiled the industry’s first security ratings developed exclusively for Telecommunications, Internet Service Providers, and Cloud Providers that addresses industry feedback and requests for more tailored approaches to their unique digital ecosystem.

The evolving role of the CISO

Just like security ratings, the role of the CISO has evolved to become more strategic at prioritizing threats and vulnerabilities, especially in the wake of the SEC charges against SolarWinds and their CISO for defrauding investors.

This SEC action highlights the increased scrutiny on corporate cybersecurity practices and holding C-Suite officers personally liable for gaps in those practices. CISOs have always shouldered a great deal of responsibility, but we haven’t always had the authority to go along with that responsibility. I think we are now going to see a seismic shift in how security issues and investments are prioritized, especially when the CISO presents them to an executive team or board. Things will be messy for a while—which may even create friction between the CISO and the CEO—but I believe these recent enforcement trends will be largely positive and move the industry forward.

Navigating third-party risk

SecurityScorecard’s report with the Cyentia Institute found that 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years. That’s incredibly important because third-party cyber risk has become a major cybersecurity issue, causing some of the biggest breaches in recent history—SolarWinds, Log4j, and MOVEit, just to name a few.

Cyber criminals are evolving their techniques to undermine companies’ bottom lines and reputations, while nation states are capitalizing on geopolitical uncertainty to launch their own cyberattacks targeting critical infrastructure. We saw several massive supply chain attacks last year, whose effects will likely be reverberating well into 2024, and organizations globally must pivot accordingly. As a result, organizations must not only re-examine their own security practices, but those of their vendors and third-party suppliers as well. Staying proactive is the key to staying cyber resilient.

Speaking the same language

Last year, the White House launched its National Cyber Strategy, which promises to take a data-driven approach to cybersecurity. To that end, cybersecurity leaders across both the public and private sectors need to ensure they have trustworthy, reliable data that measures not only their cyber resilience, but the effectiveness of their cybersecurity programs. Implementing cybersecurity frameworks, such as the NIST CSF, is an excellent starting point. Frameworks can help CISOs communicate more effectively with boards and executives, by making cyber risks both tangible and understandable

Security ratings are another way to speak a common language. A standardized metric for measuring cyber health is in high demand in today’s digital landscape. Cybersecurity ratings serve as that universal measurement, by enabling board members and security practitioners to communicate effectively.

For a deeper dive into these topics, listen to my interview on the Cybercrime Magazine Podcast.