Posted on Apr 26, 2018
As malicious attacks evolved in 2017, new attack vectors led security professionals, compliance managers, executives, and boards of directors to seek new ways of evaluating their ecosystems. Quantifying risks overtook qualifying risks. Security professionals drummed into their organizations the impossible dream of fully locking down environments. As the dawn of GDPR rises on the horizon, CISOs, CTOs, and the rest of the C-suite must work together to monitor and protect data.
The new Forrester Consulting report, Security Ratings Set the Standard: Security Ratings Are a Valued Strategic and Operational Component of a Robust Security Program, details the increased value of security ratings as a measure of both an organization's security and that of its vendors.
Its list of findings notes that the complexity of the current threat landscape matches its dangers. It also states that more companies are incorporating security ratings platforms, and that their security ratings provide competitive advantages. The increased complexity of the threat landscape requires tools that help security professionals track infrastructure risks.
Competitive security mirrors competitive business practices. C-level executives know that market research drives better financial results. Likewise, tools that research enterprise and vendor risk drive better security results. Security ratings platforms show organizations their weaknesses, helping them better protect themselves and their customers. Moreover, security ratings platforms use machine learning, which allows them to update their metrics and thus better forecast business risks and security investments.
Organizations can no longer base security strategies on guesswork alone. They must remain focused on their business operations to drive risk tolerance. They also need to be thoughtful about how they monitor the risks they accept or mitigate.
Identifying information assets and mapping controls to frameworks still matter. Companies need to show information protection, not just say it happens. Controls break. IT departments remain overwhelmed by large numbers of alerts. Managing the onslaught of information makes triage difficult.
In the last few years, organizations have turned to security ratings platforms to help fill these informational gaps. Forrester noted that 56% of respondents used security ratings services to track third-party risk. Interestingly, however, 53% used the metrics for Board reporting, and 53% used them to measure security program effectiveness. Security ratings platforms show companies how the outside world views their security posture using easy-to-digest reports.
These outside insights allow organizations to supplement their vulnerability monitoring. Most vulnerability scanners review problems with individual devices and their weaknesses. More expensive options help with ongoing reviews. At a minimum, organizations should run vulnerability scanners annually or semi-annually. Even for those who perform continuous monitoring, vulnerability scanning often only reviews a segment of a company's environment.
Security ratings platforms cover more than just devices. Not only do they review patching cadence, but they also consider public information about the company's security stance. For example, SecurityScorecard identifies information exposed as part of a data breach along with social engineering risks including corporate account information used for social networks as well as marketing lists that attackers can exploit.
Vulnerability scanners see into individual devices. Some products, like Microsoft Baseline Security Analyzer, provide information about specific operating system weaknesses. Security ratings platforms supplement those tools by indicating hidden weaknesses that might otherwise go unnoticed.
According to the Forrester report, 29% of companies not currently using security ratings platforms plan to test drive one within the next year. Moreover, 41% of respondents not using one yet plan to implement usage within the next two years.
Organizations currently using security ratings platforms unanimously affirmed the return on investment. While 91% noted that ROI met expectations, 55% felt ROI exceeded expectations. The 107 North American enterprise and compliance technology professionals surveyed agreed the platforms better enabled threat intelligence, security posture, business resilience, and security investment prioritization.
As a newer technology, security ratings platforms may pose problems for organizations. Security professionals want to understand the gaps these platforms fill, as well as to hear peer use cases. The value-add discussed in the Forrester report indicates that security professionals using security ratings platforms feel the return on investment met their needs. Thus, as more professionals engage in discussions about platform usage, more will look to strengthen their security posture using them.
While professionals agree that security rating platforms add value, many may not be able to differentiate between platforms.
The Forrester report noted that predictive capabilities, third-party risk visibility, and compliance tracking tied for the most valuable feature. Security ratings platforms traditionally sell themselves based on vendor risk management capabilities because those make the most sense to customers. Looking at vendor security ratings allows the organization to determine risk tolerance and security management alignment.
However, compliance and predictive capabilities are on the path of becoming critical as GDPR may set a benchmark for future regulatory requirements. Whether or not additional regulations prove as burdensome as GDPR, more legislative actions are emerging, arising from the increased number of breaches over the past few years.
Compliance requirements traditionally incorporate ongoing monitoring. At present, many organizations are aware that using vulnerability scanning leaves gaps in monitoring. Annually, organizations undergo audits or penetration testing to verify security. However, those point-in-time reviews also create gaps in monitoring. Security ratings platforms help enable compliance efforts because they allow organizations to review and record their stance. The ongoing monitoring requirements become more burdensome as attack vectors increase. Therefore, automated tools to ease the compliance strain allow security professionals more time to focus on risk mitigation and vulnerability triage.
Thus, security insights and compliance are the future of security ratings platform usage. Platforms offering predictive or forecasting capabilities provide first-line defensive capabilities. For example, a platform should give insight not only into the correlated risks inside an ecosystem, but also into the uncorrelated dangers affecting it. When reviewing platforms, companies should determine whether their options incorporate small risks within the ecosystem that can aggregate into a more significant threat. Attackers monitor exploits that individually may be small, but which can be used to attack all vulnerable companies. If attackers can exploit multiple vendors, then any organization faces the imminent danger of data corruption and loss of classified information.
With hackers finding new ways to attack third parties in hopes of infecting a larger organization, the third-party ecosystem is more fragile than ever before.
The purpose of IT security risk assessment is to determine security risks to your company’s critical assets, and how much funding and effort should be used in their protection. Get started with SecurityScorecard’s step-by-step guide to managing your cyber risk.