The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2024

Case Study April 25, 2024

SecurityScorecard has been great for us. We’ve had a wonderful experience, and I’m a big evangelist.

My name is Brad Coppel. I work for Cintas Corporation out of Cincinnati, Ohio. I have responsibility for our GRC practices and our IT security verification and validation. So we run a relatively lean IT security organization.

We’ve grown significantly over the last couple of years. We’ve really tried to build up the program, so risk management is not something that’s been a very mature practice at Cintas. We’ve been able to leverage SecurityScorecard to help us kinda establish a program and then use it to continue to grow. We evaluate our success really by some key metrics that we’ve established.

So our chief information security officer is very closely monitoring what we’re doing. He stays informed. He’s regularly looking at some of the key metrics we report out. And really, it’s just helping to protect the enterprise.

It’s actually interesting the way we kind of became a SecurityScorecard customer. Our chief information security officer was meeting with our CIO and cyber insurers. And one of the cyber insurers said, hey, Cintas, your SecurityScorecard score isn’t very good. And so our chief information security officer came back to me and said, go look at it, figure out why our score is bad, and figure out how we can go and improve it.

We really kind of made a concerted effort to focus on improving that just for the self-monitoring. And within about two to three months, we had raised our score into the nineties. We’ve consistently been at a ninety-six or ninety-seven score over the last year now. Then when we said, okay, we are comfortable with the self-monitoring and we’re ready to expand and grow into the third-party risk management, we actually went ahead and researched a number of tools.

So SecurityScorecard was one of them. We also looked at three of the competing products, put together a weighted scorecard to evaluate them, and then came out and ultimately selected SecurityScorecard. So prior to having Scorecard, we really had a lot of manual processes. So in terms of our overall evaluation, we didn’t have a single pane of glass that you could look at and say, here’s how we’re doing overall as an enterprise.

We would have different vulnerability scans that we would run. We would periodically engage different vendors to do third-party assessments. We would, of course, leverage our internal talent to look at how we thought we were doing, but there wasn’t that outside rubric that we could say, hey, we’re doing well and we can prove it because this third-party group has evaluated everything and done that. So SecurityScorecard’s been really nice from that perspective, not just allowing us to figure out the items and the issues that need to be addressed, but it’s also been a great tool for us to be able to report that out to senior management.

From the time we became a paid customer, we were really able to hit the ground running very fast with Scorecard. So we started off essentially piloting it with a few of our IT security vendors, evaluated them, got their initial feedback to help us figure out how to better craft our message, and then have been expanding that over the last six months.

And one of the things that I’ve really appreciated and was kind of a nice win for us was when we started expanding the use of the third-party risk management outside of just the IT security vendors. So we met with our supply chain division, had a conversation with them, said, hey, can you please provide us a list of who your most critical vendors are? We’d like to be able to do some research on them. We were able to pull them up in SecurityScorecard, were able to get high-level information as well as the details very quickly, and then had that conversation with our sourcing managers and sourcing directors to say, hey, you’ve listed this vendor as critical to Cintas. Do you realize their overall security posture is being scored as a D right now?

And so we were then able to have that conversation with the business in terms they could understand and say, we’re not telling you you can’t do business with them. We’re just highlighting this as a risk of which you should be aware. And then our sourcing team were able to then engage their vendors because they already have that relationship and say, hey, Cintas IT Security is saying there are some concerns. Can you look into this? Can you address them? And we had a number of vendors who quickly responded and said, hey, we actually agree with those findings. Thanks for letting us know. We’re already addressing them. If you check our score in two weeks, you should see an improvement. So that was a really nice win, not just from an IT security perspective, but organizationally as well.