Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture and cybersecurity performance. To learn more about the benefits of security ratings, we speak to Christos Kalantzis, Chief Technology Officer at SecurityScorecard.
Security magazine: What is your title and background?
Kalantzis: As CTO at SecurityScorecard, I’m responsible for driving the company’s technology vision and development of its cybersecurity risk rating and management solutions. Previously, I built and led engineering teams for FireEye, Tenable, Netflix, and YouSendIt. I grew up in Montreal, Canada, where I started my career as a DBA for companies such as Matrox, CGI, Sync, and InterTrade.
Security magazine: Can you explain the concept of security ratings?
Kalantzis: Security ratings grade an organization’s security performance by how well it protects information while providing key indicators of their internal and third-party risk, enabling companies to be more cyber resilient.
Similar to where a consumer credit reporting agency reviews financials to assign a credit score, security ratings organizations take an “outside-in” view of a company's security posture and assign a security score by evaluating whether or not the company can protect its data assets from data breaches. Organizations with a higher security rating have a lower risk profile and organizations with low ratings need to mitigate the potential risks to increase their score. To translate an organization’s security effectiveness into a quantifiable score, security rating companies use a combination of data points collected organically or purchased from public and private sources, and then apply machine-learning algorithms.
At SecurityScorecard, for instance, we continuously monitor 10 groups of risk factors to deliver an A-F rating for more than 1,000 companies daily. Risk factors include application security, network security, DNS health, patching cadence, endpoint security, IP reputation, web application security, cubit score, hacker chatter, leaked credentials, and social engineering.
Using machine learning, we’re able to optimize the correlation between our security ratings and the relative likelihood of a data breach. This provides scores with more meaningful risk insights so that our users can make smarter business and security decisions. We’ve found that companies with a low score are more than seven times as likely to be breached or face compliance penalties than companies with a high rating.
Security magazine: What is the power of security ratings?
Kalantzis: Security is an ever-moving landscape and continuously monitoring an organization’s cybersecurity posture and supply chain ecosystem has never been more critical. Even though the majority of enterprise data breaches are now attributed to third-parties (think of the recent SolarWinds attack and FireEye breach), most security and risk teams still don’t have the tools necessary to continuously monitor and collaboratively manage the security posture of their suppliers and partners. Today’s leaders are increasingly asking for a simple, objective way to measure cybersecurity risk.
Enter: security ratings; a critical security tool rapidly gaining respect and acceptance in light of today's surge of third-party related breaches. In fact, just a few weeks ago, the Cybersecurity and Information Security Agency (CISA) identified security ratings as a key cyber risk metric as part of its new systemic risk reduction initiative. This is significant because CISA is seen as the “department of cybersecurity” and its role is to provide best practices or the “de facto standard level of care” for organizations, specifically CSOs, CISOs, and their counterparts. As an authoritative voice in the industry, this recognition implies that all digital enterprises should employ security ratings technology as part of their security structure as a best practice.
The technology enables organizations to monitor their security posture on an ongoing basis and can ensure they are proactively addressing cyber risk as it emerges. With increased visibility of their cyberhealth, organizations can make more informed decisions and perform proper cybersecurity due diligence. Most importantly, security ratings help businesses manage third-party risk by allowing them to identify and address pertinent cybersecurity vulnerabilities across their vendor ecosystem.
Security magazine: Can security ratings help with compliance/new privacy frameworks?
Kalantzis: Companies are drawn to security ratings for this exact reason. The ever-evolving and expanding threat landscape mandates continuous monitoring of enterprise and partner security posture to ensure sustained compliance with shifting regulations.
Enterprises can use our platform to show auditors how they continuously track adherence and detect potential gaps with current mandates. Our compliance mapping module actually reveals issues that pertain to the specific checkpoints of security standards -- including PCI, NIST, ISO, SIG, HIPAA, and GDPR. Users can demonstrate how they manage compliance by using the platform to capture, report, and remediate real-time vendor and partner security risks.
Security magazine: Can security ratings help CISOs communicate cybersecurity strategies and risk to the Board and C-Suite?
Kalantzis: Absolutely. CISOs and security managers can use security ratings to monitor the effectiveness of their processes and controls over time, evaluate team performance, and show ROI of security spending at the board level. They can utilize security ratings between audits to prove that new security measures work. And with continuous monitoring of vulnerabilities and risk signals, as soon as new protection measures are incorporated, the data analysis engine recalibrates the score.
Further, companies hiring third parties can incorporate the same review to gain confidence in a vendor. If your vendor is at risk, there is a high chance you are at risk. However, if you cannot break that contract immediately, then you might be worried about your organizations’, and your customers', security. Using security ratings allows CISOs to prove their ongoing due diligence to customers, Board of Directors, and regulators.
The ability to distill large amounts of data into at-a-glance, easy to consume information has always been a strategic advantage. Applying that capability to security is a logical step. The simplicity of the grading helps security leaders communicate risk in universally understood terms which drives productive, fact-based conversations across teams and business units, and at the board level.