The security ratings game grades third-party vendors
Can security ratings services patterned on consumer credit scores offer insight into the security postures of third parties and other business partners?
When Christopher Porter became Fannie Mae's CISO earlier this year, the company started digging into third-party security.
"Think of the scope of Fannie Mae," Porter said. "We have tens of thousands of business partners that include mortgage sellers and servicers, banks, investors and our vendors for software and other related business services."
The mortgage financing company used to send out multi-page security questionnaires, but they were often subjective and not based on quantitative analysis. The other problem was that the questionnaires mostly captured a moment in time. Fannie Mae now uses security ratings services to manage its third-party program.
"The security ratings tools give us a consistent and independent way of measuring third parties," Porter said.
Third-party wake-up call
The 2013 Target Corp. breach thrust the issue of third-party risk management into the open. It was after the executive resignations and colossal payouts that large enterprises started to appreciate that, even though they may have internal security controls in place, business partners and other third parties may not meet the same levels of security. After all, it was not Target's systems that were out of compliance -- it was the lack of proper security measures at an HVAC supplier.
Before the landmark retail breach, there really was no such thing as third-party risk management tools for IT security.
Now, companies such as BitSight Technologies, SecurityScorecard and QuadMetrics, which was acquired by FICO in June, offer continuous security ratings services. The ratings services gather data from a variety of public and private sources, including the public internet, then analyze it with proprietary methods and rate companies using their own standard scoring methodologies.
"The system tracks if the company has been in the news, it tracks its SSL certificate practices as well as how they organize domain name servers," Porter explained. "I get weekly emails on the scores that drop off by 10% or more, and I get notified why that happened. For example, it tells me if there was a malware outbreak or if they added new equipment that changed the company's security posture."
Porter said once he gets the report, he works with the company to help get them back to the higher security rating.
"I don't think that tools like this are a silver bullet," he said. "They are more like a Swiss Army knife for managing third parties."
The security ratings services -- in this case, the BitSight Security Rating Platform -- give Fannie Mae the ability to make better decisions on which companies to add as business partners, and they offer the continuous monitoring capability that had been missing.
Digital footprint, higher risk
John Wheeler, a research director at Gartner who covers risk management, said the security ratings services are filling a void for under-the-gun security managers who need an easy-to-understand way of explaining the security postures of business partners to top managers.
"Security ratings services are highlighting the growing need for digital risk management as organizations' digital footprint includes a wider array of third-party technology," Wheeler said. "Fair Isaac's recent acquisition of security ratings service provider QuadMetrics is a testament to the demand for these FICO-like scores for digital risk."
Are the enterprise security ratings services akin to what Equifax, Experian and TransUnion do in the financial sector to provide credit ratings for individual consumers for credit cards and home loans? Although security ratings services are still very new, it's possible that a similar system may emerge in the years ahead, with companies assessing multiple cyber-risk profiles to measure the security levels of third parties.
"People 'get' what the security ratings services do, how they are patterned after the credit ratings agencies," BitSight's CTO Stephen Boyer said. "Companies also find that they can use the data to make decisions on mergers and acquisitions. They can find out if it makes sense to make an acquisition or what they'll really have to pay to raise the security posture of a potential acquisition."
Use cases for enterprise security ratings
Security ratings services are not widely adopted yet, but they are catching on. Gartner recommends that companies consider them for the following uses:
- Communicate more effectively with top management. CISOs can provide an independent assessment of the organization's security posture and compare it to that of industry peers or competitors.
- Practice continuous monitoring. Organizations can use the security ratings services to deliver continuous monitoring and alerting for important business partners or service providers.
- Foster closer business relationships. Cloud service buyers and organizations considering a closer relationship with a business partner can use security ratings services as an efficient way to evaluate their security posture.
- Show service providers in a better light. Service providers can demonstrate their relative security posture to prospective customers. But keep in mind that -- the way licensing deals are structured -- a provider can probably share their score but not the scores of their competitors.
- Integrate insurance company processes. Insurance companies offering cyberinsurance are increasingly using security ratings services as part of their insurance underwriting process.
-- S.Z.
Jason Brown, CISO at Merit Network, a non-profit organization in Michigan that provides internet services to universities, other non-profits, local and state government, libraries and hospitals, said he's not sure organizations will ultimately need three different security ratings services because it takes a lot of effort to just use one.
Merit Network has used QuadMetrics for a little under two years. Brown runs Signet Scope to prioritize internal security projects and Signet Profile to evaluate which third parties his company wants to do business with.
The non-profit organization also offers QuadMetrics to its member companies. For instance, all of the 12 universities that have representatives on Merit's board of directors use QuadMetrics, according to Brown.
"People are starting to see the value, especially as it becomes clear that 70% of cyberattacks go undetected," he said. "Companies will wake up and start looking for what is available."
Impact on insurance ratings
How accurate are these cyber-risk profiles? What recourse do you have if your company gets an unfair (high risk) security rating? That may become a growing concern as insurance companies begin to adopt these tools.
"Ideally, we will now have information that can be made available to third-party insurance providers based on ongoing risk monitoring," Doug Clare, the vice president who heads up the FICO Analytic Cloud Initiative, said. "Today, the insurance industry lacks common metrics or risk tools."
Meghan Hannes, product manager at global insurer AXIS Capital, said insurance companies used to develop risk profiles by directly communicating with individual organizations and the brokerage community.
Today, the security ratings services offer automated insight into an organization's risk profile, which lets AXIS research and identify how a specific threat vector -- a botnet, for example -- affects its security defenses. AXIS uses the BitSight platform to enhance its existing models by providing technical visibility into an organization's risk profile without requiring direct outreach.
"Security ratings services afford carriers the ability to quickly and easily compare their portfolio performance against various static benchmarks," Hannes explained. "From there, the ability to drill down on specific granular details on the company's security risk posture is quite extensive. The security ratings service lets us compare and model remediation effectiveness against an organization's peers within its own industry profile, providing another modeling perspective or evaluating relative risk."
According to Hannes, BitSight lets AXIS remotely view how its clients are specifically affected by malware and ransomware, and the insurance provider can examine individual infections and vulnerabilities. The platform compares an organization's security performance through company-specific diligence vectors such as configurations, open ports and patching cadence against its peers using an A through F grading scale.
"The ability to quickly and easily view an organization's grade provides better risk visibility from a peer comparison perspective, and it enhances our ability to quickly model the performance of our existing portfolio more efficiently on a broader scale," Hannes said. "Simply put, it improves the speed at which we are able to examine risk."
Keeping score
Investors are also looking at this category. SecurityScorecard -- a startup co-founded in 2013 by Aleksandr Yampolskiy, the former CISO at luxury fashion e-commerce retailer Gilt Groupe who has a Ph.D. in cryptography, and Sam Kassoumeh, the former head of security and compliance at Gilt -- received $12.5 million in funding in March 2015, according to the company.
After an organization enters the domain name of the vendor that it wants to monitor, the platform develops overall security scores by analyzing data from 10 critical security factors: web application, network and endpoint security, IP reputation, social engineering, hacker chatter, domain name system (DNS) health, cubit score, patching cadence and password exposure.
"We analyze every IP address across the internet," Sean Goldstein, vice president of global marketing at SecurityScorecard, claimed. "And through a series of honeypots and sinkholes, we have compiled a database of vulnerabilities around the world. From that data, we run reports on business partners and deliver a score."
The "scorecards" can be used to interact with vendors and help them resolve potential security issues. Alerts can also be set up to advise security teams of critical issues with vendors.
Your portfolio of companies is only visible to you and others at your organization. The vendors can be filtered based on overall security grades, 30-day changes and Common Vulnerabilities and Exposures. If poor security ratings are noted in the 10 categories, the technology allows you to "dig deeper" into the issues that led to lower scores. The platform also incorporates security frameworks -- the Health Insurance Portability and Accountability Act, the International Organization for Standardization, the Payment Card Industry and Standardized Information Gathering -- to help you review your vendors' compliance and answers to security questionnaires, which won't go away with these ratings services.
Two or three years ago, a competitive market for security ratings services didn't exist. The security ratings services offer a deeper view on the security posture of vendors, according to proponents, one that can help companies prioritize security projects internally and get better insight into third-party risk.
While savvy security managers understand that most organizations have been under attack every day since the internet exploded in the 1990s, the Target breach was a call to action. Merit Network's Brown has the right idea: No matter the work involved, organizations need to wake up and do something about third-party security.