Executive summary
- Why cyber risk security rating companies are important
- How security rating products work
- The short-term and long-term steps that can be taken to improve an organization’s score from a security rating company.
- Whether an organization should buy a product or service from a security rating company or not.
Why cyber risk security rating companies are important
Gartner calls this category of product “IT Vendor Risk Management” solutions, and that’s the first important point. Products offered by security rating companies are, first and foremost, third-party tools.
They are used by other interested organizations to assess the risks of doing business with your organization. Interested organizations can include your insurance underwriter or a potential customer. Additionally, security rating companies may also be used to assess your supply chain by those same parties.
Given that it can increase the cost of your insurance, reduce the scope of your insurance, or even stop a customer from working with you, you must pay attention to how the rating companies work.
How security rating products work
In theory, the concept is sound. They gather publicly available information about an organization’s estate, assess the security posture, and then provide a score or grade based on what they observe.
However, there are limitations to this approach.
1. The scoring or grading algorithms used are proprietary
There is no standard method used across the category. It’s not always clear how the score is calculated, and the algorithms change regularly—it’s a moving target. Customers tell us they have to spend time understanding how their score is going to be impacted by changes when they happen.
2. Scores are circumstantial
The score is based on a point-in-time snapshot. Although vendors may show how a score has changed over time, the reality is that a score is based on the here and now.
3. Asset attribution is difficult
It’s very difficult to decide whether an organization actually owns an asset or not. Often, security ratings get it wrong. They score the posture of an asset that doesn’t belong to the organization, and it’s difficult to correct this when it happens.
4. Reports are designed for non-technical audiences
As a result, issues that appear can appear to be more serious than they actually are and can be misinterpreted.
5. A high score does not equal a gold standard
Though there will be value in some issues that are uncovered, interpreting a high score as a gold standard is the wrong approach to managing risk in the estate.
6. Scores take time to update
When an issue is corrected, the score will take several weeks—or even months—to reflect the improvement in your estate.
How do I improve my security rating company score?
In the short-term
- You should begin to build visibility of your entire public-facing estate in an automated and continuous manner. Every time a new asset is deployed, it should be added to your inventory automatically.
- Decide which parts of your estate are business-critical and which are not. It’s impossible to fix every configuration problem, so you must be pragmatic. What assets are most important and should have resources committed to them?
- Check for DNS issues including dangling records and fix them when identified.
- Make sure that your asset configuration and application security policies align with the recommended best practices and that they are configured correctly.
- Monitor your IP addresses for ports and protocols that shouldn’t be visible to the public.
- Have a regular patching cadence. Your score will also be impacted by vulnerabilities in your assets, so make sure you have a patching policy in place and that end-of-life and end-of-service applications and products are managed correctly.
Then work on long-term best practice
Deploying applications that are secure by default must be the goal for organizations that take their security seriously. Security configuration checks must be embedded into the development and deployment pipeline so that issues are eliminated before they reach production environments.
- Integrate a security configuration policy check in your development and deployment process when deploying to staging.
- If the configuration isn’t correct, then provide advice to the developer that will help them fix it.
- Maintain a process to check if any configuration has changed.
Should I buy a product or service from a security rating company?
Some argue that security rating companies work in an unethical way. Oftentimes, they will try to sway you into buying their product by telling you that the score they’ve provided for you is also the score your prospects see when considering your organization. And if potential customers are using their tool to score you, then you should too!
You should take a step back and ignore the scaremongering tactics. Instead, you should assess security rating companies based on what they actually do.
- How fresh is the data that they provide, and how quickly does their score update after you have fixed a problem that they identify?
- Does the data they are providing actually belong to your organization?
- Do they provide accurate insight?
- When they tell you about a problem, do they help you understand why it’s a problem and if you should prioritize it?
- Can they help you to focus on improving security in the business-critical areas of your organization while still maintaining visibility of the configuration in less important areas?
- Do they provide advice on how you can fix a problem?
- Are they interested in helping you work to industry standards and to follow best practices, and in working with you because your organization takes security seriously?
- Do they have a DevOps view of the problem and are they interested in integrating their product into your ways of working?
- Is there a customer success function that will actively work with you to meet your security goals?
- Do they truly understand security standards and how they should be configured and what is important?
Watch our full webinar below, ‘Reduce risk and stop losing business by fixing cybersecurity configuration risks’ to learn more!