Information Security

Defending the digital infrastructure



The security ratings game grades third-party vendors

Can security ratings services patterned on consumer credit scores offer insight into the security postures of third parties and other business partners?

When Christopher Porter became Fannie Mae's CISO earlier this year, the company started digging into third-party security.

"Think of the scope of Fannie Mae," Porter said. "We have tens of thousands of business partners that include mortgage sellers and servicers, banks, investors and our vendors for software and other related business services."

The mortgage financing company used to send out multi-page security questionnaires, but they were often subjective and not based on quantitative analysis. The other problem was that the questionnaires mostly captured a moment in time. Fannie Mae now uses security ratings services to manage its third-party program.

"The security ratings tools give us a consistent and independent way of measuring third parties," Porter said.

Third-party wake-up call

The 2013 Target Corp. breach thrust the issue of third-party risk management into the open. It was after the executive resignations and colossal payouts that large enterprises started to appreciate that, even though they may have internal security controls in place, business partners and other third parties may not meet the same levels of security. After all, it was not Target's systems that were out of compliance -- it was the lack of proper security measures at an HVAC supplier.

Before the landmark retail breach, there was really no such thing as a third-party risk management tool for IT security.

Now, companies such as BitSight Technologies, SecurityScorecard and QuadMetrics, which was acquired by FICO in June, offer continuous security ratings services. The ratings services gather data from a variety of public and private sources, including the public internet, analyze it with proprietary methods and rate companies using their own scoring methodologies.


"The system tracks if the company has been in the news, it tracks its SSL certificate practices as well as how they organize domain name servers," Porter explained. "I get weekly emails on the scores that drop off by 10% or more, and I get notified why that happened. For example, it tells me if there was a malware outbreak or if they added new equipment that changed the company's security posture."

Porter said once he gets the report, he works with the company to help get them back to the higher security rating.

"I don't think that tools like this are a silver bullet," he said. "They are more like a Swiss Army knife for managing third parties."

The security rating services -- in this case, the BitSight Security Rating Platform -- give Fannie Mae the ability to make better decisions on which companies to add as business partners, plus it offers the continuous monitoring capability that had been missing.

BitSight Security Ratings Report

Digital footprint, higher risk

John Wheeler, a research director at Gartner who covers risk management, said the security ratings services are filling a void for under-the-gun security managers who need an easy-to-understand way of explaining the security postures of business partners to top managers.

"Security ratings services are highlighting the growing need for digital risk management as organizations' digital footprint includes a wider array of third-party technology," Wheeler said. "Fair Isaac's recent acquisition of security ratings service provider QuadMetrics is a testament to the demand for these FICO-like scores for digital risk."

Are the enterprise security ratings services akin to what Equifax, Experian and TransUnion do in the financial sector to provide credit ratings for individual consumers for credit cards and home loans? Although security ratings services are still very new, it's possible that a similar system may emerge in the years ahead, with companies assessing multiple cyber-risk profiles to measure the security levels of third parties.

"People 'get' what the security ratings services do, how they are patterned after the credit ratings agencies," BitSight's CTO Stephen Boyer said. "Companies also find that they can use the data to make decisions on mergers and acquisitions. They can find out if it makes sense to make an acquisition or what they'll really have to pay to raise the security posture of a potential acquisition."

Use cases for enterprise security ratings

Security ratings services are not widely adopted yet, but they are catching on. Gartner recommends that companies consider them for the following uses:

  • Communicate more effectively with top management. CISOs can provide an independent assessment of the organization's security posture and compare it to that of industry peers or competitors.
  • Practice continuous monitoring. Organizations can use the security ratings services to deliver continuous monitoring and alerting for important business partners or service providers.
  • Foster closer business relationships. Cloud service buyers and organizations considering a closer relationship with a business partner can use security ratings services as an efficient way to evaluate their security posture.
  • Show service providers in a better light. Service providers can demonstrate their relative security posture to prospective customers. But keep in mind that -- the way licensing deals are structured -- a provider can probably share their score but not the scores of their competitors.
  • Integrate insurance company processes. Insurance companies offering cyberinsurance are increasingly using security ratings services as part of their insurance underwriting process.

 -- S.Z.

Jason Brown, CISO at Merit Network, a non-profit organization in Michigan that provides internet services to universities, other non-profits, local and state government, libraries and hospitals, said he's not sure organizations will ultimately need three different security ratings services because it takes a lot of effort to just use one.

Merit Network has used QuadMetrics for a little under two years. Brown runs Signet Scope to prioritize internal security projects and Signet Profile to evaluate which third parties his company wants to do business with.

The non-profit organization also offers QuadMetrics to its member companies. For instance, all of the 12 universities that have representatives on Merit's board of directors use QuadMetrics, according to Brown.

"People are starting to see the value, especially as it becomes clear that 70% of cyberattacks go undetected," he said. "Companies will wake up and start looking for what is available."

Impact on insurance ratings

How accurate are these cyber-risk profiles? What recourse do you have if your company gets an unfair (high risk) security rating? That may become a growing concern as insurance companies begin to adopt these tools.

"Ideally, we will now have information that can be made available to third-party insurance providers based on ongoing risk monitoring," Doug Clare, the vice president who heads up the FICO Analytic Cloud Initiative, said. "Today, the insurance industry lacks common metrics or risk tools."

Meghan Hannes, product manager at global insurer AXIS Capital, said insurance companies used to develop risk profiles by directly communicating with individual organizations and the brokerage community.

Today, the security ratings services offer automated insight into an organization's risk profile, which lets AXIS research and identify how a specific threat vector -- a botnet, for example -- affects its security defenses. AXIS uses the BitSight platform to enhance its existing models by providing technical visibility into an organization's risk profile without requiring direct outreach.

"Security ratings services afford carriers the ability to quickly and easily compare their portfolio performance against various static benchmarks," Hannes explained. "From there, the ability to drill down on specific granular details on the company's security risk posture is quite extensive. The security ratings service lets us compare and model remediation effectiveness against an organization's peers within its own industry profile, providing another modeling perspective for evaluating relative risk."

According to Hannes, BitSight lets AXIS remotely view how its clients are specifically affected by malware and ransomware, and the insurance provider can examine individual infections and vulnerabilities. The platform compares an organization's security performance through company-specific diligence vectors such as configurations, open ports and patching cadence against its peers using an A through F grading scale.

"The ability to quickly and easily view an organization's grade provides better risk visibility from a peer comparison perspective, and it enhances our ability to quickly model the performance of our existing portfolio more efficiently on a broader scale," Hannes said. "Simply put, it improves the speed at which we are able to examine risk."
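The mechanics that Porter (weekly alerts when a vendor's score drops by 10% or more, with the signal that caused it) and Hannes (configurations, open ports and patching cadence graded A through F against industry peers) describe above can be illustrated with a toy rating model. This is an added example for this article, not BitSight's, SecurityScorecard's or QuadMetrics' code: the signal names, weights, thresholds, vendor snapshots and peer scores are all constructed, and the point is only to show how externally observable signals become a weighted score, a letter grade, a drop alert with an explanation, and a peer percentile.

```python
"""
Toy security rating built from externally observable signals.

Added illustration only: it is not any ratings vendor's scoring logic.
Signal names, weights, thresholds and the vendor observations below are
all constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    """One outside-in snapshot of a vendor (constructed fields)."""
    vendor: str
    observed: date
    tls_min_version: str        # weakest TLS version the public hosts accept
    cert_days_left: int         # days until the earliest public cert expires
    spf: bool                   # SPF TXT record published
    dmarc: bool                 # DMARC policy record published
    open_mgmt_ports: int        # admin ports (22/23/3389/445 ...) reachable from the internet
    patch_lag_days: int         # median days from vendor advisory to patched service banner
    botnet_sightings_30d: int   # sinkhole/honeypot hits from the vendor's IP space


# Relative weight of each signal; they sum to 1.0. Constructed values.
WEIGHTS = {
    "tls": 0.15, "cert": 0.10, "email_auth": 0.15,
    "mgmt_ports": 0.20, "patching": 0.25, "botnet": 0.15,
}

_TLS = {"TLS1.3": 1.0, "TLS1.2": 1.0, "TLS1.1": 0.5, "TLS1.0": 0.25}


def signal_scores(o: Observation) -> dict[str, float]:
    """Map raw observations to per-signal scores in [0.0, 1.0]."""
    return {
        "tls": _TLS.get(o.tls_min_version, 0.0),
        "cert": 1.0 if o.cert_days_left >= 30 else (0.5 if o.cert_days_left >= 0 else 0.0),
        "email_auth": (int(o.spf) + int(o.dmarc)) / 2,
        "mgmt_ports": max(0.0, 1.0 - 0.25 * o.open_mgmt_ports),
        "patching": (1.0 if o.patch_lag_days <= 14 else 0.6 if o.patch_lag_days <= 30
                     else 0.2 if o.patch_lag_days <= 90 else 0.0),
        "botnet": (1.0 if o.botnet_sightings_30d == 0
                   else 0.5 if o.botnet_sightings_30d <= 2 else 0.0),
    }


def rating(o: Observation) -> int:
    """Weighted 0-100 score for one snapshot."""
    s = signal_scores(o)
    return round(100 * sum(WEIGHTS[k] * s[k] for k in WEIGHTS))


def grade(score: int) -> str:
    """A through F letter grade on fixed cutoffs (constructed)."""
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return letter
    return "F"


def worsened_signals(prev: Observation, cur: Observation) -> list[str]:
    """Signals whose score fell between two snapshots; this is the 'why' in an alert."""
    p, c = signal_scores(prev), signal_scores(cur)
    return sorted(k for k in WEIGHTS if c[k] < p[k])


def drop_alerts(history: list[Observation], threshold: float = 0.10) -> list[dict]:
    """Flag vendors whose score fell by at least `threshold` between consecutive snapshots."""
    by_vendor: dict[str, list[Observation]] = {}
    for o in history:
        by_vendor.setdefault(o.vendor, []).append(o)
    alerts = []
    for vendor, obs in by_vendor.items():
        obs.sort(key=lambda o: o.observed)
        for prev, cur in zip(obs, obs[1:]):
            before, after = rating(prev), rating(cur)
            if before and (before - after) / before >= threshold:
                alerts.append({"vendor": vendor, "from": before, "to": after,
                               "grade": grade(after), "why": worsened_signals(prev, cur)})
    return alerts


def peer_percentile(score: int, peer_scores: list[int]) -> float:
    """Share of peers (in percent) scoring strictly below this vendor."""
    return round(100 * sum(p < score for p in peer_scores) / len(peer_scores), 1)


# Constructed snapshots: a clean vendor that a week later shows a malware
# outbreak and a newly exposed admin port, and a vendor with old TLS, half
# of the email controls, two exposed admin ports and slow patching.
ACME_W1 = Observation("acme-servicing.example", date(2016, 8, 1), "TLS1.2", 120, True, True, 0, 10, 0)
ACME_W2 = Observation("acme-servicing.example", date(2016, 8, 8), "TLS1.2", 113, True, True, 1, 10, 5)
BETA = Observation("beta-bank.example", date(2016, 8, 8), "TLS1.0", 10, True, False, 2, 45, 0)
PEER_SCORES = [95, 88, 81, 77, 72, 64, 55]  # constructed industry peer group

if __name__ == "__main__":
    for o in (ACME_W1, ACME_W2, BETA):
        print(o.vendor, o.observed, rating(o), grade(rating(o)))
    for a in drop_alerts([ACME_W1, ACME_W2, BETA]):
        print("ALERT", a)
    print("acme percentile vs peers:", peer_percentile(rating(ACME_W2), PEER_SCORES))
```

Two design points carry over to the real services. First, every input is something observable from outside the vendor's network (TLS configuration, DNS records, exposed ports, sinkhole traffic), which is why these scores can be produced without the vendor's cooperation and also why, as the reader comments below argue, they say nothing about vulnerabilities that are not externally visible. Second, the alert is only useful with the `why` list attached: a 20-point drop means nothing to a vendor manager until it is tied to "botnet sightings" and "new admin port", which is exactly what Porter says he takes back to the third party.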

Keeping score

Investors are also looking at this category. SecurityScorecard -- a startup co-founded in 2013 by Aleksandr Yampolskiy, the former CISO at luxury fashion e-commerce retailer Gilt Groupe who has a Ph.D. in cryptography, and Sam Kassoumeh, the former head of security and compliance at Gilt -- received $12.5 million in funding in March 2015, according to the company.

After an organization enters the domain name of the vendor that it wants to monitor, the platform develops overall security scores by analyzing data from 10 critical security factors: web application, network and endpoint security, IP reputation, social engineering, hacker chatter, domain name system (DNS) health, cubit score, patching cadence and password exposure. 

Financial Industry Security Performance Compared to All Industries

"We analyze every IP address across the internet," Sean Goldstein, vice president of global marketing at SecurityScorecard, claimed. "And through a series of honeypots and sinkholes, we have compiled a database of vulnerabilities around the world. From that data, we run reports on business partners and deliver a score."

The "scorecards" can be used to interact with vendors and help them resolve potential security issues. Alerts can also be set up to advise security teams of critical issues with vendors.

Your portfolio of companies is only visible to you and others at your organization. The vendors can be filtered based on overall security grades, 30-day changes and Common Vulnerabilities and Exposures (CVE) identifiers. If poor security ratings are noted in the 10 categories, the technology allows you to "dig deeper" into the issues that led to lower scores. The platform also incorporates security frameworks -- the Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) standards, the Payment Card Industry Data Security Standard (PCI DSS) and the Standardized Information Gathering (SIG) questionnaire -- to help you review your vendors' compliance and their answers to security questionnaires, which won't go away with these ratings services.

Two or three years ago, a competitive market for security ratings services didn't exist. The security ratings services offer a deeper view on the security posture of vendors, according to proponents, one that can help companies prioritize security projects internally and get better insight into third-party risk.

While savvy security managers understand that most organizations have been under attack every day since the internet exploded in the 1990s, the Target breach was a call to action. Merit Network's Brown has the right idea: No matter the work involved, organizations need to wake up and do something about third-party security. 


This was last published in September 2016


Can security ratings predict the likelihood that a company will be breached?
A new set of eyes, as it were, can usually help. That's generally true in most any environment. And it's helpful that security ratings are available. The real questions are (1) why isn't your site more secure and (2) what are you going to do about it (beyond patching the immediate problem). Playing Whack-a-Mole with corporate security should not be an option.

These ratings are an absolute disaster for the security community. The metrics are gathered by examining tiny sections of the security landscape, such as spam and SSL issues, and this is not indicative of general security practice. If these ratings take hold, it will be very easy for a company to appear secure when they are in fact terrible, and vice versa.

For example, if all your websites have valid SSL and SPF records but are riddled with hundreds of critical vulnerabilities; BitSight will give you the green light. Whereas if the only thing left is to update SHA-1 certificates across the estate and everything else is exceptionally good, you will appear to have a lower rating. This is not a problem with a given vendor, it is a systemic problem which cannot disappear until running Vulnerability Assessments and deep Penetration Tests on machines you do not own and without authorisation becomes legal - so never.

In addition, these ratings are not independent: you have to take their services to have a realistic chance of improving them. Once you take their services, faking a secure rating is relatively easy - you just point-fix the random bits they see and tell you, and point out false positives.

I'm vehemently opposed to this, and it's clear to any serious practitioner of security there is no value whatsoever in these ratings. If they are only used to judge how good a company's SSL hygiene is, fair enough. But the way it is suggested they are used is a large nail in the coffin of a sensible approach to security. It is not just harmless grabbing of money from unsuspecting victims, it can force the security investment into the wrong places just to clear up a pointless artificial magic invented rating which bears no resemblance at all to the security posture of an organisation.

