Information Security

Defending the digital infrastructure


Cybersecurity risk profiles: Are FICO-like scores a good idea?

Metrics are the CISO's reporting mechanism. Security ratings services may offer a way to continuously monitor changes in vendors and business partners' security postures.

CISOs increasingly need to adapt security metrics to new business initiatives and technology, from cloud to DevOps to the internet of things. They're also responsible for monitoring the cybersecurity risk profiles of third-party vendors and service providers. Tools are emerging to help with some of these tasks.

FICO acquired QuadMetrics in June and aims to further develop an Enterprise Security Score to help organizations with board-level risk assessments, third-party vendor management and cyberinsurance underwriting. Startup SecurityScorecard offers security ratings on third-party vendors and enables companies to follow changes in cybersecurity risk profiles. BitSight Technologies is the traditional player in the category with a widely used security ratings platform.

Are these metrics likely to catch on and improve decision making when it comes to selecting vendors and business partners? Technology journalist Steve Zurier looks at new approaches to management and quantification of security risk that rely on cybersecurity risk profiles for measurable security outcomes.

"I get weekly emails on the scores that drop off by 10% or more, and I get notified why that happened," Christopher Porter, CISO at Fannie Mae, told Zurier. Porter said he then worked with the profiled company to help it get a higher security rating.

While security ratings services may provide another tool in the arsenal as a way to continuously monitor the security postures of third-party vendors, enterprises continue to struggle with governance and risk management in hybrid cloud environments and with recruiting staff with cybersecurity skills. We look at both issues this month. Jaikumar Vijayan reports on cloud GRC (governance, risk management and compliance) as business units and workgroups continue to flock to services.

As the talk of automating outsourced functions continues, security professionals in the public and private sectors are trying to come up with ways to address the cybersecurity skills shortage. If geeks are now cool -- go, Pokémon Go! -- why can't companies find enough people with cybersecurity skills? Developing this talent may involve some combination of "born this way" -- see Marcus Ranum's interview with ethical hacker Kevin Johnson -- education, and even gaming and hacking contests. We look at the numbers on hard and soft skills from Intel Security's May 2016 report "Hacking the Skills Shortage."

"Now, when an attack occurs, the people who understand the attack have to be able to communicate," Candace Worley, Intel Security senior vice president and general manager, told the audience at the Center for Strategic and International Studies when the report was presented earlier this year. "Building that communication skill set is more important today than it was in the early 2000s because those highly technical individuals have to go in front of the board given the high-profile nature of the attacks."

This was last published in September 2016
