Third-party security has become a primary objective for many CISOs. Consider the case of a large financial firm with tens of thousands of partners that include mortgage companies, banks and investors as well as vendors providing various business services. Many CISOs used to simply send out questionnaires to measure their partner security postures.
But questionnaires are subjective - many of the responses amount to a vendor's best guess. They also merely capture postures at a particular moment in time. As we all know, things never stay the same regarding the level of required security in today’s world of rampant cybercriminal activity. And, simply put, it’s pretty much impossible for any organization to read through and understand the risk associated with every single response; so, the responses pile up on the credenza behind the desk.
In reaction to this development, many firms across all industries are now looking to use rating services to manage their third-party security programs. The ratings can provide a consistent, independent and on-going way of measuring third-party security risk.
Gaining this capability is key because many breaches originate through third-party suppliers. Enterprises now realize that even if they deploy sufficient security controls, their partners may not. This is especially true when those partners are small- and medium-sized businesses with limited information security staff, technology and skills. It’s not in their DNA to meet the minimum security baseline you’d expect of them. And the majority of U.S. businesses—99.7 percent, according to the SBA Office of Advocacy—fall into the category of “small business.”
Ongoing Security Measurement—Just Like Consumer Credit Ratings
The best way to take on this challenge is to deploy an on-demand security ratings service that gathers data from a variety of sources. Similar to the way Equifax, Experian and TransUnion measure consumer credit and provide FICO scores, leading solutions—such as the DatumSec Vendor Assessment Program—analyze security attribute data, and then rate companies using standard scoring methodologies.
This enables companies to track, as a simple example, partner access and authentication methods and how well these vendors secure the web services they expose to the public Internet. Companies can also gather information regarding the services associated with a domain, checking to see if they are configured securely. They can also determine if a vendor shows up on the dark web, signaling the possibility that the vendor has been compromised.
These are just a few examples of what can be produced by an external assessment. The assessment provides an initial view into how an organization approaches its information security program from a public-facing perspective and if the vendor has already been compromised. But just as financial assessments must go beyond FICO scores to consider other financial and business stability measurements (think Better Business Bureau), so too must security assessments go beyond the external ‘indicators of compromise’ (IoC) and ‘indicators of posture’ (IoP) viewpoints.
To this point, it’s critical to conduct internal assessments, which include vendor self-evaluations of their data-sharing relationship and information security practices as well as an in-depth technical analysis of their information security policies and enforcement practices. The internal viewpoint helps determine if vendors are leaving themselves open to future attacks. [NOTE: Look for more about internal assessments in my next post]
Armed with a score AND information curated from both external and internal assessments, companies gain the ability to make better decisions on which partners and vendors to add or drop. This information is also extremely valuable when negotiating terms. As a strong parallel to this, organizations can also use this score and information to determine if it makes sense to proceed with an acquisition of a business, or what it will cost to raise the security posture across a wide range (and a large number) of potential acquisition targets prior to moving toward the final close of the deal.
A Market That’s Heating Up
A few years ago, a competitive security ratings market didn't exist. But today’s services offer a deeper view into the posture of vendors that helps companies prioritize security projects internally and gain better insights into third-party risk. The market is thus beginning to heat up—with many vendors providing solutions backed by a flood of venture capital.
The market is even seeing early consolidation among top solution providers. DatumSec, still running strong on its own, is one of the leading players and sees the market as primed for taking off as security ratings provide increasing business value.
Going forward, it will be important to develop an initial view of the state of security for your vendors and business partners. Eventually, it will become non-negotiable. The internal self-attested questionnaire approach can still be helpful—to put the vendors on the hook for what they claim their security posture is—but organizations will also require that their business partners run a security ratings assessment composed of both internal and external components to validate their statements.
In other words, trust your partners, but verify what they tell you. When decisions are made as to whom to do business with, or when negotiating a potential acquisition, a comparative security rating score will prove invaluable to determine a company’s true risk—and to make sure your own business is not exposed to unnecessary cyberattacks.
About Jonathan Niednagel
Jonathan Niednagel, CEO and co-founder of DatumSec, proved his flexibility in a variety of roles during his 7-year run at Symantec Corporation, starting in technical support and working his way up through the product management ranks. In 1997, Jonathan started Mobile Automation as their CEO, managing the company through to 1999, successfully raising several rounds of venture capital and taking the company to a successful exit.