Cybersecurity scoring is similar in many respects to scoring for credit risk. Credit scores are widely used to underwrite loans large and small, and are trusted by both lenders and regulators as reliable, quantitative tools for assessing risk at both the loan level as well as the portfolio level. They enable lenders to price for risk, and have served not only to expand the availability of credit to consumers of all stripes, but also add valuable elasticity to the economy.
As with credit scores, the best cybersecurity scoring solutions use empirically derived predictive analytics to profile business systems and the environment they operate in – including inferred behavioral and policy indicators – to derive a score. These scores can tell you how likely your organization is to suffer from a data breach – they provide a forward-looking assessment of an organization’s overall cybersecurity posture.
Cybersecurity scoring is a relatively new concept, and not all solutions are the same. So what should you ask to help you choose the right scoring solution for your organization?
1. Will it help me to understand my risk of a breach in the next 12 months?
It is relatively easy to use penetration testing to get a snapshot of your cybersecurity posture at the present point in time. This is informative, but it won't necessarily help you understand the likelihood of a breach occurring in the next 12 months. Some of the scores on the market are point-in-time assessments rather than forward-looking ones. These help spot transient risks, but to really understand your future risk of a significant breach event, you need a solution whose underlying analytics are designed to produce a stable, forward-looking indication of security risk over a relevant future time window.
2. My organization is complicated — can I get a risk profile relevant to my areas of concern?
Having an overall risk picture of an organization is important, but transparency in defining the organization and the ability to drill-down into the risk of constituent parts (subsidiaries, locations and networks) is equally important in ensuring the correct and complete definition of the evaluated entity. To trust the score, you need to know that the scope of the assessment is correct. To make the results actionable, you need to understand the contribution of risk from each of the organization’s constituent parts.
3. Will it help me to continually improve our cybersecurity posture?
To support best practice for cybersecurity, you need a solution that can easily inform and support your processes. A solution that quantifies risk with a score will help you prioritize action and take a risk-based approach. Such a score should reflect how risk is expected to develop over time, rather than only what it is at a given point in time.
In order to improve, you need to understand your starting point, and a score provides a benchmark to support continuous improvement. To measure and improve, the score you use needs to respond to changing conditions, but not flit with the wind. All organizations suffer from network issues and transient risk conditions which, if remediated in a timely way, do not affect long-term risk. The score needs to properly balance responsiveness to new risk conditions against the long-term stability that allows it to be used in decisions about investments, vendor relationships and other impactful business decisions concerning security risk.
4. Can I use the information derived from the score to take appropriate action?
With cybersecurity very much on the boardroom agenda, you need a solution that helps you to express risk in an understandable way that informs action and can justify investment. You need to be confident that the scores provided will help you to explain the likelihood of a breach at your organization to your customers and your insurers. You also need to be able to use the score to inform the decisions you make regarding your suppliers – by understanding their score you can identify if they are introducing risk to you. This is particularly important if the vendors will have access to your data or systems.
To understand more about how cybersecurity for your organization can be better understood with scoring, read our Executive Briefing Understanding Your Cybersecurity Posture.