Advancing Beyond Security Ratings

September 28, 2023 | 4 min read

George Aquila

Product Marketing Manager, External Cyber Defense

5 ways to enhance your supply chain risk strategy.

Until recently, the default approach to reducing third-party cyber risk has been Security Ratings Services (SRS), which assess the cyber risk of organizations in their customers’ supply chains by combining various kinds of data, most of it externally observable, into a numeric or letter grade. In theory this lets an SRS customer decide which vendors’ risk mitigation or governance to prioritize, but it comes without any direct support for resolving false positives or helping vendors with their remediation challenges.

SRS have long served to monitor organizations’ cybersecurity posture, but they have a number of notable limitations that true risk reduction solutions have moved beyond. Businesses focused on third-party cyber risk reduction need a deeper and broader solution, one that manages risk end to end and rapidly identifies and resolves critical cybersecurity issues across the third-party ecosystem. Below we examine five ways that security ratings services come up short, and how you should enhance your supply chain risk strategy today.

1. Uncurated Findings and False Positives

Traditional security ratings services rely on limited public data sources and, because their outputs are not curated and validated by human analysts, produce a high number of false positives, leading to information overload and wasted effort. Many SRS users have become jaded by the volume of negative vendor scores that are too often caused by imperfect data, or by analytics that do not account for what is actually risky in the context of a vendor’s environment. Uncurated data also turns every finding into a validation exercise for clients and third parties, consuming time and resources that could otherwise go toward remediation.

2. Unmeasurable Risk Reduction and “Box-Checking”

When organizations adopt Security Ratings Services for third-party risk management (TPRM), they are often looking to confirm that compliance requirements and governance rules are being enforced. Ratings suit this purpose because they give a high-level view of cyber risk at set intervals, which is enough to validate requirements, or “check the boxes”.

It also means that if new vulnerabilities appear between those intervals, the resulting cyber risk can go unaddressed for days or even weeks, leaving the whole supply chain exposed. It is hard to drive real risk reduction without contextual awareness, and periodic assessment makes it difficult to capture the metrics needed to measure how much risk has actually been remediated within any given vendor.

3. Absence of Remediation Guidance and Added Customer Workload

Loading customers up with risk information and leaving them to act on it is a constant frustration for SRS users. Ratings and scores rarely help an organization take concrete steps to address vulnerabilities: validating escalated risks, prioritizing which findings to investigate, coordinating with the third parties involved, and developing action plans are all left as an exercise for the customer.

Interactions with third parties can be particularly resource-intensive and create friction for SRS customers, since many third parties respond negatively when risk is identified in their environments. If a primary organization asks a third party to remediate a risk that then turns out to be a false positive, the strain on that business relationship can be severe.

4. Zero-Day Vulnerability Lag Times

One of the greatest threats to modern businesses is the nearly continuous disclosure of new critical vulnerabilities, including zero-days that are already being exploited before a patch exists. Such vulnerabilities can affect many organizations across a supply chain at once and give threat actors a way to rapidly infiltrate even well-protected IT environments.

Traditional security ratings services struggle to keep pace with these threats. Scoring models are often updated days or weeks after a disclosure, and it takes further time before SRS customers see the new vulnerabilities reflected in their vendors’ scores or ratings. By the time the disclosed vulnerabilities are being considered and remediated, the door to compromise may already have been open to an attacker.

5. One-Size-Fits-All Coverage

Modern approaches to TPRM should recognize that every organization has unique risk tolerances and business needs. Within a company’s supply chain, certain vendors will always be more critical and will run specific business processes that the primary organization needs visibility into. Security Ratings Services, however, provide generic assessments: they rely on pre-established ratings for companies that have already been scored and apply the same evaluation standard to every vendor, with no tailoring to a customer’s specific business needs.

Modern solutions for third-party cyber risk should move beyond these limitations of SRS vendors: they should emphasize validity of data over simple scores, offer active, assisted remediation, and measurably reduce risk across the whole third-party ecosystem.
