THE WALL STREET JOURNAL
Paid program from BitSight
Assigning a Number to Cybersecurity Risk

In the world of personal finance, there’s nothing unusual about the concept of a credit score. It’s so fundamental, in fact, that it’s easy to take for granted just how much information is contained in that one single number.

The same is true of cybersecurity ratings—although in today’s risk environment, no one is taking those for granted. As a numerical value summarizing a business’s security posture, security ratings have surged in value and visibility, with use cases in everything from vendor selection to mergers and acquisitions. From both a risk and compliance perspective, businesses increasingly require a clear, consistently updated benchmark reflecting their strengths and vulnerabilities, as well as a window into the same qualities of any potential partner.

“Cybersecurity ratings help address the critical business decisions or questions being asked in companies of all sizes,” says Tom Turner, CEO of security ratings pioneer BitSight Technologies. “The ability to visualize and communicate security performance allows much better risk decisions to be made at scale. Do I accept the risk? Do I transfer the risk? Or do I mitigate the risk I have with third-party vendors?”

Measuring Outcomes

In Turner’s view, the function of cybersecurity ratings runs parallel to that of the bond credit ratings industry, which enables the issuers of a bond to address the risk level of potential investments. BitSight’s ratings system weighs a business’s security posture on a scale from 250 to 900, where higher ratings equate to lower risk. According to the firm’s independently verified research, companies with a rating of 400 or lower are nearly five times more likely to experience a publicly disclosed data breach than those rated at 700 or above.

The ratings themselves are built from publicly accessible information falling into four general categories: evidence of ongoing compromise, diligence in maintaining standards of security, behavior among users of endpoint devices, and public record of data breaches. In other words, the rating is shorthand for the many security factors an enterprise might look at when considering partnering with a vendor or third party.

“What we’re actually measuring when we look at performance are outcomes,” Turner says. “Outcomes are important because they are a way for you to think about not what might happen, not what could happen, but what has happened—and therefore, what has the impact been.”

Security ratings also help businesses look inward to identify the steps they need to take to strengthen their own security posture. For example, Turner explains, businesses where more than 50 percent of endpoint devices (such as laptops or company-issued smartphones) are out of date are three times more likely to suffer a public data breach. Similarly, businesses where employees engage in illegal file-sharing or use pirated software show a high correlation with public breaches, given the likelihood of compromised assets.

A Better Risk Discussion

For vendors, a high rating can also be a way to win new business or retain existing business. One global bank recently partnered with BitSight to better understand the performance of the third-party organizations in its supply chain and granted some of its suppliers access to the BitSight platform. The response was stirring: within the first six months, more than 50 percent of those partners improved their cybersecurity ratings.

“They’re not only having a better risk discussion with their suppliers, they’re also reducing the risk surface area between them as a bank and the important vendors in their supply chain,” Turner says. “If you think about making a decision about what vendors to work with, which companies to underwrite from a cyber insurance standpoint or what companies you might buy—or flat-out invest in—we have a variety of different signals that are important for helping our customers make decisions at scale.”

Ultimately, with spending on cybersecurity continuing to rise, it’s crucial that senior executives and board members understand which investments should be prioritized, drawing on real-time, actionable conclusions about their overall security posture. Whether an enterprise is looking outward to potential partners or analyzing its own footing within the threat landscape, cybersecurity ratings only stand to grow in utility as the world becomes more digital, collaborative and complex.

This content was paid for by an advertiser and created by The Wall Street Journal advertising department. The Wall Street Journal news organization was not involved in the creation of this content.

Copyright 2018 Dow Jones & Company, Inc.
