Former Senior Vice President, National Security and Emergency Preparedness Department, U.S. Chamber of Commerce
June 20, 2017
What is the professional standard for cybersecurity? Whose program is secure and whose isn’t? These are just two of the many questions that arise when discussing the crucial importance of a business’s security defenses.
In today’s highly digitized and interconnected world, a simplified and reliable view of an organization’s cyber defenses can help companies assess risks internally and externally. As the utility and availability of security ratings increase, it is clear that a common understanding of how these ratings should be derived and used is fundamental to building trust in these metrics.
How do ratings work? Rating companies use a combination of data points and proprietary algorithms to develop a rating for a target organization. They collect this information either with the assistance of the rated organization or at times without the rated organization’s knowledge at all. This can include publicly available data points and external sources, such as intelligence feeds or hacker chatter picked up from underground groups. The collected data is then run through algorithms to develop an organization’s security rating. The target organization is then graded, scored and/or ranked against its peers.
Consumers of security ratings use them for a number of different reasons:
- Organizations can review their own scores to identify weaknesses in their security programs or see how they rank against competitors.
- Organizations can seek the ratings of their vendors, partners, or acquisition targets to evaluate potential risks.
- Insurance providers can look at incorporating these security ratings into their cybersecurity insurance underwriting calculations.
While reducing a complex security program to a single metric can cause chief information security officers to discount the score as not providing the whole picture, the simplicity of a security rating can make it an attractive tool to quickly evaluate an organization’s security program. Organizations can leverage security ratings to help measure and manage the cyber risk they face from partners, and the ratings can provide beneficial insight for making business decisions.
There is, of course, the potential for the rating to be inaccurate, irrelevant, incomplete, or unverifiable. Problematic source data can create unfair and unreliable ratings, which serves neither the consumers of security ratings nor the organizations whose programs are rated. Although certain aspects of the rating process will be proprietary, the usability of ratings depends upon consistency and clarity in how they are derived. Sudden changes in methodology can also directly impact the internal risk management models of consumers that depend upon ratings as a key input.
To maximize their utility, both consumers of security ratings and rated companies need to have confidence that ratings are based on actionable, relevant information evaluated through a clear, articulable algorithm or data-driven process. Through a collaborative process, a group of U.S. Chamber member companies has worked closely with security rating companies to develop a concrete set of principles to increase confidence in, and usability of, fair and accurate security ratings. These principles leverage industry best practices and represent the needs of both companies that use ratings as a key cyber risk management tool and those that are rated themselves.
The Fair Credit Reporting Act (FCRA) provided the model for our approach in developing these principles. The FCRA has helped increase confidence in the credit process by both ensuring the usability of ratings for legitimate purposes and recognizing the interests of rated consumers in ensuring that the data underlying their scores are accurate and complete. Appropriate transparency and mechanisms for verifying or correcting data, including providing notice of disputed scores, enable proper context and a robust dialogue that strengthen the system to benefit all participants.
In addition to understanding how ratings are formulated, customers should understand what ratings reflect and what they do not. Ratings represent an encapsulation of available data points and may not reflect nuances and effective security controls layered within a rated organization’s security program. Customers and rated organizations should be able to expect that ratings have been created through fair and independent processes and that sensitive information is not shared publicly or used for marketing materials.
Reliable security ratings that are fair, accurate, and clear will enhance security across the economy. But for security ratings to become ubiquitous, they will need to be created consistently and used responsibly.
We believe that our principles are the next step in making security ratings an accurate and efficient tool for evaluating and managing cybersecurity risk.
About the authors
Ann M. Beauchesne
Beauchesne is the former principal spokesperson on national security and emergency preparedness issues, and is responsible for building and maintaining relationships with administration and regulatory agency leaders.