“I think that one of the really genius things that our founders did was in seeking to find ways to manage and measure risk. They devised a rubric that’s easily understandable objectively.”
Brendan Peter, Vice President, Global Government Affairs at SecurityScorecard, was in town for a couple of days as part of the annual GovWare Conference & Exhibition, held at The Sands Expo in Singapore. We caught up with Brendan to understand what cyber awareness and resilience mean to businesses today, and how SecurityScorecard bridges the gap between security awareness and readiness.
In line with GovWare’s theme, we wanted to understand how businesses can better increase their cybersecurity profiles, and remain agile to meet changing market needs. This is where SecurityScorecard, a global leader in cybersecurity ratings, comes in. “The promise and premise of SecurityScorecard is that it’s relatively easy to begin gaining insights into (cybersecurity),” Brendan said.
He works closely with customers and partners across global organizations and public agencies on their needs around raising their cybersecurity portfolio. This includes working through different levels of maturity across owned and third-party risk management programs, and capabilities to detect, assess and mitigate potential vulnerabilities. SecurityScorecard essentially provides users with a platform where they can immediately inventory and analyze potential threats and vulnerabilities in real time.
Cyber Resilience is Fundamental in the Age of Digital
According to Gartner Inc., security and risk management (SRM) leaders must focus on three key domains to address cybersecurity risks and sustain an effective cybersecurity program. One key domain is providing technical security capabilities that give greater visibility and responsiveness across the organization’s digital ecosystem.
For organizations trying to achieve greater visibility and responsiveness in their security capabilities, Brendan noted that many lack the time or resources to monitor outside risks and threats, especially as their partner ecosystems grow and potentially introduce new vulnerabilities into the supply chain. Over time, this leaves them unable to map the suppliers and relationships that matter most in terms of criticality, potential disruptions and vulnerabilities. This is where SecurityScorecard provides a solution via its SecurityScorecard Rating dashboard, which allows organizations to automatically discover, triage and communicate with partner organizations that have an impact throughout the supply chain.
The dashboard coalesces data and learnings from millions of organizations and internationally accredited security standards against the company’s trusted and transparent rating model. Once an automated risk assessment process such as SecurityScorecard Rating is in place, reviewing and mapping new partner organizations becomes a continuous method of evaluation, with risks triaged as they happen in real time.
The company also provides a baseline ratings portal where organizations can use historical and current insights to see exposures they may have and get an indication of potential vulnerabilities. The dashboard provides easy-to-read, data-driven ratings across 10 risk factors that allow organizations to benchmark against peers of similar industry or organizational size, and to understand their own baseline standing.
Bringing Measurable Outcomes to the Table
Founders Sam Kassoumeh and Alexandr Yampolskiy were practicing CISOs prior to starting SecurityScorecard. As CISOs, both struggled to demonstrate in a measurable way that investments in security programs were making a tangible difference to their organizations’ security posture.
Thus, the duo started SecurityScorecard as a solution that uses metrics as the de facto measure to identify gaps and opportunities through a proprietary scoring model. “We’ve been really focused in the last 10 years on building statistically valid and defensible metrics that correlate to cyber incidents and breach likelihood to help organizations better understand their security posture,” Brendan added.
The solution has been successful in proving the effectiveness of security investments to business leaders by quantifying the tangible return on investment as reduced risk. For example, SecurityScorecard is able to quantify a 7.7x better cyber resilience rate for an organization with an A rating than for one with an F rating.
SecurityScorecard’s proprietary approach also entails a scan of the entire internet every 10 days, so that the latest external inputs on identified risks and vulnerabilities can be fed into the company’s risk assessment models. With historical data going back a decade and a consistently refreshed data set, SecurityScorecard is able to provide a highly sophisticated data correlation that is highly predictive of an organization’s risk from cybersecurity threats.
Bridging the Gap Between Policy and Action for Cyber Resilience
Government agencies are often limited in their ability to move as fast as the private sector, but the sense of urgency continues to accelerate with the need to baseline, communicate and continuously assess risks. Brendan sees this as an opportunity to give public agencies actionable information on whether the policies in place are actually moving the needle and addressing known issues and gaps, and in turn to use that data to inform further policymaking and investment decisions.
In the United States, public agencies have started to use SecurityScorecard’s data to map directly to regulatory policies that have been issued, and to monitor the effectiveness of these policies in reducing security risk factors for the intended partners. One example is the Transportation Security Administration (TSA). TSA adopted SecurityScorecard and used its data to align with regulatory policies and continuously assess infrastructure owner-operators, enabling real-time communication and risk reduction. This approach has proven not only to drive accountability and facilitate inter-entity communication, but also to simplify technical data for non-experts.
Brendan underscores the value of a simple rubric for assessing and grading organizations’ cybersecurity maturity, making it comprehensible to a wider audience. This grading system allows agencies to show, using observable data, that recommended cybersecurity measures have been implemented and have effectively reduced risk.
“For us, we’re on a broad mission, I think to talk to critical infrastructure sectors, regulators and governments around the world that these types of approaches can yield tangible data and tangible results that can help you measure the effectiveness of programs but also communicate with stakeholders about the hard work that you’re undertaking to increase resilience.”