EXPERT OPINION
exploited by cyberattackers. Likewise,
poorly secured laptops, mobiles and
other endpoint devices frequently
provide an easy attack route, so any
device that can access the Internet must
be factored in.
Looking beyond the business
Security should never be assessed in a
vacuum and any assessment must include
external elements to be truly accurate.
Monitoring conversations on underground
hacker forums, for example, can reveal
if a specific organisation and its IPs are
being discussed as potential targets. The
development of new malware relating to
systems used by an organisation can
influence its security rating.
Closely monitoring both open and closed
sources can also reveal if a company’s
sensitive information has been exposed
as part of a data breach or leak. Data
can then be mapped back to the
organisation to determine whether it is
likely to influence further incidents.
Furthermore, a security rating extends
beyond the organisation to include
suppliers, partners and any other
company that the organisation is
connected with. As the cost of
cyberattacks continually decreases
due to readily available tooling,
cybercriminals can just as easily
attack smaller and less well-equipped
companies to exploit their connections
to larger targets, so the entire supply
chain should be assessed for crucial
risk factors as well.
What does a security score represent?
Much like its financial equivalent,
a security rating can be an important
indication of how safe it is to do
business with an organisation. A good
score can be a valuable competitive
advantage for securing new customers
and partners, while a poor score can be
a liability that costs business. It should
be noted that companies can conduct
non-intrusive analysis on others, for
example assessing the reputation of its
IP address and vulnerability to social
engineering, in addition to hacker
chatter and leaked credentials.
The cybersecurity landscape has
evolved rapidly in recent years and
while security ratings are still an
emerging standard now, they will
soon become as commonly used as
credit ratings.
As cybersecurity continues to grow in
importance, a prospective supplier or
partner’s security score will be just as
influential as its credit score.
Companies which are shown to have
poor security will begin to lose business
in the same way as those that have a
reputation for being financially risky. A
security score and the accompanying
reports and advice can also have a
number of benefits across the company.
Getting attention in the boardroom
While the continued spate of high-level
data breaches has helped to elevate
the discussion of cyberthreats, security
is still all too often neglected at board
level. Even for the most diligent CISO,
demonstrating the return on investment
for cyberspending can be a constant
struggle. The result of a good security
programme is the absence of a security
incident, which usually makes for
less compelling proof than things like
increased productivity and profitability.
Security ratings can help to change this
by making cyberthreats a more tangible,
visible issue as well as by demonstrating
an ROI on ongoing security investment.
An assessment can be used to
produce a report card which outlines
the company’s security posture and
highlights its strengths and weaknesses.
A good security rating will reinforce the
value the CISO and security teams are
bringing to the company and strengthen
the case for more investment and
strategic focus.
Due diligence with partners and customers
As well as helping to improve the
company’s approach to security,
security ratings can lead to more
efficient and thorough diligence when
dealing with third parties. As mentioned,
Issue 08 | www.intelligentciso.com