EXPERT OPINION
Making the grade in cybersecurity
SecurityScorecard assesses companies based not only on their own security posture but also on that of their partners, vendors and other third parties, giving them a 'security scorecard'. Similar to school reports, the companies and their third-party suppliers get a grade of A to F based on how secure the organisation is, along with actionable data on where improvements can be made so they can raise their grade. Matthew McKenna, VP EMEA at SecurityScorecard, provides an overview of security ratings and what they are used for.
We're all familiar with the concept of credit ratings. From individuals seeking loans and mortgages to organisations and even entire nations, credit ratings assess an entity's stability, financials and assets and assign a score that reflects its ability to pay debtors. In the business world, the score is commonly shown as a letter grade, with the most-used standards from credit giants like Moody's and Fitch Ratings generally topping out at AAA and tumbling down towards C or D.

While organised credit ratings have existed for over a century, a more recent development is the introduction of the security rating. In our increasingly digital world, an organisation's ability to protect its assets from cyberthreats is now just as important as its ability to remain financially solvent. Indeed, the two states are closely linked, as a company that suffers a major cyberincident will take a severe reputational and financial hit that will also heavily impact its ability to operate and pay debtors. Just like the more familiar credit ratings, security ratings are generally boiled down to a graded letter and are based on an in-depth assessment of the company's assets and exposure to risk. Assessments will provide the company with actionable insight into its security posture and where improvements can be made to improve its score.

How are security scores added up?

Establishing an accurate security score requires a comprehensive assessment of the security hygiene of an organisation's entire ecosystem. The evaluation should quickly provide insight into the externally facing risks across the digital footprint, but should also take into consideration internal factors concerning practices around susceptibility to spear-phishing, credential security and other indicators that may suggest the entity in question is at risk.

A large number of breaches are the result of companies using outdated systems, so a company's diligence in patching its operating systems, services, applications, software and hardware is extremely important.

Network security performance is also very influential, as poor practices such as open access points, insecure or misconfigured SSL certificates or database vulnerabilities are commonly

Matthew McKenna, VP EMEA at SecurityScorecard

www.intelligentciso.com | Issue 08