Intelligent CISO Issue 08 | Page 41

EXPERT OPINION

Making the grade in cybersecurity

SecurityScorecard assesses companies based not only on their own security posture but also on that of their partners, vendors and other third parties, giving them a ‘security scorecard’. Similar to school reports, the companies and their third-party suppliers get a grade of A to F based on how secure the organisation is, and are also given actionable data on where improvements can be made so they can raise their grade. Matthew McKenna, VP EMEA at SecurityScorecard, provides an overview of security ratings and what they are used for.

We’re all familiar with the concept of credit ratings. From individuals seeking loans and mortgages to organisations and even entire nations, credit ratings assess an entity’s stability, financials and assets and assign a score that reflects its ability to pay debtors. In the business world, the score is commonly shown as a letter grade, with the most-used standards from credit giants like Moody’s and Fitch Ratings generally topping out at AAA and tumbling down towards C or D.

While organised credit ratings have existed for over a century, a more recent development is the introduction of the security rating. In our increasingly digital world, an organisation’s ability to protect its assets from cyberthreats is now equally as important as its ability to remain financially solvent. Indeed, the two states are closely linked, as a company that suffers a major cyberincident will take a severe reputational and financial hit that will also heavily impact its ability to operate and pay debtors.

Just like the more familiar credit ratings, security ratings are generally boiled down to a graded letter and are based on an in-depth assessment of the company’s assets and exposure to risk. Assessments will provide the company with actionable insight into its security posture and where improvements can be made to improve its score.

How are security scores added up?

Establishing an accurate security score requires a comprehensive assessment of the security hygiene of an organisation’s entire ecosystem. The evaluation should quickly provide insight into the externally facing risks across the digital footprint, but should also take into consideration internal factors such as susceptibility to spear-phishing, credential security and other indicators that may suggest the entity in question is at risk.

A large number of breaches are the result of companies using outdated systems, so a company’s diligence in patching its operating systems, services, applications, software and hardware is extremely important.

Network security performance is also very influential, as poor practices such as open access points, insecure or misconfigured SSL certificates or database vulnerabilities are commonly