Insights blog.

At a recent Bitsight Roadshow, a customer with an advanced third party risk management program declared “assessments are not risk reduction.” The statement was not meant to convey that assessments are useless for third party risk; rather, that assessments themselves don’t inherently drive risk down.

It’s no surprise that cybersecurity remains a top concern for business leaders today. In fact, PwC’s 2018 CEO Survey showed cyber threats rose from its position as the #10 organizational threat in 2017 to #4. As such, the market for cybersecurity solutions is extremely large, with forecasts putting the expected spending on security solutions at over $100 billion by 2020 (according to Gartner and IDC.) From traditional security hardware to more modern software solutions and a multitude of security services, security leaders have no shortage of options when it comes to strengthening the security posture of their organization. But where do security ratings fit in? Do organizations really need both security ratings and traditional security solutions like a SIEM? And if so, why?

In today’s day and age, reducing cyber risk needs to be a priority for your organization — but what is the most effective way to tackle building your security program? For seven years, Bitsight has proven that we have the most time-tested, trusted, and actionable security ratings that are now used by over 2,100+ customers. But when you become a Bitsight customer, what are the benefits that you actually receive besides our world-class security ratings solution?  

The federal government relies on tens of thousands of contractors and subcontractors — often referred to as the federal “supply chain” — to provide critical services, hold or maintain sensitive data, deliver technology, and perform key functions. Along with the Federal Government itself, these contractors and subcontractors face a multitude of cyber threats.

Last year, Bitsight was proud to help drive the Principles for Fair and Accurate Security Ratings, published by the US Chamber of Commerce and supported by over 40 global organizations. The establishment of these Principles demonstrates the momentum and maturity of the security ratings market that Bitsight pioneered in 2011. The Principles were designed to promote fairness in reporting of cybersecurity performance and encourage the adoption of security ratings across all industry sectors.

When Bitsight pioneered the security ratings market over six years ago, it was the first to use the outside-in approach to security ratings. Although not initially intuitive to many people, the value of this approach has become increasingly clear for many reasons and subsequently, its adoption has become more widespread. At Bitsight, we believe that an outside-in approach is the best way to build a security ratings product, and has proven valuable in many use cases.

Within the Bitsight Security Ratings platform, we prioritize features specifically chosen to help organizations identify and manage risks across their own networks and the networks of their third parties. Bitsight now enables users to identify organizations who are potentially vulnerable to ROBOT — short for "Return Of Bleichenbacher's Oracle Threat"— attacks. The vulnerability behind the ROBOT attack was originally discovered in 1998 and has resurfaced through a number of proprietary TLS/SSL implementations, affecting some of the most popular websites — including Facebook and PayPal. The vulnerability ultimately provides a method by which an attacker can decrypt TLS/SSL traffic and obtain sensitive information.

This August, Bitsight announced the release of several new risk vectors specifically chosen to help organizations identify and manage risks across their own networks and the networks of their third parties. Bitsight chose those new risk vectors to enhance the insights across the “spectrum of risk” and provide a more comprehensive picture of an organization’s security posture.

In today’s market, an increasing number of security and risk management executives are being asked to present to the Board of Directors on the state of their — and their third parties’ — security and risk programs. Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk. Bitsight understands that making an organization’s cybersecurity posture accessible to C-level executives and the Board of Directors is becoming more of a requirement within the business; we’ve added capabilities within Bitsight Security Ratings that arm security and risk management executives with actionable metrics that they can share with the Board of Directors.

In today’s world, organizations must be extremely conscientious about their vendors. It is just as important to be aware about the security of third-party networks as it is to be aware of their own. In April 2017, Netflix’s new season of the hit show “Orange is the New Black” was stolen and leaked after they ignored several ransom requests by a hacker. The agent was able to breach Larson Studios, a third party postproduction company for Netflix. It’s critical that organizations have a vendor risk management (VRM) program in place to address the risk posed by third parties. As outsourcing and the use of cloud services continues to grow, it’s even more crucial that the strategy can scale to meet the rising demands to increase the number of vendors. This is where many companies are falling short today.

There’s no doubt that organizations understand the value of implementing strong cybersecurity programs and encouraging their third parties to do the same. As data breaches continue worldwide, 63% of those breaches are caused through a third party vendor, according to Soha Systems’ Third Party Advisory Group. As such, Boards of Directors realize the need to have security and risk practitioners such as Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) provide their expertise and guidance. In today’s landscape, cyber risks are at the front of Boards’ minds. This is why it is critical that security practitioners be in the room.

Following an increase in ransomware cyber attacks, most notably May 2017’s WannaCry attack, U.S. public sector entities are starting to see the effects of these attacks on the almost $4 trillion municipal debt market. As a result, issuers are now starting to consider the cybersecurity posture of borrowers at the town, city, and local levels when they apply for bonds.

For years, cybersecurity was considered a “check-the-box” discussion during the merger and acquisition (M&A) process. It was almost always examined to ensure there weren’t any glaring issues or major red flags—but there wasn’t a whole lot of care or thought put into it.

While your current Vendor Risk Management (VRM) or Third-Party Risk Management (TPRM) program may have areas of strength, there is most certainly room for improvement. These programs are a significant driver of both internal and external advisor time, extremely costly, and limited in scale. How can you harness more actionable insight to scale your program and truly and continuously understand the cybersecurity of your third parties? Using Bitsight Security Ratings, you can see a positive impact on your TPRM/VRM program by getting more value out of what you are already doing.

Security Ratings are still a relatively new phenomenon. As a result, many security and risk professionals are still familiarizing themselves with how ratings work, the data used to compute ratings, and how ratings are put into action. We expect this education to continue: consumer credit scores are always changing and after many years, people are still constantly coming up to speed with the multitude of factors that affect their score.