Organizations are always looking for ways to distinguish themselves from the competition. According to Porter’s generic strategies, these competitive advantages take the form of either price or product/service differentiation and a focused or broad scope. In 2022, with the rise of stakeholder capitalism, we are seeing a rise in other factors that might augment Porter’s original model. Environmental, social, and corporate governance (ESG) concerns are an ever-present agenda item at board meetings and often reflect this stakeholder perspective.
Institutional investors, and increasingly individual investors, want to invest in companies with practices that align with their values. Increasingly, this includes the proper care of data. Cybersecurity concerns fit squarely under the corporate governance component of ESG. Ratings agencies such as Moody’s have built ESG rating methodologies and are doing the same for cybersecurity. Indeed, Moody’s has publicly stated that the management of a firm’s cyberrisk using quantitative methods (known as cyber risk quantification or CRQ) is “credit positive” in their view, a statement that means they view the cybersecurity as being impactful to a company’s credit rating as cyber incidents typically have severe costs associated with them.
Companies have added cyber reputation management practices to their cybersecurity organizations to manage these public cyber ratings. Several firms provide services in the security rating category, each with its own models and algorithms. Cybersecurity teams subscribe to one or more of these services to manage the data used in such ratings. They also subscribe to monitor their ever-growing list of third parties and look for weaknesses that might bring about cyber incidents. Proxy advisors use these same rating services to supplement financial data in annual proxy statements. Other use cases include cyber insurance underwriters looking for evidence-based reasons to reject applications and assist clients in improving their control environments.
At the core, such practices increase trust in the digital economy. Credit ratings are an apt model for implementing trust models. Like corporate credit ratings, they can be done with or without involvement from the rated entity. They can also be made available to the public (like a security rating). In-depth analyses can also be done and shared privately (think of this as a pen test or security assessment). Finally, these ratings can be displayed publicly by organizations that are proud to show off their performance through web badges that customers can click to see what the issuing security rating company scored that company.
Naturally, organizations that want to optimize their digital trust profile must understand which controls and processes need to be optimized. While focusing on all the controls is a strategy, it’s not an exceptionally optimized approach. Security rating models are designed with parsimony in mind, gathering data from external data. So instead of measuring everything, these ratings work to find a high correlation between control states (and more importantly control states over time) and security incidents. For example, this approach makes assumptions about the state of an organization’s vulnerability management processes based upon extrapolations from external metrics about how vulnerabilities are managed. Cyber reputation management groups may require specific internal priorities to controls that are measured this way to ensure their digital trust profiles are kept high. Because the metrics used to derive such ratings change over time, these programs must adjust and provide feedback to other security groups.
As the profession of cybersecurity continues to mature, it inevitably will borrow from other disciplines that have developed mature practices. In this, the credit rating profession has much to offer cybersecurity as it attempts to bolster its digital trust profile and capabilities. Historically, credit ratings were resisted but later embraced because of their consistency and predictability. The same is happening with cyber ratings, and today many more firms are participating with the rating agencies than resisting. For consumers of these services, it’s another benchmark that can be used to help inform the risk-based decisions about with whom they should do business. As the marketplace matures its expectations around digital trust, independent security ratings will be a hallmark of mature security practices.
About the author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC, is VP and Head of Cyber Risk Methodology for BitSight, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.