With enterprises critically dependent on such large and complex supply chains, traditional methods of managing third-party risk simply do not provide the timely, accurate information necessary to scale at business speed. In the face of these realities, what are the protectors of enterprise assets and supply chains to do?
A big part of the answer lies in data. In operating on the Internet, companies cannot help but reveal the quality of their cybersecurity risk management. It shows in their systems, their applications, the signals they emit to the Internet, and the breach events they incur. We at RiskRecon, as a leading provider of cybersecurity ratings and insights, claim that opensource intelligence-based assessments of your vendors and partners enables better risk decisions.
The obvious question is: Does OSINT-based assessment data enable better third-party risk decisions? We engaged Cyentia to answer this question. Of course, Cyentia (or anyone for that matter) does not know the actual risk management quality of a company, so they came up with an objective proxy for what good risk management looks like – the rate of high and critical severity issues in systems that collect sensitive data.
With this proxy in place, Cyentia put their data science magic to work against tens of thousands of companies to see how powerful four different data scenarios were in predicting the rate of high and critical severity issues in the high value systems of each company. They started with just industry information, added additional firmographic information for the next scenarios, and for the final scenario added in the RiskRecon assessment information. In doing so they of course excluded information related to the findings they were seeking to predict.
At the risk of spoiling the paper, I will say this – it is in fact true that OSINT cybersecurity assessment data is very useful in predicting which companies manage risk better. Basic firmographic information, while useful in comparing one industry to another, is not useful in assessing the risk quality of a specific company. The OSINT cybersecurity assessment data has a 21.7-times greater predictive power than does basic firmographics.
It boils down to this – do you want to do business with vendors and partners who maintain a low rate of high and critical severity issues in their sensitive systems? A broad spectrum of firmographic information won’t give you the answer. The data behind our cybersecurity ratings will. It will help you manage your third-party and supply chain risk better and faster.
Download our Uncertainty to Understanding report to get the full details of our research.