It is now standard practice to assess third-party cybersecurity risk using a combination of questionnaires, document reviews, and cybersecurity ratings. While most vendors are adept at producing proper answers to questionnaires, and security program documents can be easily produced to paint a picture of a strong cybersecurity posture, many struggle to respond to the objective observations produced through cybersecurity ratings.
And while there are many organizations who respond constructively to ratings data, fixing the technical issues identified, such as exposed unsafe network services or unpatched software, and seeking to address the root cause, there is still a large majority who aggressively seek to summarily dismiss cybersecurity ratings. Since founding RiskRecon back in 2015, I have heard a lot of arguments that vendors make to excuse their poor cybersecurity hygiene.
Before talking through the arguments customers encounter from vendors regarding use of cybersecurity ratings, I submit that the main argument for cybersecurity ratings in managing third-party risk is this: objective data is increasingly essential in our new world of generative AI through which questionnaires can be easily answered and supporting documentation easily produced.
Here are the three most common objections vendors give to deflect information in cybersecurity ratings:
Argument 1: “These issues aren’t relevant because they reside in systems and networks that aren’t involved to your business with us.”
Counter Argument:
Two thoughts on this one. First, even if the issues are not in the systems or networks related to your relationship, can you trust a company that allows material issues in any of their internet-facing systems?
Second, even if the issues don’t exist in systems or networks related to your business, criminals are surprisingly adept at leveraging an initial foothold to pivot to unexpected places in an organization. Also, data tends to spread to unintended systems in organizations – file shares, employee endpoints, customer support…even S3 buckets!
Argument 2: “Cybersecurity ratings data are inaccurate.”
It is true, some cybersecurity ratings reports have incorrect data. Doing cybersecurity ratings well and accurately at the scale of global supply chains requires, among other things, correctly attributing digital assets to each company and keeping up with the frequent shifts in domain and network ownership. RiskRecon’s accuracy is periodically independently assessed, earning a certified accuracy rating of 99.1%.
Counter Argument:
Bodies of data with inaccurate information are still useful. If the data has a 3% false positive rate, there is a 97% true positive rate. Consider this example: a cybersecurity ratings report identifies five high and critical software patching issues resident in several WordPress deployments and in an SSL VPN gateway. It also identifies three unsafe network services exposed to the internet – RDPP, MySQL, and Telnet. Upon review, it turns out the telnet service exists in a system that doesn’t belong to the company. Do you ignore all the information because it contains one false positive?
Argument 3: “The ratings are meaningless grades made up by the ratings companies.”
Counter Argument:
RiskRecon’s ratings are based on statistically modeling the outside-in observable cybersecurity hygiene of real-world risk management, with the banking sector being the best and universities being the worst. Is the cybersecurity hygiene of the organization being assessed more like a bank (A/B rating) or more like that of a university (D/F rating)?
Even more importantly, it turns out that companies that manifest poor cybersecurity hygiene (D or F rating), like that of universities, have a 13x higher rate of breach events and 35x higher rate of destructive ransomware events compared with organizations that maintain clean hygiene (A rating). It makes sense. Afterall, maintaining good ratings requires, among other things, a solid vulnerability management program, strong network filtering, and strong control of shadow and forgotten IT.
Conclusion
The next time a vendor seeks to summarily dismiss findings in a cybersecurity ratings report, I recommend you consider the other side of their excuses and the implications to your risk. Even if they refuse to engage on the data, you are still responsible for managing the risk. As you well know, you can outsource your systems and services, but you can’t outsource your risk.
And in a world of Generative AI, objective information is increasingly essential to managing your risks well.
To learn more about how a cybersecurity ratings platform like RiskRecon can help you objectively validate vendor performance, request a demo.