Yesterday a CISO in the insurance space asked me what I thought about looking at something in an audit report like a SOC 2 vs. something from a ratings vendor like SecurityScorecard or BitSight . . .
The fact is, 90% of security teams are doing some sort of due diligence on third parties. For anywhere from 10–30% of the vendors they care about they’re reading SOC reports, asking for pen tests and painstakingly analyzing 20-, 50-, 100- or 200-question questionnaires. And they’re getting value from that — they’re finding areas that need work and issues that could lead to a breach, and they’re following up and trying to do something about it.
But this process is fraught with problems. It’s too slow, can’t scale and requires a level of engagement from the vendor that’s frequently lacking. Security teams are left with huge gaps in visibility and are stuck delivering information too late in the game to make enough difference.
So what about the other 70–90% of vendors they care about but just don’t have time to perform due diligence on? Well for many security or risk teams that’s where the security ratings vendors come in.
As CISOs widely point out, the processes these tools utilize to determine ratings are questionable and their results commonly lack relevance or accuracy.
So why are they used? The head of risk at a global financial services company gave me an answer to that question that sticks with me:
“They are better than nothing.”
While I am sure many CISOs will still contend with that answer, in a world where dozens, hundreds, in some cases thousands of vendor relationships just can’t be meaningfully assessed due to the practical limitations in doing so, the ability to quickly pull some data on a company, hand it to a buyer and say ‘ask them to fix it,’ is a big deal. Now, if an auditor, risk committee, regulator or partner asks them what they’re doing about third-party risk, they have at least one leg to stand on, whereas before they had none.
Regardless of whether that’s security theater or a valuable reminder for a buyer and a third party to at least think about security, the underlying need is clear:
Companies need to be able to assess third-party cyber risk at a speed and scale that just can’t be accomplished by collecting surveys and reading documents AND provide a level of intelligence, insight and accuracy that can’t be accomplished with security ratings.