What’s in a security score?

Apparently a lot, as companies seek to vet third-party providers and cyber insurers look for predictors of breaches.

Fair Isaac Corp., the company that issues credit scores for individuals, was tired of other analytics companies developing security scoring tools for businesses and then proclaiming themselves “the FICO of security scores.”

So in May, FICO upped its own scoring game. It acquired cybersecurity firm QuadMetrics to create its own brand of security scores for enterprises. The new scoring tool, available in August, uses predictive analytics and security risk assessment tools to issue scores and predict a company’s likelihood of a significant breach within the next 12 months, compared to other firms.

“Our own cyber breach insurance underwriters commented how great it would be if there was really a FICO score on this for the underwriting process,” says Doug Clare, vice president of cybersecurity solutions. The company had already invested in cybersecurity detection technology that assesses network traffic, and it saw the addition of QuadMetrics as “the right opportunity at the right time,” he adds.

Indeed, enterprises are eager for an accurate, easy-to-understand indicator of a company’s security posture, but are today’s enterprise security scores ready for prime time? BitSight Technologies, SecurityScorecard, and startups RiskRecon and UpGuard, to name a few, already offer security scoring. Another group of vendors monitors and scores the security of cloud providers, including eFortresses, Elastica, Netskope and Skyhigh Networks.

The market for security scoring tools and services is so new that research firms haven’t yet assessed its growth potential, but companies like BitSight report a 60 percent increase in customers in the first half of 2016, and sales have tripled over the first half of 2015.

Security scores are used by cyber insurance underwriters to evaluate a company’s potential risk, by companies to evaluate the cyber-risk posture of third-party vendors and partners, and by senior executives to explain a company’s cyber risk to its board of directors with an easy-to-understand rating.

“The third-party risk management is the one we see growing the most rapidly,” says Jeffrey Wheatman, research director, security and privacy, at Gartner. “We think that at some point in the near term, a cybersecurity score will be as important as a credit score when organizations look to sign up for a partnership.”


Nearly two-thirds of IT decision-makers surveyed by Forrester Research believe that continuous third-party monitoring would improve their ability to screen vendors based on risk. Almost 80 percent say that their top IT priority is ensuring that business partners and third parties comply with their security requirements.

What’s in a security score?

Security professionals have some concerns, however, about whether a single score can capture all the nuances of a security program, whether score issuers are comparing the same security metrics to produce a score, and if companies can even be compared to one another given that no two networks are the same.

“Cyber risk is literally a living organism that keeps changing every day,” says Mary Galligan, director of Deloitte’s security and privacy practice. “The execution of how to [use analytics to assign a score] is extremely complicated, but a score could be a good baseline as long as apples are being compared to apples.”

The biggest security-score providers only analyze a company’s security posture using externally accessible data that they don’t need permission to acquire. That also means that companies could have a security score without even knowing it.

Most score issuers rely on publicly available data on known vulnerabilities to a company’s current network, web applications and endpoint security. Underground hacker groups and Dark Web chatter are monitored for malicious activity. Scores can also take into account the company’s reaction time to patch known vulnerabilities and the number of leaked company credentials being circulated by thieves and hackers.

For an additional cost, some providers offer tools that can be placed inside the firewall to collect more data on activity within the network. “It won’t necessarily improve your score, but it will make it more accurate as far as details,” Clare says.

The real differentiator, or “secret sauce,” is the vendor’s depth of collected data and the analytics it uses to come up with a score, which can be hard to discern.

“Are the tools perfect? No. Are they better than nothing? They are. The issue is, they’re not really that transparent about how they do what they do,” Wheatman says.

Security-score providers use their own unique scales. BitSight security ratings, for instance, range from 250 to 900, with higher ratings indicating a positive security posture. SecurityScorecard issues a letter grade A through F based on 10 security categories, and QuadMetrics scores range from 0 to 300. The new FICO/QuadMetrics offering will have a scoring range of 0 to 900 to allow for more detailed results, Clare says.

Despite differences in scoring methods, a handful of Gartner clients who received demo scores from various vendors found that they generally yielded the same results, Wheatman says.

Algorithm tweaks can change a score significantly

Companies have reported that as algorithms are updated, scores can fluctuate wildly. “They’re constantly re-evaluating the way they do their scoring. I spoke with a customer two months ago. BitSight changed its algorithm, and their score dropped 80 points. They were mad,” Wheatman says. Significant score changes trigger an alert that is sent to any organization that’s monitoring that company’s security posture, and it can cause needless concern, he adds.

Most scoring services will license or sell the scores of industry peers to a company so that it can compare its security practices to others in the same market. Contracts usually prohibit companies from publishing the scores of other companies, but there are no guarantees.

FICO has no such clause in its contract right now. “What we have is an ability for organizations to opt out and say ‘I don’t ever want to be scored,’” Clare says. Companies that haven’t opted out are fair game. “If we saw some kind of abuse there, that would be an interesting consideration, but up to this point we haven’t seen it.”

Insurance companies have licenses with score providers for the underwriting process. The company applying for cyber insurance has no say in what provider issues the score.

“If you get a bad score and you don’t agree with it, there’s not really a good mechanism to appeal that right now. That is something that needs to be addressed,” Wheatman adds.

Clare says a low score is often due to unrelated assets that are lumped into a company’s external profile, such as those with a similar company name or acronym. “There are ways of remediating that in the process,” he adds.

Will there be a Big Three?

Just as Experian, TransUnion and Equifax have become the primary credit score providers, will the current pool of enterprise security score providers be whittled down to just a few?

“It could go that way,” Wheatman says. “It’s likely that a cyber score will become as important as other scores, so other rating agencies need to build or acquire this technology. It’s too early to determine what the landscape is going to look like in even two years, let alone five to seven years.”
