Cybersecurity rating, a performance lever for organisations

By François Gratiolet
In the absence of objective benchmarks, it is difficult for a company executive to assess the cybersecurity maturity of their organization. Yet the performance of any organization, its finances and its reputation can suffer heavily from a single flaw or an ill-managed crisis. In the future, through cybersecurity rating, everyone will be able to assess more accurately their exposure to cyber risk and their ability to cope with an incident, and to discover new levers of performance.

Organizations, both private and public, face an increasingly high level of cyber threat. Today, their maturity in the face of these new risks varies enormously. Their executives, even though media headlines have made them fully aware of the risk, still struggle to evaluate their cybersecurity performance. In the absence of objective criteria shared by many players, and of benchmarks built on them, business leaders and cybersecurity professionals lack points of reference.

In response to this shortcoming, rating firms have emerged in the US with the task of assessing the cybersecurity level of organizations. In Europe, CYRATING has just launched the first initiative with a pan-European ambition.

Cybersecurity ratings can enhance cybersecurity across an ecosystem of business partners, and should also help each organization perform better overall. Recent examples have further shown that poor cybersecurity management can undermine the smooth running of an established and strong business, its financial performance or, worse, its reputation.

For example, Deloitte has just paid the cost of a data leak. For this global player, which regularly provides recommendations on best practices within organizations, this crisis, and the way it has been managed, is likely to permanently damage its image. Saint-Gobain, recently the victim of an attack that paralyzed one of its factories for several days, said it suffered a negative impact of 65 million euros, or 4.4% of its first-half earnings. Finally, the Equifax case is even more resounding. This American credit-risk company has been the victim of a massive data leak affecting potentially 140 million customers (about 44% of the US population). Its stock market value dropped by a third in one week, and it now has to deal with a multitude of legal proceedings.

These crises, which were not avoided, now constitute textbook cases insofar as they were poorly managed, simply because the organizations involved were not prepared to deal with them. In the case of Equifax in particular, it was revealed after the crisis that the company's level of cybersecurity had been assessed a few weeks earlier by a rating agency, which gave it an "F" rating for application security. Did Equifax's executives even know about this rating?

These stories reveal, on the one hand, that no one is safe from attack and, on the other hand, that protection and preparedness for crisis situations must be approached methodically, based on objective criteria. In this context, every executive should view cybersecurity rating as an opportunity. It allows them, first, to assess their organization's level of maturity against these stakes and risks, and to compare it with peers and with the standards established in the field. It also allows each organization to evaluate its subsidiaries, suppliers and partners, with a view to improving risk management.

With a rating, and depending on the strengths and weaknesses it reveals, organisations will have an objective basis on which to allocate their resources more effectively and so manage risk better. With that knowledge, each of them will be able to pull the levers that improve their cybersecurity posture. And with better-targeted investments, to close the loop, it is the overall performance of the company that improves.