Promote cybersecurity rating of organisations

By François Gratiolet
Private and public organisations have everything to gain from having their cybersecurity performance objectively assessed. A rating should enable them to compare themselves with their peers in the same industry, to pinpoint their cybersecurity issues, and above all to identify the levers for improving their cybersecurity performance. On this basis, it will be easier for every organisation to develop relationships of trust with "secure" partners.

For ages, human beings have wanted to measure everything, to rate, to compare. From our earliest childhood, our academic skills are constantly evaluated. We can compare ourselves with the other students in the classroom, but above all we can estimate our level of knowledge at each stage of our schooling. Organisations themselves are constantly evaluated. They are judged by rating agencies on their financial performance, their exposure to risks and the size of their environmental footprint. Buildings are given scores to determine their energy performance. At every level, standards are laid down.

Jump into a virtuous cycle

Everything is scored or rated, for very good reasons. Ratings make it possible to compare oneself with others and to position oneself against existing standards or practices, in order to better embrace the possible improvements. Well designed, a rating system puts organisations on a virtuous path.

Considering the current cybersecurity challenges faced by all kinds of organisations, it is not surprising to see more and more agencies whose mission is to assess the maturity level of organisations and to rate them.

Guarantee a sufficient level of cybersecurity for each organisation

We can be happy about this. Each organisation should even want to see its cybersecurity effectiveness assessed by an independent and transparent body. The risks to which every private or public organisation is exposed are huge. Even if an organisation claims to have no sensitive data to lose (and I challenge it to prove it), its systems could still be compromised by a cybercriminal for malicious purposes. To respond to this threat, everyone must therefore ensure a sufficient level of cybersecurity. Every organisation must also be part of a continuous improvement process. It is therefore important to be able to evaluate one's organisation's cybersecurity performance and to compare it with existing best practices.

Ratings to build trust

Cybersecurity is also an important factor in establishing a relationship of trust among business partners. Tomorrow, with the emergence of a widely shared scoring system, organisations will more easily build strong partnerships based on objective data. Saying that one is the best is no longer enough. It is necessary to be able to demonstrate the effectiveness of the controls in place to protect the organisation, its systems and the data it handles. For cybersecurity executives, ratings also make it possible to better prioritise efforts and allocate resources adequately. If, tomorrow, a cybersecurity manager can show that the company is lagging behind its competitors, he is more likely to be listened to and to get more budget.

The tsunami of recent massive data breaches now requires organisations to manage their cybersecurity in a more effective and continuous way, and argues for a robust rating system.

Facilitate transparent ratings starting from Europe

A few US-based rating providers have already started to assess the cybersecurity performance of our European organisations. However, the principles and standards of this discipline are not yet clearly established. In addition, as Europeans, we want cybersecurity ratings that take into account our particular sensitivities regarding data protection. We cannot leave the cybersecurity rating of our organisations to foreign actors. Our technological sovereignty is at stake.

We therefore advocate the establishment of a transparent rating system, with agencies rooted in the European Union, to evaluate our private and public organisations. This rating system must be based on specific criteria, assess cybersecurity best practices, and respect widely shared standards. It must be built now, for the benefit of our economy, our society, and the safety of all.