This blog post has been published on the Cyber Startup Observatory blog.
At a time when some people wonder "Is it cheaper to get hacked than to invest in security?", it is important to recognize that cybersecurity is complex in many ways. In today's cybersecurity world, trends come with several levels of complexity, comparable to the nested worlds of the movie "Inception". An efficient cybersecurity posture needs to be as "simple and streamlined" as possible. However, most of the time cybersecurity is anything but simple.
- Cybersecurity is complex due to the technical vocabulary used: seen from an outside perspective, words or acronyms like "APT", "fileless attack", "sandbox" or "ROP" make no sense, particularly when cybersecurity experts tend to overuse them. Worse, hype language like "next-generation firewalls", "endpoint detection and response", "cloud access security brokers" or "user and entity behaviour analytics" adds to the opacity. Beyond the vocabulary, the fact is that it is quite difficult for cybersecurity subject matter experts to reassure non-experts that the risk of a cyberattack is limited and can be accepted.
- Cybersecurity is complex because Information Systems themselves are complex: the typical Information System of a company contains tens to thousands of computers, servers, devices, networks, cloud accesses and virtualized resources. This is the result of Information Systems becoming more and more complex in order to bring further value to the business. Only a limited number of organizations have a global map of their Information System, and this intangible octopus keeps growing because Information Systems inevitably extend to everything we are connected to: our vendors, our partners, our regulatory authorities, the Internet, etc. As the IT architecture keeps growing and evolving, it opens up a bigger attack surface for malicious actors.
- Cybersecurity is complex due to the lack of a benchmark: a cybersecurity benchmark is quite difficult to establish today, because of the multiplicity of standards combined with the absence of a global cybersecurity assessment. Most organizations focus their assessments on a specific basis and a precise scope, which is more accessible than focusing on the big picture.
- Cybersecurity is complex due to its perpetually negative language: if we try to sum up cybersecurity insights, it is always about issues, vulnerabilities, data breaches and attacks. The cybersecurity market rides on fear, where negative points are always at the top of the agenda rather than positive ones. Just look at the daily news: the sensationalist headlines always point to the latest company under cyberattack or the most recent large data breach.
Cybersecurity benchmark: a must-have
Faced with the issues mentioned above, positioning, benchmarking and building an efficient and effective action plan are extremely challenging. The mission of cybersecurity rating agencies is to provide solutions to these challenges. Leveraging an innovative approach and making the complex simple, cybersecurity rating agencies create value by providing a clear, comparative and systematic picture of corporate cybersecurity in a positive language.
At the cybersecurity rating agency, our belief is that making information accessible and clear is essential. This is done by leveraging a rating system, just like at school, where everybody knew how they had done: whether they had worked hard and done well, or slacked off. Beyond the rating itself, cybersecurity rating agencies need to rest on three pillars:
- Objectivity: all organizations have to be rated in the same way, with the same controls, scope and scale, providing an independent and objective rating system. This is what makes it possible to compare with confidence the cybersecurity of organizations within the same industry. The rating methodology must be transparent, and the scope, controls, recommendations and scale, together with detailed results, must be provided;
- Positioning: a rating only makes sense when its context is known. Cybersecurity rating agencies have to provide benchmarks to put the rating in context and position the cybersecurity of an organization within its vertical market;
- Maturing: agencies have to offer methods for an organization to grow and develop further, by following cybersecurity trends, by observing the work achieved, and in doing so gradually improving its overall rating.
Cybersecurity rating: a positive language
Cybersecurity assessment is not a new topic. Many assessments take place through different sources such as surveys, interviews, certifications, attestations, etc. However, so far the amount of resources required to conduct them remains unsatisfactory. In addition, it is important to acknowledge that they focus more on processes than on their actual purpose. Based on corroborative controls, cybersecurity rating is a simple and inexpensive way to obtain a reasonable level of trust. It also makes it possible to assess a large number of organizations, where the traditional approach has failed.
That being said, cybersecurity ratings are not the result of a global and exhaustive cybersecurity assessment, and they do not replace current practices. Based on effective controls and automated resources, the assessment draws a picture of an organization's cybersecurity, combining facts derived from compliance with standards and events derived from the reputation of its Information System. It is a rating system like any other, and at this stage it is still a fledgling one. Improvement and development will necessarily take place in the near future through standardization.
Finally, cybersecurity rating brings a way to communicate positively about cybersecurity. It enables communication about what has been achieved, rather than focusing on vulnerabilities or issues. Cybersecurity rating enables a quick assessment of any organization, to reassure our management, our teams, our customers and other stakeholders. It also enables the monitoring of thousands of vendors, including cloud providers, which will help organizations in their digitalization.
Cybersecurity rating: an essential stake of sovereignty
By nature, people need reassuring reference points. We have ratings for credit, energy consumption, the environment, products, restaurants and so many other things, and now a rating system for cybersecurity. It is inescapable: we will all be rated on cybersecurity, and the perception of corporate cybersecurity will therefore be linked to this rating. Given that, our most powerful option is to take part in improving the rating system: by using it and giving feedback in order to grow, by explaining its benefits and its limits, and by joining forces to build a common vision of what this system should look like. Finally, it is important to support a European voice in order to avoid the hegemony of a few countries. Together we need to bring the European cybersecurity rating into existence.