Cyber risk rating companies generally work by identifying all internet domain names and addresses associated with an organization and querying those for potential vulnerabilities such as weak SSL protocols. Until now, organizations have been given a single risk rating that reflects all findings across all internet properties.
Enterprise analytics allows organizations to delineate findings by domain names or geolocation of IP addresses, and then assign those findings to specific parts of their enterprise.
Image source: BitSight logo
“BitSight Enterprise Analytics provides confidence to executives through data. It helps our customers gain insight into risk concentration and changes in potential risk impact throughout their organization over time to help them continuously monitor cybersecurity posture, measure security program performance and allocate limited resources to focus on the areas that will have the greatest impact on their cyber risk management programs,” claims Dave Fachetti, SVP Corporate Strategy & CMO of BitSight.
At Info-Tech Research Group, we encourage companies to review their cyber risk ratings in order to fix any problems that may reflect poorly on them. However, the value of risk ratings for deep insight into internal information security is questionable. This is especially true at the enterprise level, where most large organizations should already have mature vulnerability assessment and other audit processes that can probe much deeper than the current state of cyber risk ratings.
Dark web monitoring for supply chain risk is becoming a mandatory feature for cyber risk ratings providers. Panorays’ latest press release shows that it is catching up to the big players.
Normshield recently announced that it has licensed the FAIR model to allow customers to quantify supply chain security risk in terms of financial impacts. It is innovative, but is it useful?
Panorays has announced a partnership with Shared Assessments to provide Panorays customers with access to the Standard Information Standard (SIG) questionnaire. This is an innovative offering but may prove to be a mixed blessing.
SecurityScorecard has announced the availability of new professional advisory services to help customers consume its vendor cyber risk rating product. In doing so, it is tacitly admitting that risk ratings are not the easy solution they’ve been hyped to be.
RiskRecon and RSA have announced a partnership to bring RiskRecon’s third-party risk rating services to RSA’s Archer Governance, Risk and Compliance (GRC) system. This should be a welcome move for Archer customers.
BitSight, one of the leaders in cyber risk rating, has announced a new product to allow organizations to benchmark against their peers. Dubbed “Peer Analytics,” this service will interest companies where benchmarking is a compliance obligation.
SecurityScorecard, a leader in vendor cyber risk rating, has announced an initiative to help non-profit organizations with third-party risk management. Named Project Escher, this initiative demonstrates SecurityScorecard’s commitment to the non-profit sector.