Cybersecurity risk rating solutions are a polarizing topic for security leaders. Among the customers we speak to, we meet promoters and detractors in roughly equal measure.
Positive client sentiment cites the ability to continuously monitor third parties, and the simplicity of a single quantifiable risk score is popular. Security leaders tell us it is an easy vehicle for starting a discussion about a vendor’s or their own organization’s security posture.
Less positively, we speak to frustrated customers and third parties that find themselves dealing with inaccurate ratings that fail to depict the true picture of the organizational security posture. This does not apply to all, but we hear the following two complaints most frequently:
- Inaccurate attribution of company assets, or data quality issues, leads to an undeservedly low score. Customers and vendors resent the time wasted disputing the rating, arguing over data quality, and bringing the rating vendors into the discussion.
- The process for disputing a rating’s accuracy is tedious, and the rating vendors hold all the power to decide whether or not to make the changes that will affect your rating, and thus your business prospects.
For detractors, the bad news is that these cybersecurity ratings are here to stay. Rapid adoption of the third-party use case, alongside increasing popularity with cyberinsurers, is pushing cybersecurity ratings toward mainstream acceptance. However, universal acceptance from the security community will require the number of providers in the market to consolidate down to a handful over the coming 2–3 years.
For providers in the market that are subject to these ratings, they are going to become a fact of life. While we have not seen an end-user customer specifically decline business based on a poor rating, we expect that suppliers to large enterprise organizations will need to be able to account for the rating they have and explain how they plan to demonstrate improvement.
Our latest report, “Cybersecurity Risk Ratings Enhance Third-Party Risk Management,” looks at how cybersecurity ratings make a third-party risk management program stronger. It also highlights the numerous challenges of current solutions. This market is still maturing, but it’s poised to be an incredibly important one in the coming years.