The Business Case for Investing in a Security Ratings Platform

Data breaches caused by third-party vendor relationships are on the rise. Can your organization truly afford to do nothing?



Cyber-attacks can be costly to businesses in a number of ways. Data loss. Operational downtime. Incident recovery. Shareholder and customer lawsuits. Regulatory fines. Reputational damage.

On average, the total cost of a data breach is more than $7 million for U.S. companies, according to a 2017 study conducted by Ponemon Institute.

Many breaches result from third-party vendor relationships, and these types of attacks are on the rise. According to the Verizon 2017 Data Breach Investigations Report, 75% of breaches are a result of issues around third-party security, up from 70% last year.

Unfortunately, most assessment techniques used to determine a business partner’s cyber readiness are point-in-time and only express a vendor’s cyber health at a particular moment. The problem with these types of audits is that a vendor’s cyber posture can change overnight due to system and network modifications.

“Ultimately, it comes down to mitigating risk,” said Bill Hogan, Chief Revenue Officer at SecurityScorecard. “We know from experience that companies will get hacked, breaches will occur and the reality is that they have to be prepared to respond. But if you can reduce your organization’s third-party risk and lessen the likelihood of a breach, you also stand to save the organization a substantial amount of money that would otherwise have gone toward remediation.”

A security ratings platform can help companies to continually monitor and respond to changes in the cyber health of their vendor ecosystems. A platform that has machine learning capabilities can enable CISOs and security teams to reliably predict risk, correctly attribute findings, and accurately calculate each partner’s security score.

Despite these and other benefits, you still need to be able to cost-justify the investment to your company’s CFO and executive committee.

In this white paper from SecurityScorecard and HMG Strategy, you’ll discover:

• A step-by-step approach for building a business case for a security ratings platform.

• A dissection of the cost of doing nothing.

• Examples of companies that have benefitted from the deployment of a security ratings platform, including a breakdown of the cost benefits that have been achieved.


The Threat Landscape is Dangerous and Evolving

Sixty percent of North American enterprises acknowledge they have had at least one form of cybersecurity breach in the past year. And while most organizations have vendor or third-party risk management frameworks in place, few are sufficient to provide executives with a continuous assessment of the vendor ecosystem, according to a recent study conducted by Forrester Consulting on behalf of SecurityScorecard.

Source: 158 North American enterprise security and compliance technology decision makers in a commissioned study conducted by Forrester Consulting on behalf of SecurityScorecard, March 2018.


Building the Business Case

New and emerging cyber threats continue to become more sophisticated, making it increasingly difficult for cybersecurity teams to keep pace. For instance, the frequency of ransomware attacks more than doubled in 2017, according to a study by Accenture.

Meanwhile, the shortage of qualified cybersecurity professionals continues to intensify, making it increasingly difficult for companies to identify and address potential vulnerabilities. According to an annual study conducted by ESG, 51% of respondents in North America and Western Europe claimed their organization had a ‘problematic’ shortage of cybersecurity skills, up from 45% in 2017 and more than double the 23% of organizations that suffered from acute skills shortages in 2014.

With the threat landscape expanding faster than cybersecurity teams can respond, this ‘perfect storm’ of cybersecurity challenges is making it extremely difficult for cyber teams to stay ahead of emerging threats, including those that are inadvertently generated by third-party partners.

The skills gap faced by cyber teams is one of the ways in which CISOs can cost-justify the use of a real-time automated security ratings platform. Connections with multiple business partners can result in unanticipated cyber threats that can make your company vulnerable. Without enough hands on deck to track the cyber readiness of vendors and third-party partners, the organization needs a security ratings platform that can continuously track changes in each vendor’s cyber readiness.

Without a security ratings platform, substantial personnel costs are incurred to manually monitor, audit, log, and remediate vulnerabilities, to say nothing of the financial and reputational impact incurred by companies that have been breached.

Case in point: the 2013 security breach against Target, which exposed the records of 70 million people and the payment card data of more than 41 million customers, was caused by a spear phishing email that targeted an HVAC vendor in Target’s supply chain. The attack resulted in a 46% drop in operating profit for Target in the year after the breach, the resignation of its CEO and $18.5 million in lawsuit settlements.

Traditional Security Assessments Fall Short

Even with a full battery of available cyber personnel, each vendor’s cyber status is constantly changing – posing unforeseen threats to your organization.

Most vendor security assessments are point-in-time exercises. This means that while the information that’s captured may be accurate at that moment, a vendor’s network configuration and other aspects of cyber readiness can change overnight.

There are a few steps that can be taken to validate a partner’s cyber readiness. However, they each have their shortcomings. For instance, one or more members of your company’s information security/audit teams can travel to a vendor’s site to visually inspect their data center for its security provisions. However, this is a costly and time-consuming exercise, and the security protections that are in place for a data center during an audit can quickly be disrupted afterward.

“Traditional vendor assessment techniques are labor-intensive, they aren’t sophisticated and they don’t scale to the enormity of the challenge that’s facing most cyber teams,” said Hogan.

CISOs can break down the costs involved in conducting on-site audits, including travel and personnel costs, along with the gaps that remain after the audits are complete.

Providing a Baseline – and More

Another benefit to using a security ratings platform is that it enables CISOs to provide other executives and board members with a fair and accurate portrait of the company’s security posture across ten risk factors. This includes up-to-the-minute security ratings on each connected vendor. “The platform provides executives with a predictable, non-intrusive approach for assessing the vendor ecosystem and to visualize any challenges that are looming,” said Hogan.

There are multiple metrics and approaches that can be used to cost-justify investing in a security ratings platform. In the next section, we’ll examine how Farm Credit Mid-America, a leading agricultural lending cooperative in the Midwest, has obtained impressive operational benefits from its use of SecurityScorecard.

Traditional vendor assessment techniques are labor-intensive. They aren’t sophisticated, and they don’t scale to the enormity of the challenge that’s facing most cyber teams.

-Bill Hogan, Chief Revenue Officer, SecurityScorecard

On average, the total cost of a data breach is more than $7 million for U.S. companies.

-Source: 2017 study conducted by Ponemon Institute.


Security Ratings Provide a Competitive Advantage

Respondents to the Forrester Consulting/SecurityScorecard study overwhelmingly rated the ROI of security ratings services at or above their expectations. Security scores have been shown to boost threat intelligence, security posture, business resiliency, and the prioritization of new security investments.

Source: 158 North American enterprise security and compliance technology decision makers in a commissioned study conducted by Forrester Consulting on behalf of SecurityScorecard, March 2018.


Case Study: Automated Security Assessment Engine Helps Farm Credit to Optimize its Resources

Farm Credit Mid-America is one of the largest agricultural lending cooperatives within the U.S. Farm Credit System, with over 1,100 employees and more than 100,000 customers across Indiana, Ohio, Kentucky and Tennessee.

As part of the U.S. Farm Credit System, Farm Credit Mid-America is subject to the rules and regulations put forth by the Farm Credit Administration (FCA). With regard to cybersecurity, FCA has recommended that its institutions follow cybersecurity guidelines from the Federal Financial Institutions Examination Council (FFIEC), including:

• Managing connections with and to third-party vendors.

• Engaging boards of directors and senior management to ensure they understand their institution’s cybersecurity risks.

• Monitoring and maintaining sufficient awareness of threats and vulnerabilities throughout the organization.

The Challenge

While Farm Credit has become increasingly attuned to the importance of monitoring the security posture of third parties, one of its primary concerns is that vendors that are not subject to the same or similar regulatory oversight as Farm Credit may not set as high a standard on security, said Mike Everett, Chief Security Officer and Assistant Vice President of Database Systems for the company.

Like many other companies faced with the challenge of managing vendor risk, Farm Credit started with an in-house process that was simple and familiar enough to incorporate: an assessment questionnaire. The questionnaire was sent out to each existing vendor to gauge their security status and to each new vendor as an added level of diligence before a new vendor started doing work for Farm Credit.

However, this approach had several shortcomings.


Ineffective Use of Resources. In most cases, security personnel who are assigned to the upkeep and management of assessment surveys from vendors are not solely dedicated to this role. This means, in nearly every single instance, that a highly qualified and highly paid security professional is now spending a significant portion of their time performing administrative functions.

At Farm Credit, three experienced security engineers were burdened with tasks such as sending out reminders to vendors that had not yet filled out their assessment, said Everett.

Only Reflective of a Point in Time. Simply put, the obvious flaw in a point-in-time assessment is that it only reflects the security maturity of an organization at that moment. A secure vendor could quickly become a problematic one as a result of a breach or a change in its network configuration. On the other hand, a vendor could remediate a few of its security holes and drastically reduce its risk landscape. Either way, executives at Farm Credit felt they had no real-time visibility into the company’s growing number of connected vendors, said Everett.

Perhaps Not Even Reflective. Another rarely discussed wrinkle in the point-in-time security assessment is that it is inevitably colored by the vendor’s desire to keep the client’s business. Even the most responsible, forthcoming vendor has a sales team, a general counsel or an account manager who can quickly shift the conversation from “How should we disclose this?” to “Should we disclose this?” The result of the well-intentioned vendor partner with too much prep time available is an assessment that’s riddled with ‘Not Applicable’ responses with little-to-no information that would allow for a substantive assessment.

Faced with the growing reality that a vendor survey wasn’t the right fit, the Farm Credit team set out on a mission to find a solution that would enable them to continuously monitor the company’s vendors in an efficient manner.


The Solution

By adopting the SecurityScorecard platform, Farm Credit could finally proactively monitor all of the company’s connected third-party vendors. Additionally, other departments that rely on Everett’s team for vendor approval have experienced a substantial improvement in feedback and turnaround time for vendor approvals.

As the firm’s ecosystem of connected vendors continues to grow, the platform’s real-time and continuous monitoring capabilities have enabled Everett and his team to identify specific security areas or issues that need remediation.

In addition to improving the velocity of vendor onboarding, Everett is now able to provide regular vendor risk reporting – not only within his department but also across the company and to the firm’s internal governance committees and external regulators.

The Results

The SecurityScorecard platform has dramatically expanded the capacity of Farm Credit’s security team while substantially improving the new vendor experience for other department heads. Automated monitoring also allows Everett to keep track of Farm Credit’s attack surface while ensuring his team stays abreast of potential issues.

When assessing new third parties, Everett’s team uses SecurityScorecard to identify problematic vendors, while providing alternative options through the platform’s vendor comparison tools. The platform’s real-time monitoring and notification tools ensure the team is always aware of changes within their portfolios.

Other departments that rely on Farm Credit’s security team for vendor approval have experienced a substantial improvement in feedback and turnaround time for vendor approvals.


Next Steps

A cyber-attack can impact your business in multiple ways. It can result in the theft of customer information, the erosion of customer trust, business disruption, loss of sales and a reduction in profits.

To guard more effectively against cyber-attacks and help manage your company’s risks, CISOs and other organizational leaders responsible for risk should begin by developing a strategy for using a security ratings platform to monitor and manage the vendor ecosystem.

“The things that CISOs and CFOs should think about regarding using a security ratings platform is how do you manage and rank your risk right now,” said Hogan. “The overall cyber posture of your company must quantify risk and your vendor ratings methodology is part of what will define your organization.”

By clearly communicating to members of the executive steering committee the financial and brand impact of a security breach, along with the personnel costs associated with manual assessment techniques, CISOs can make clear why investing in a security ratings platform makes good financial sense.

“An increasing number of companies have security ratings platforms and services in place as part of their enterprise cybersecurity strategies,” said Hogan. “Another way to help cost-justify an investment in a security ratings platform is to emphasize how it can help the company improve its visibility against cyber threats and improve its security posture relative to its competitors.”


About SecurityScorecard

SecurityScorecard helps enterprises gain operational command of their security posture and the security posture of their third parties through continuous, non-intrusive monitoring. The company’s approach to security focuses on identifying vulnerabilities from an outside-in perspective, the same way a hacker would. For more information, please visit: www.securityscorecard.com

To receive an email with your company’s current score, please visit: instant.securityscorecard.com

About HMG Strategy

HMG Strategy is the world’s foremost provider of pioneering networking events and thought leadership to support the 360-degree needs of CIOs, CISOs, and other technology executives. HMG Strategy’s regional CIO and CISO Executive Leadership Series, newsletters, authored books, and Resource Center deliver proprietary research on leadership, innovation, transformation, and career ascent. The HMG Strategy global network of 300,000-plus senior technology executives, industry experts and world-class thought leaders is the strongest, most trusted network of executives. Additionally, partnerships with the world’s leading search firms provide vital insights into the evolving role of the CIO and CISO.