Heidi Shey, Forrester Senior Analyst - Security and Risk, discusses Forrester’s recently released study, “Security Ratings Set the Standard.”* View this webinar to learn how:
* 91% of those using security ratings platforms find that the ROI meets or exceeds expectations
* Adoption of security ratings platforms is on the rise
* Security Ratings provide a competitive advantage
* Today’s threat landscape is as complex as it is dangerous
* Security Ratings Set The Standard, an April 2018 commissioned study conducted by Forrester Consulting on behalf of SecurityScorecard
27. Nearly 75% of Breaches are a Result of Poor Third-Party Security.
29. Limitations of Current Third-Party Risk Management Methods
• Point-in-time snapshots that fail to address ongoing changes in security posture
• Labor-intensive process that is expensive and time-consuming
• Not scalable without additional investment and resources
• Difficult to measure IT security investment
• Difficult to show due care to regulators
• Lack of executive-level reporting – inability to communicate security posture and ROI to C-level and Board
• No ability to prioritize “weakest link” third parties
• No ability to validate information given – honor system
37. What is Breach Insights?
Breach Insights quantifies the likelihood of breach (i.e. risk level) within customers’ vendor and partner portfolios using a “multiplier”, based on identifying common attributes between companies and their relevance to breach risk. It combines this “correlated” risk with uncorrelated, individual company risk.
- Common attributes can include SSC-defined issues, CVEs (vulnerabilities), and common technologies (e.g. cloud providers, 3rd-party libraries, etc.)
- Action log: the feature will prioritize actions to reduce risk across a portfolio of vendors
The feature enables predictive and prescriptive risk management and makes SecurityScorecard data actionable.
38. What Problem are we solving?
• Customers now have a way to tie our scores to real-world impacts
• Customers can prioritize which issues need to be fixed first across a portfolio (and which actions are most impactful)
• Helps companies gain prescriptive guidance from SecurityScorecard to help educate users
“This is the kind of stuff that real risk professionals are asking for”
39. Two Types of Portfolio Risk - Asset Management
• Uncorrelated Risk
  ▪ Assumes portfolio entities are independent of each other with regard to risk.
• Correlated Risk
  ▪ A single event can result in the simultaneous occurrence of many losses.
40. Uncorrelated Risk
• Breach risk is determined by the scores of the individual vendors in the portfolio.
• More vendors with poor scores means greater breach risk.
41. Accessing Breach Insights
• New dropdown on main navigation for “Analysis Tools”
• Features Board Summary, Breach Insights, and Comparison Tool
• Creates home for new analysis tools going forward
42. Breach Insights - Healthy Portfolio
• X-axis: Correlated Risk
• Y-axis: Uncorrelated Risk
• Portfolio vendors have good scores and are well diversified (low correlation of security flaws).
• Overall Assessment: Healthy
43. Breach Insights - Portfolio at High Risk of Breach
• Portfolio vendors have good diversity (low correlation) but have an excess of poor scores, resulting in high risk of multiple breaches.
• Overall Risk: High
44. Breach Insights - Portfolio at Severe Risk of Breach
• Portfolio vendors have poor diversity (high correlation) and have an excess of poor scores, resulting in higher risk of multiple breaches.
• Overall Risk: Severe
• This is an example of a silent risk that is much greater than the uncorrelated risk, associated with the scores of the individual portfolio vendors alone, would suggest.
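The following toy model is an added illustration of slides 39, 40 and 42–44 and is not SecurityScorecard’s own code or scoring method. It assumes a linear mapping from a 0–100 score to an individual breach probability, assumed per-attribute event probabilities, assumed Healthy/High/Severe thresholds, and three constructed four-vendor portfolios. The High and Severe portfolios carry identical vendor scores, so their uncorrelated risk is the same; only the shared attributes differ, which is the “silent risk” slide 44 describes.

```python
"""Toy portfolio breach-risk model separating uncorrelated from correlated
risk, in the spirit of the Breach Insights slides.

Added illustration: the score-to-probability mapping, attribute event
probabilities, thresholds and sample portfolios are constructed assumptions,
not SecurityScorecard's actual method.
"""
from collections import defaultdict
from math import prod

# Assumed yearly probability that a shared attribute suffers an event (a cloud
# provider incident, a vulnerability in a common library) that breaches every
# vendor depending on it. Attribute names are constructed placeholders.
ATTRIBUTE_EVENT_PROB = {
    "cloud:east": 0.05, "cloud:west": 0.05, "cloud:south": 0.05,
    "cloud:north": 0.05, "lib:example-parser-1.x": 0.12,
}

# Constructed sample portfolios: vendor -> (score 0-100, shared attributes).
HEALTHY = {                       # good scores, fully diversified (slide 42)
    "vendor-a": (90, {"cloud:east"}),
    "vendor-b": (85, {"cloud:west"}),
    "vendor-c": (88, {"cloud:south"}),
    "vendor-d": (92, {"cloud:north"}),
}
HIGH_RISK = {                     # same diversity, poor scores (slide 43)
    "vendor-a": (70, {"cloud:east"}),
    "vendor-b": (60, {"cloud:west"}),
    "vendor-c": (65, {"cloud:south"}),
    "vendor-d": (75, {"cloud:north"}),
}
SEVERE = {                        # same poor scores, one cloud, shared lib (slide 44)
    "vendor-a": (70, {"cloud:east", "lib:example-parser-1.x"}),
    "vendor-b": (60, {"cloud:east", "lib:example-parser-1.x"}),
    "vendor-c": (65, {"cloud:east"}),
    "vendor-d": (75, {"cloud:east"}),
}

UNCORRELATED_THRESHOLD = 0.25   # assumed
CORRELATED_THRESHOLD = 0.10     # assumed


def breach_probability(score: int) -> float:
    """Assumed linear mapping: score 100 -> 0.0, score 0 -> 0.5."""
    return (100 - score) / 200


def uncorrelated_risk(portfolio: dict) -> float:
    """P(at least one vendor is breached), treating vendors as independent."""
    return 1 - prod(1 - breach_probability(s) for s, _ in portfolio.values())


def shared_attributes(portfolio: dict) -> dict:
    """Attribute -> vendors sharing it, keeping only attributes held by 2+ vendors."""
    holders = defaultdict(list)
    for vendor, (_, attrs) in portfolio.items():
        for attr in attrs:
            holders[attr].append(vendor)
    return {a: v for a, v in holders.items() if len(v) >= 2}


def correlated_risk(portfolio: dict) -> float:
    """P(a single shared-attribute event breaches two or more vendors at once)."""
    return 1 - prod(1 - ATTRIBUTE_EVENT_PROB[a] for a in shared_attributes(portfolio))


def assess(portfolio: dict) -> str:
    """Map the two risk figures onto the slides' Healthy / High / Severe labels."""
    uncorr = uncorrelated_risk(portfolio) >= UNCORRELATED_THRESHOLD
    corr = correlated_risk(portfolio) >= CORRELATED_THRESHOLD
    if uncorr and corr:
        return "Severe"
    if uncorr or corr:
        return "High"
    return "Healthy"


def action_log(portfolio: dict) -> list:
    """Rank remediation items by expected vendors breached, largest first.
    A shared attribute contributes event_prob * vendors exposed; a vendor's own
    score contributes its individual breach probability."""
    items = [(attr, "shared attribute", ATTRIBUTE_EVENT_PROB[attr] * len(vendors))
             for attr, vendors in shared_attributes(portfolio).items()]
    items += [(vendor, "vendor score", breach_probability(score))
              for vendor, (score, _) in portfolio.items()]
    return sorted(items, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for name, pf in (("healthy", HEALTHY), ("high", HIGH_RISK), ("severe", SEVERE)):
        print(f"{name:8s} uncorrelated={uncorrelated_risk(pf):.3f} "
              f"correlated={correlated_risk(pf):.3f} -> {assess(pf)}")
    for item, kind, contribution in action_log(SEVERE)[:3]:
        print(f"  fix {item} ({kind}): expected vendors breached {contribution:.2f}")
```

Running it shows the High and Severe portfolios with identical uncorrelated risk (about 0.51) but correlated risk of 0 versus about 0.16, and the action log for the Severe portfolio ranks the shared library above any single vendor’s score, which is the prioritization the slides attribute to the Action Log.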
45. Breach Insights & Action Log
• Shows an overall Breach Risk score for a selected portfolio, both correlated and uncorrelated risk
• Action Log of top issues contributing to breach risk
• Ability to export detailed findings to CSV
48. Children’s Hospital of Minnesota Case Study
https://s3.amazonaws.com/ssc-corporate-website-production/documents/resources/ChildrensMN-Case-Study-c04-1.pdf
Children’s Hospital of Minnesota is one of the largest independent pediatric health systems in the United States, with two hospitals, twelve primary care clinics, six rehabilitation and nine specialty care sites. As a healthcare nonprofit, Children’s Minnesota is subject to HIPAA regulations and must ensure that personal health information (PHI) is secured, both at physical locations and within electronic health records and exchanges.
50. Healthwise Case Study
https://s3.amazonaws.com/ssc-corporate-website-production/documents/resources/Healthwise-Case-Study-c02.pdf
Healthwise is a global provider of consumer health content and patient education for the top health plans, care management companies, hospitals and consumer health portals. It is a non-profit organization that has been in operation for more than 40 years. Healthwise is dedicated to providing health information, decision support tools, behavior change assistance, and personal care planning for millions of people yearly. Healthwise is an essential resource that many people rely on in order to improve their lives.