© 2018 FORRESTER. REPRODUCTION PROHIBITED.
Security Ratings And Your Security
Program
Heidi Shey, Senior Analyst
Heidi Shey
SENIOR ANALYST SERVING SECURITY & RISK PROFESSIONALS
Heidi serves security and risk professionals with solutions for data security and privacy as well as
security architecture and operations. Her research focuses on sensitive data discovery and
classification; data loss prevention; cybersecurity and privacy policy and regulatory concerns;
customer-facing breach notification and response; consumer security; cyber insurance; and
eDiscovery. She also focuses on data-driven topics such as security spending and the costs of a data
breach.
Heidi holds a B.A. in economics and studio art with honors from Wellesley College and an M.S. in
cybersecurity policy from the University of Maryland. She is also a Certified Information Systems
Security Professional (CISSP).
Phil Marshall
Director, Product Marketing
Phil Marshall is a security industry veteran with more than 17 years of experience in both network and
data security. At SecurityScorecard, he oversees the company’s go-to-market strategy in partnership
with the product management organization. Prior to joining SecurityScorecard, Phil worked at security
firms Black Duck, Cryptzone, Rapid7, and RSA.
Phil earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of
Business at Babson College.
Enterprise security and third-party risk management
(The struggle is real)
Firms face common operational challenges
› Changing/evolving nature of IT threats: 73%
› Complexity of our IT environment: 69%
› Lack of visibility into our partners: 64%
› Reporting relevant security and risk metrics to the business: 62%
Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018
Base: 158 North American enterprise security and compliance technology decision-makers
5© 2018 FORRESTER. REPRODUCTION PROHIBITED.
Technical challenges dominate budget focus
Data
Network
Identity
Endpoint
Application
60% of companies had their sensitive data breached in the past year
"How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?"
› 0: 39%
› Once: 12%
› Twice: 24%
› 3-5: 16%
› 6-10: 4%
› 11-25: 4%
› >25: 1%
› Don't know: 1%
Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018
Base: 158 North American enterprise security and compliance technology decision-makers
Data breaches come in a variety of forms, whether internal, external, or from the partner ecosystem
"Which of the following types of security breaches has your organization been subject to in the past 12 months?"
› External attack targeting our organization: 58%
› Internal incident within our organization: 52%
› Attack or incident involving our business partners/third-party suppliers: 49%
› Lost/stolen asset: 7%
Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018
Base: 96 North American enterprise security and compliance technology decision-makers who have had a security breach in the past year
Third-party partner missteps are your missteps too
› [unnamed] - Workplace Privacy Report, April 8, 2018
› [24]7.ai - Star Tribune, April 5, 2018
› Genpact - CSO Magazine, April 5, 2017
10© 2018 FORRESTER. REPRODUCTION PROHIBITED.
Breach costs vary
11© 2018 FORRESTER. REPRODUCTION PROHIBITED.
Most organizations have frameworks and technologies in place to measure and track vendor risk management/ecosystem risk
"Which of the following best describes your company's current approach to the way vendor risk management/ecosystem risks (VRM) are managed, communicated, and reported across the company?"
› No formal processes or tools are used to identify and manage ecosystem risk: 1%
› We manually identify and manage ecosystem risk and concerns as issues arise: 11%
› We have established processes and technical capabilities for identifying and managing ecosystem risks: 31%
› We have a well-defined framework that consistently tracks and measures ecosystem risks and uses metrics to connect IT to the business: 46%
› Ecosystem risk management processes are considered a critical business imperative at all levels of the organization: 11%
› Don't know/not sure: 1%
Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018
Base: 158 North American enterprise security and compliance technology decision-makers
But there is room for improvement…
"Which of the following best describes your company's process for vendor risk management (VRM)?"
› Continuous monitoring solutions connected to vendor systems: 40%
› Periodic audits of third-party systems: 32%
› Annual or semi-annual questionnaires sent to vendors: 26%
Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018
Base: 158 North American enterprise security and compliance technology decision-makers
The role of a security ratings platform
How security scores and ratings affect your firm
› Aids insurers in setting cyberinsurance policy rates
› Helps business leaders evaluate M&A opportunities
› Assists board members' review of consistent risk metrics (including third- and fourth-party risk)
› Helps your partners assess the risk of working with you
Ratings are used to identify, measure, manage, report, and provide education around risks
"How do you use security ratings?"
› To identify and manage third-party risk: 56%
› To report security metrics to the business and/or the board: 53%
› To measure effectiveness of our security program and investments: 53%
› To improve our security awareness training efforts: 50%
› To demonstrate adherence to compliance requirements: 45%
› To identify and manage fourth-party risk (your third party's third parties): 44%
› To demonstrate and validate our security posture to investors: 42%
› To demonstrate and validate our security posture to partners: 41%
› To support our cyber insurance underwriting or renewal discussions: 40%
› To inform our insider threat program: 33%
› To inform our procurement activities: 29%
› To inform our mergers and acquisitions: 26%
Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018
Base: 107 North American enterprise security and compliance technology decision-makers who use security ratings services
What determines your score?
Understand and overcome common challenges that make it difficult to extract value from security ratings
› Not sure how to prioritize remediation efforts
› Challenging to act on the results internally
› Identified too many new issues to remediate
› Not sure we can trust the results
› Too many false positives
› Do not understand how scores are determined
› Business leaders do not understand what the scores mean
91% find that ROI of security ratings services meets expectations; 55% say ROI has exceeded expectations
"How would you describe the return on investment (ROI) of your security ratings services?"
› No return: 2%
› Some return but below expectations: 6%
› Significant return that has met expectations: 36%
› Significant return above expectations: 41%
› Significant return beyond our highest expectations: 14%
Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018
Base: 107 North American enterprise security and compliance technology decision-makers who use security ratings services
Areas with the greatest benefit vs expectation gap
› Justification for new investments
› Easier to prioritize security efforts
› Improved business resiliency
› Business leaders are more informed
› Improved security posture
› Improved threat intelligence
Capabilities to consider when evaluating a security ratings platform
› Predictive capabilities
› Visibility into 3rd party risk
› Compliance tracking
› Depth and detail of info behind the scores
› Built-in data sources to provide quick and accurate results
› Actionable advice to improve scores
› Customizable alerts and/or dashboards
› Ease of understanding what scores and ratings mean
› Customizable APIs
› Ease of sharing results with partners
Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018
Base: 158 North American enterprise security and compliance technology decision-makers
SecurityScorecard Overview
Trusted by Hundreds of Industry Leaders
Nearly 75% of Breaches are a Result
of Poor Third-Party Security.
Limitations of Current Third-Party Risk Management Methods
• Point-in-time snapshots that fail to address ongoing changes in security posture
• Labor-intensive process that is expensive and time-consuming
• Not scalable without additional investment and resources
• Difficult to measure IT security investment
• Difficult to show due care to regulators
• Lack of executive-level reporting: inability to communicate security posture and ROI to C-level and Board
• No ability to prioritize "weakest link" third parties
• No ability to validate information given (honor system)
New Feature: Breach Insights
What is Breach Insights?
Breach Insights quantifies the likelihood of breach (i.e. risk level) within customers' vendor and partner portfolios using a "multiplier", based on identifying common attributes between companies and their relevance to breach risk. It combines this "correlated" risk with uncorrelated, individual company risk.
- Common attributes can include SSC-defined issues, CVEs (vulnerabilities), and common technologies (e.g. cloud providers, 3rd party libraries, etc.)
- Action log: the feature prioritizes actions to reduce risk across a portfolio of vendors
The feature enables predictive and prescriptive risk management and makes SecurityScorecard data actionable.
What problem are we solving?
• Customers now have a way to tie our scores to real-world impacts
• Customers can prioritize which issues need to be fixed first across a portfolio (and which actions are most impactful)
• Helps companies gain prescriptive guidance from SecurityScorecard to help educate users
"This is the kind of stuff that real risk professionals are asking for"
Two Types of Portfolio Risk (as in asset management)
• Uncorrelated Risk
  ▪ Assumes portfolio entities are independent of each other with regard to risk.
• Correlated Risk
  ▪ A single event can result in the simultaneous occurrence of many losses.
Uncorrelated Risk
• Breach risk is determined by the scores of the individual vendors in the portfolio.
• The more vendors with poor scores, the greater the breach risk.
Accessing Breach Insights
• New dropdown on main navigation for "Analysis Tools"
• Features Board Summary, Breach Insights, and Comparison Tool
• Creates home for new analysis tools going forward
Breach Insights - Healthy Portfolio
• X-axis: Correlated Risk
• Y-axis: Uncorrelated Risk
• Portfolio vendors have good scores and are well diversified (low correlation of security flaws).
• Overall Assessment: Healthy
Breach Insights - Portfolio at High Risk of Breach
• Portfolio vendors have good diversity (low correlation) but have an excess of poor scores, resulting in high risk of multiple breaches.
• Overall Risk: High
Breach Insights - Portfolio at Severe Risk of Breach
• Portfolio vendors have poor diversity (high correlation) and have an excess of poor scores, resulting in higher risk of multiple breaches.
• Overall Risk: Severe
• This is an example of a silent risk that is much greater than the uncorrelated risk (associated with the scores of the individual portfolio vendors alone) would suggest.
Breach Insights & Action Log
• Shows an overall Breach Risk score for a selected portfolio, both correlated and uncorrelated risk
• Action Log of top issues contributing to breach risk
• Ability to export detailed findings to CSV
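The two portfolio risks described above (uncorrelated: vendors independent; correlated: one event causes many simultaneous losses) and the action-log idea can be made concrete with a small model. The following is an added example and is not SecurityScorecard's code, scoring formula or Breach Insights "multiplier". It assumes a constructed five-vendor portfolio with placeholder attribute labels (not real products or CVE identifiers), an assumed monotone mapping from a 0-100 score to an annual breach probability, and assumed probabilities that a shared attribute suffers one event that breaches every vendor exposing it. It computes the uncorrelated risk from scores alone, the correlated risk by enumerating common-cause events exactly, and ranks remediation actions by how much each lowers the probability of two or more breaches across the portfolio.

```python
"""Illustrative portfolio breach-risk model: uncorrelated vs correlated risk.

Constructed example. The score-to-probability mapping, the attribute event
probabilities and the enumeration below are assumptions for illustration, not
SecurityScorecard's scoring formula or Breach Insights "multiplier".
"""
from itertools import product

# Constructed vendor portfolio: (name, score 0-100, shared attributes).
# Attribute labels are placeholders, not real products, vendors or CVE identifiers.
PORTFOLIO = [
    ("payroll-saas", 62, {"tech:cdn-a", "issue:expired-tls"}),
    ("ticketing",    58, {"tech:cdn-a", "tech:framework-b"}),
    ("analytics",    71, {"tech:cdn-a"}),
    ("print-vendor", 45, {"tech:framework-b"}),
    ("legal-docs",   88, set()),
]

# Assumed annual probability that a shared attribute suffers one event (a mass
# exploitation campaign, a provider compromise) breaching every vendor exposing it.
ATTRIBUTE_EVENT_PROB = {"tech:cdn-a": 0.05, "tech:framework-b": 0.08, "issue:expired-tls": 0.02}


def score_to_prob(score):
    """Assumed monotone map from a 0-100 score to a vendor's own annual breach probability."""
    return 0.02 + 0.30 * (1 - score / 100)


def breach_count_distribution(probs, forced=0):
    """Distribution of the number of breached vendors when `probs` are independent
    and `forced` vendors are already breached (Poisson-binomial dynamic programme)."""
    dist = [0.0] * (len(probs) + forced + 1)
    dist[forced] = 1.0
    for p in probs:
        for k in range(len(dist) - 1, 0, -1):
            dist[k] = dist[k] * (1 - p) + dist[k - 1] * p
        dist[0] *= 1 - p
    return dist


def summarize(dist):
    return {"expected_breaches": sum(k * pk for k, pk in enumerate(dist)),
            "p_multiple": sum(dist[2:])}  # probability of two or more breaches


def uncorrelated_risk(portfolio):
    """Treat every vendor as independent: risk follows from individual scores alone."""
    return summarize(breach_count_distribution([score_to_prob(s) for _, s, _ in portfolio]))


def correlated_risk(portfolio, event_probs):
    """Add common-cause events: for each combination of attribute events, breach all
    vendors exposing a fired attribute at once, treat the rest independently, and
    weight the result by the combination's probability."""
    attrs = sorted(event_probs)
    total = {"expected_breaches": 0.0, "p_multiple": 0.0}
    for outcome in product((False, True), repeat=len(attrs)):
        p_outcome = 1.0
        fired = set()
        for a, hit in zip(attrs, outcome):
            p_outcome *= event_probs[a] if hit else 1 - event_probs[a]
            if hit:
                fired.add(a)
        forced = sum(1 for _, _, a in portfolio if a & fired)
        rest = [score_to_prob(s) for _, s, a in portfolio if not a & fired]
        part = summarize(breach_count_distribution(rest, forced))
        for key in total:
            total[key] += p_outcome * part[key]
    return total


def action_log(portfolio, event_probs, target_score=90):
    """Rank candidate actions by the drop in P(two or more breaches) across the portfolio."""
    base = correlated_risk(portfolio, event_probs)["p_multiple"]
    actions = []
    for a in event_probs:  # remediate a shared exposure everywhere it appears
        pruned = [(n, s, attrs - {a}) for n, s, attrs in portfolio]
        actions.append((f"remove shared exposure {a}",
                        base - correlated_risk(pruned, event_probs)["p_multiple"]))
    for i, (n, s, attrs) in enumerate(portfolio):  # or lift one vendor's own score
        improved = portfolio[:i] + [(n, max(s, target_score), attrs)] + portfolio[i + 1:]
        actions.append((f"raise {n} score to {target_score}",
                        base - correlated_risk(improved, event_probs)["p_multiple"]))
    return sorted(actions, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("uncorrelated:", uncorrelated_risk(PORTFOLIO))
    print("correlated:  ", correlated_risk(PORTFOLIO, ATTRIBUTE_EVENT_PROB))
    for action, gain in action_log(PORTFOLIO, ATTRIBUTE_EVENT_PROB)[:3]:
        print(f"{gain:.3f}  {action}")
```

Run as a script it prints both risk summaries and the three most effective actions. In this constructed portfolio the probability of two or more breaches roughly doubles once shared exposures are modelled, and the top-ranked action is removing the shared exposure with the highest event probability rather than raising any single vendor's score, which is the "silent risk" the slides describe: individual scores alone would understate it.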
Customer Stories
The SecurityScorecard Platform
Children's Hospital of Minnesota Case Study
https://s3.amazonaws.com/ssc-corporate-website-production/documents/resources/ChildrensMN-Case-Study-c04-1.pdf
Children’s Hospital of Minnesota is one of the
largest independent pediatric health systems in the
United States, with two hospitals, twelve primary
care clinics, six rehabilitation and nine specialty
care sites. As a healthcare nonprofit, Children’s
Minnesota is subject to HIPAA regulations and
must ensure that personal health information (PHI)
is secured, both at physical locations and within
electronic health records and exchanges.
Farm Credit Case Study
https://s3.amazonaws.com/ssc-corporate-website-production/documents/resources/FarmCredit-Case-Study-c05.pdf
Farm Credit Mid-America (“Farm Credit”) is one of
the largest agricultural lending cooperatives within
the U.S. Farm Credit System, with over 1,100
employees and more than 100,000 customers
across Indiana, Ohio, Kentucky, and Tennessee. We
spoke to Chief Security Officer and Assistant Vice
President of Database Systems Mike Everett about
how Farm Credit operationalizes SecurityScorecard.
Healthwise Case Study
https://s3.amazonaws.com/ssc-corporate-website-production/documents/resources/Healthwise-Case-Study-c02.pdf
Healthwise is a global provider of consumer health
content and patient education for the top health
plans, care management companies, hospitals and
consumer health portals. It is a non-profit
organization that has been in operation for more
than 40 years. Healthwise is dedicated to providing
health information, decision support tools,
behavior change assistance, and personal care
planning for millions of people yearly. Healthwise is
an essential resource that many people rely on in
order to improve their lives.
FORRESTER.COM
Thank you
Heidi Shey
+1-617-613-6076
hshey@forrester.com

 

Forrester Webinar: Security Ratings Set the Standard

  • 5. Technical challenges dominate budget focus: Data, Network, Identity, Endpoint, Application
  • 6. 60% of companies had their sensitive data breached in the past year
    "How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?"
    › 0 (39%) | Once (12%) | Twice (24%) | 3-5 (16%) | 6-10 (4%) | 11-25 (4%) | >25 (1%) | Don't know (1%)
    Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018. Base: 158 North American enterprise security and compliance technology decision-makers
  • 7. Data breaches come in a variety of forms, whether external, internal, or from the partner ecosystem
    "Which of the following types of security breaches has your organization been subject to in the past 12 months?"
    › External attack targeting our organization: 58%
    › Internal incident within our organization: 52%
    › Attack or incident involving our business partners/third-party suppliers: 49%
    › Lost/stolen asset: 7%
    Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018. Base: 96 North American enterprise security and compliance technology decision-makers who have had a security breach in the past year
  • 8-9. Third-party partner missteps are your missteps too
    › [unnamed] (Workplace Privacy Report, April 8, 2018)
    › [24]7.ai (Star Tribune, April 5, 2018)
    › Genpact (CSO Magazine, April 5, 2017)
  • 10. Breach costs vary
  • 11. Most organizations have frameworks and technologies in place to measure and track vendor risk management/ecosystem risk
    "Which of the following best describes your company's current approach to the way vendor risk management/ecosystem risks (VRM) are managed, communicated, and reported across the company?"
    › No formal processes or tools are used to identify and manage ecosystem risk: 1%
    › We manually identify and manage ecosystem risk and concerns as issues arise: 11%
    › We have established processes and technical capabilities for identifying and managing ecosystem risks: 31%
    › We have a well-defined framework that consistently tracks and measures ecosystem risks and uses metrics to connect IT to the business: 46%
    › Ecosystem risk management processes are considered a critical business imperative at all levels of the organization: 11%
    › Don't know/not sure: 1%
    Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018. Base: 158 North American enterprise security and compliance technology decision-makers
  • 12-14. But there is room for improvement…
    "Which of the following best describes your company's process for vendor risk management (VRM)?"
    › Continuous monitoring solutions connected to vendor systems: 40%
    › Periodic audits of third-party systems: 32%
    › Annual or semi-annual questionnaires sent to vendors: 26%
    Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018. Base: 158 North American enterprise security and compliance technology decision-makers
  • 15. The role of a security ratings platform
  • 16. How security scores and ratings affect your firm
    › Aids insurers in setting cyberinsurance policy rates
    › Helps business leaders evaluate M&A opportunities
    › Assists board members' review of consistent risk metrics (including third- and fourth-party risk)
    › Helps your partners assess the risk of working with you
  • 17. Ratings are used to identify, measure, manage, report, and provide education around risks
    "How do you use security ratings?"
    › To identify and manage third-party risk: 56%
    › To report security metrics to the business and/or the board: 53%
    › To measure effectiveness of our security program and investments: 53%
    › To improve our security awareness training efforts: 50%
    › To demonstrate adherence to compliance requirements: 45%
    › To identify and manage fourth-party risk (your third party's third parties): 44%
    › To demonstrate and validate our security posture to investors: 42%
    › To demonstrate and validate our security posture to partners: 41%
    › To support our cyber insurance underwriting or renewal discussions: 40%
    › To inform our insider threat program: 33%
    › To inform our procurement activities: 29%
    › To inform our mergers and acquisitions: 26%
    Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018. Base: 107 North American enterprise security and compliance technology decision-makers who use security ratings services
  • 18. What determines your score?
  • 19. Understand and overcome common challenges that make it difficult to extract value from security ratings
    › Not sure how to prioritize remediation efforts
    › Challenging to act on the results internally
    › Identified too many new issues to remediate
    › Not sure we can trust the results
    › Too many false positives
    › Do not understand how scores are determined
    › Business leaders do not understand what the scores mean
  • 20. 91% find that the ROI of security ratings services meets expectations; 55% say ROI has exceeded expectations
    "How would you describe the return on investment (ROI) of your security ratings services?"
    › No return: 2%
    › Some return but below expectations: 6%
    › Significant return that has met expectations: 36%
    › Significant return above expectations: 41%
    › Significant return beyond our highest expectations: 14%
    Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018. Base: 107 North American enterprise security and compliance technology decision-makers who use security ratings services
  • 21. Areas with the greatest benefit vs. expectation gap
    › Justification for new investments
    › Easier to prioritize security efforts
    › Improved business resiliency
    › Business leaders are more informed
    › Improved security posture
    › Improved threat intelligence
  • 22. Capabilities to consider when evaluating a security ratings platform
    › Predictive capabilities
    › Visibility into 3rd-party risk
    › Compliance tracking
    › Depth and detail of info behind the scores
    › Built-in data sources to provide quick and accurate results
    › Actionable advice to improve scores
    › Customizable alerts and/or dashboards
    › Ease of understanding what scores and ratings mean
    › Customizable APIs
    › Ease of sharing results with partners
    Source: A commissioned study conducted by Forrester Consulting on behalf of Security Scorecard, March 2018. Base: 158 North American enterprise security and compliance technology decision-makers
  • 26. Trusted by Hundreds of Industry Leaders
  • 27. Nearly 75% of Breaches are a Result of Poor Third-Party Security.
  • 29. Limitations of Current Third-Party Risk Management Methods
    • Point-in-time snapshots that fail to address ongoing changes in security posture
    • Labor-intensive process that is expensive and time-consuming
    • Not scalable without additional investment and resources
    • Difficult to measure IT security investment
    • Difficult to show due care to regulators
    • Lack of executive-level reporting: inability to communicate security posture and ROI to C-level and Board
    • No ability to prioritize "weakest link" third parties
    • No ability to validate information given (honor system)
  • 37. What is Breach Insights?
    Breach Insights quantifies the likelihood of breach (i.e., risk level) within customers' vendor and partner portfolios using a "multiplier" based on identifying common attributes between companies and their relevance to breach risk. It combines this "correlated" risk with uncorrelated, individual-company risk.
    • Common attributes can include SSC-defined issues, CVEs (vulnerabilities), and common technologies (e.g., cloud providers, 3rd-party libraries, etc.)
    • Action log: the feature prioritizes actions to reduce risk across a portfolio of vendors
    The feature enables predictive and prescriptive risk management and makes SecurityScorecard data actionable.
  • 38. What problem are we solving?
    • Customers now have a way to tie our scores to real-world impacts
    • Customers can prioritize which issues need to be fixed first across a portfolio (and which actions are most impactful)
    • Helps companies gain prescriptive guidance from SecurityScorecard to help educate users
    "This is the kind of stuff that real risk professionals are asking for"
  • 39. Two Types of Portfolio Risk - Asset Management
    • Uncorrelated Risk
      ▪ Assumes portfolio entities are independent of each other with regard to risk.
    • Correlated Risk
      ▪ A single event can result in the simultaneous occurrence of many losses.
  • 40. Uncorrelated Risk
    • Breach risk is determined by the scores of individual vendors in the portfolio.
    • More vendors with poor scores means greater breach risk.
  • 41. Accessing Breach Insights
    • New dropdown on main navigation for "Analysis Tools"
    • Features Board Summary, Breach Insights, and Comparison Tool
    • Creates a home for new analysis tools going forward
  • 42. Breach Insights - Healthy Portfolio
    • X-axis: Correlated Risk
    • Y-axis: Uncorrelated Risk
    • Portfolio vendors have good scores and are well diversified (low correlation of security flaws).
    • Overall Assessment: Healthy
  • 43. Breach Insights - Portfolio at High Risk of Breach
    • Portfolio vendors have good diversity (low correlation) but have an excess of poor scores, resulting in high risk of multiple breaches.
    • Overall Risk: High
  • 44. Breach Insights - Portfolio at Severe Risk of Breach
    • Portfolio vendors have poor diversity (high correlation) and have an excess of poor scores, resulting in higher risk of multiple breaches.
    • Overall Risk: Severe
    • This is an example of a silent risk that is much greater than the uncorrelated risk, associated with the scores of the individual portfolio vendors alone, would suggest.
  • 45. Breach Insights & Action Log
    • Shows an overall Breach Risk score for a selected portfolio, both correlated and uncorrelated risk
    • Action Log of top issues contributing to breach risk
    • Ability to export detailed findings to CSV
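The two axes and the action log described in slides 39-45, as an added illustration in Python. This is not SecurityScorecard's algorithm (the deck does not disclose its "multiplier"): the score-to-probability mapping, the Jaccard overlap used for correlation, the 0.5 thresholds, the "Concentrated" label for the fourth quadrant, and all vendor names, scores and attribute tags are constructed assumptions.

```python
from itertools import combinations

# Constructed sample portfolios: vendor -> (security score 0-100, shared attributes).
# Vendor names, scores and attribute tags are made up for this illustration.
HEALTHY = {"vendor-a": (95, {"cloud:aws"}),
           "vendor-b": (90, {"cloud:gcp"}),
           "vendor-c": (92, {"cloud:azure"})}
SEVERE = {"vendor-d": (40, {"cloud:aws", "lib:logging-lib-v1"}),
          "vendor-e": (50, {"cloud:aws", "lib:logging-lib-v1"}),
          "vendor-f": (45, {"cloud:aws", "lib:logging-lib-v1", "issue:expired-tls-cert"})}

def breach_probability(score):
    """Assumed linear mapping from a 0-100 score to a breach probability
    (100 -> 0.0, 0 -> 0.5); not a published SecurityScorecard formula."""
    return (100 - score) / 100 * 0.5

def uncorrelated_risk(portfolio):
    """P(at least one vendor breached) treating vendors as independent:
    1 - prod(1 - p_i). Every additional poorly scored vendor pushes it up."""
    p_none = 1.0
    for score, _ in portfolio.values():
        p_none *= 1.0 - breach_probability(score)
    return 1.0 - p_none

def correlated_risk(portfolio):
    """Mean pairwise Jaccard overlap of vendor attributes: 0.0 = fully diversified,
    1.0 = all vendors share all attributes, so one event (say a CVE in the shared
    library) could breach several of them at once."""
    pairs = list(combinations(portfolio.values(), 2))
    if not pairs:
        return 0.0
    total = 0.0
    for (_, a), (_, b) in pairs:
        total += len(a & b) / len(a | b) if (a | b) else 0.0
    return total / len(pairs)

def action_log(portfolio):
    """Attributes shared by two or more vendors, most widely shared first:
    remediating these cuts the correlated component across the whole portfolio."""
    counts = {}
    for _, attrs in portfolio.values():
        for attr in attrs:
            counts[attr] = counts.get(attr, 0) + 1
    return sorted(((a, n) for a, n in counts.items() if n >= 2),
                  key=lambda item: (-item[1], item[0]))

def assess(portfolio, uncorr_threshold=0.5, corr_threshold=0.5):
    """Place the portfolio on the two axes; the thresholds are assumed values."""
    u, c = uncorrelated_risk(portfolio), correlated_risk(portfolio)
    if u < uncorr_threshold and c < corr_threshold:
        level = "Healthy"       # good scores, well diversified
    elif c < corr_threshold:
        level = "High"          # diversified, but an excess of poor scores
    elif u >= uncorr_threshold:
        level = "Severe"        # poor scores concentrated on shared attributes
    else:
        level = "Concentrated"  # assumed label: good scores but little diversity
    return {"uncorrelated": round(u, 3), "correlated": round(c, 3), "assessment": level}
```

Calling `assess(SEVERE)` returns an uncorrelated risk of about 0.62 and a correlated risk of about 0.78 ("Severe"), while `action_log(SEVERE)` lists the shared cloud provider and library first, which is the "silent risk" slide 44 describes.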
  • 48. Children's Hospital of Minnesota Case Study (https://s3.amazonaws.com/ssc-corporate-website-production/documents/resources/ChildrensMN-Case-Study-c04-1.pdf)
    Children's Hospital of Minnesota is one of the largest independent pediatric health systems in the United States, with two hospitals, twelve primary care clinics, six rehabilitation and nine specialty care sites. As a healthcare nonprofit, Children's Minnesota is subject to HIPAA regulations and must ensure that personal health information (PHI) is secured, both at physical locations and within electronic health records and exchanges.
  • 49. Farm Credit Case Study (https://s3.amazonaws.com/ssc-corporate-website-production/documents/resources/FarmCredit-Case-Study-c05.pdf)
    Farm Credit Mid-America ("Farm Credit") is one of the largest agricultural lending cooperatives within the U.S. Farm Credit System, with over 1,100 employees and more than 100,000 customers across Indiana, Ohio, Kentucky, and Tennessee. We spoke to Chief Security Officer and Assistant Vice President of Database Systems Mike Everett about how Farm Credit operationalizes SecurityScorecard.
  • 50. Healthwise Case Study (https://s3.amazonaws.com/ssc-corporate-website-production/documents/resources/Healthwise-Case-Study-c02.pdf)
    Healthwise is a global provider of consumer health content and patient education for the top health plans, care management companies, hospitals and consumer health portals. It is a non-profit organization that has been in operation for more than 40 years. Healthwise is dedicated to providing health information, decision support tools, behavior change assistance, and personal care planning for millions of people yearly. Healthwise is an essential resource that many people rely on in order to improve their lives.
  • 51. FORRESTER.COM Thank you © 2018 FORRESTER. REPRODUCTION PROHIBITED. Heidi Shey +1-617-613-6076 hshey@forrester.com