What’s in a security score?

Apparently a lot, as companies seek to vet third-party providers and cyber insurers look for predictors of breaches.


Fair Isaac Corp., the company that issues credit scores for individuals, was tired of other analytics companies developing security scoring tools for businesses and then proclaiming themselves “the FICO of security scores.”

So in May, FICO upped its own scoring game. It acquired cybersecurity firm QuadMetrics to create its own brand of enterprise security scores. The new scoring tool, available in August, uses predictive analytics and security risk assessment tools to issue scores and predict a company’s likelihood of a significant breach within the next 12 months relative to other firms.

“Our own cyber breach insurance underwriters commented how great it would be if there was really a FICO score on this for the underwriting process,” says Doug Clare, vice president of cybersecurity solutions. The company had already invested in cybersecurity detection technology that assesses network traffic, and it saw the addition of QuadMetrics as “the right opportunity at the right time,” he adds.

Indeed, enterprises are eager for an accurate, easy-to-understand indicator of a company’s security posture, but are today’s enterprise security scores ready for prime time? BitSight Technologies, SecurityScorecard, and startups RiskRecon and UpGuard already offer security scoring, to name a few. Another group of vendors monitors and scores the security of cloud providers, including eFortresses, Elastica, Netskope and Skyhigh Networks.

The market for security scoring tools and services is so new that research firms haven’t yet assessed its growth potential, but BitSight, for one, reports a 60 percent increase in customers in the first half of 2016 and sales that tripled compared with the first half of 2015.

Security scores are used by cyber insurance underwriters to evaluate a company’s potential risk, by companies to evaluate the cyber-risk posture of third-party vendors and partners, and by senior executives to explain a company’s cyber risk to its board of directors with an easy-to-understand rating.

“The third-party risk management is the one we see growing the most rapidly,” says Jeffrey Wheatman, research director, security and privacy, at Gartner. “We think that at some point in the near term, a cybersecurity score will be as important as a credit score when organizations look to sign up for a partnership.”


Nearly two-thirds of IT decision-makers surveyed by Forrester Research believe that continuous third-party monitoring would improve their ability to screen vendors based on risk. Almost 80 percent say that their top IT priority is ensuring that business partners and third parties comply with their security requirements.

What’s in a security score?

Security professionals have some concerns, however, about whether a single score can capture all the nuances of a security program, whether score issuers are comparing the same security metrics to produce a score, and if companies can even be compared to one another given that no two networks are the same.

“Cyber risk is literally a living organism that keeps changing every day,” says Mary Galligan, director of Deloitte’s security and privacy practice. “The execution of how to [use analytics to assign a score] is extremely complicated, but a score could be a good baseline as long as apples are being compared to apples.”

The biggest security-score providers analyze a company’s security posture using only externally accessible data, which they don’t need permission to acquire. That also means a company could have a security score without even knowing it.

Most score issuers rely on publicly available data on known vulnerabilities in a company’s current network, web applications and endpoint security. Underground hacker groups and Dark Web chatter are monitored for malicious activity. Scores can also take into account how quickly the company patches known vulnerabilities and the number of leaked company credentials being circulated by thieves and hackers.

For an additional cost, some providers offer tools that can be placed inside the firewall to collect more data on activity within the network. “It won’t necessarily improve your score, but it will make it more accurate as far as details,” Clare says.

The real differentiator, or “secret sauce,” is the vendor’s depth of collected data and the analytics it uses to come up with a score, which can be hard to discern.

“Are the tools perfect? No. Are they better than nothing? They are. The issue is, they’re not really that transparent about how they do what they do,” Wheatman says.

Security-score providers use their own unique scales. BitSight security ratings, for instance, range from 250 to 900, with higher ratings indicating a positive security posture. SecurityScorecard issues a letter grade A through F based on 10 security categories, and QuadMetrics scores range from 0 to 300. The new FICO/QuadMetrics offering will have a scoring range of 0 to 900 to allow for more detailed results, Clare says.

Despite differences in scoring methods, a handful of Gartner clients who received demo scores from various vendors found that they generally yielded the same results, Wheatman says.

Algorithm tweaks can change a score significantly

Companies have reported that as algorithms are updated, scores can fluctuate wildly. “They’re constantly re-evaluating the way they do their scoring. I spoke with a customer two months ago. BitSight changed its algorithm, and their score dropped 80 points. They were mad,” Wheatman says. Significant score changes trigger an alert that is sent to any organization that’s monitoring that company’s security posture, and it can cause needless concern, he adds.

Most scoring services will license or sell the scores of industry peers to a company so that it can compare its security practices to others in the same market. Contracts usually prohibit companies from publishing the scores of other companies, but there are no guarantees.

FICO has no such clause in its contract right now. “What we have is an ability for organizations to opt out and say ‘I don’t ever want to be scored,’” Clare says. Companies that haven’t opted out are fair game. “If we saw some kind of abuse there, that would be an interesting consideration, but up to this point we haven’t seen it.”

Insurance companies have licenses with score providers for the underwriting process. The company applying for cyber insurance has no say in what provider issues the score.

“If you get a bad score and you don’t agree with it, there’s not really a good mechanism to appeal that right now. That is something that needs to be addressed,” Wheatman adds.

Clare says a low score is often due to unrelated assets that are lumped into a company’s external profile, such as those with a similar company name or acronym. “There are ways of remediating that in the process,” he adds.
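As an added illustration, not taken from the article and not any vendor’s actual algorithm, the following Python models the kind of externally observable signals described earlier (exposed services, patch latency on known vulnerabilities, leaked credentials, TLS health) and shows the misattribution effect Clare describes: a lookalike company’s neglected host, wrongly folded into the scored organization’s external profile, drags the score down until an attribution filter removes it. The signal weights, the 90-day and 50-credential normalization thresholds, the 250 to 900 output range (borrowed from the BitSight scale mentioned above purely for illustration), the peer scores and the asset inventory are all constructed assumptions for this example.

```python
"""Hypothetical external-posture scoring model (constructed example, not any vendor's method)."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, List, Optional


@dataclass
class AssetObservation:
    """One externally observed host, as a rating service would see it without permission."""
    host: str
    owner: str                                  # organization the host was attributed to
    open_services: List[str] = field(default_factory=list)
    unpatched_cve_days: List[int] = field(default_factory=list)  # days each known CVE stayed exposed
    leaked_credentials: int = 0                 # credential pairs seen in public dumps
    tls_ok: bool = True


# Assumed weights; they sum to 1.0 so asset risk stays on 0 (good) .. 1 (bad).
WEIGHTS = {"exposure": 0.3, "patch_latency": 0.4, "leaked_creds": 0.2, "tls": 0.1}
RISKY_SERVICES = {"telnet", "rdp", "smb", "ftp"}   # assumed list of services that count against a host
SCALE_MIN, SCALE_MAX = 250, 900                  # illustrative output range


def risk_components(asset: AssetObservation) -> dict:
    """Normalize each raw signal to 0 (good) .. 1 (bad), capping at 1."""
    exposure = min(1.0, sum(1 for s in asset.open_services if s in RISKY_SERVICES) / 3)
    patch_latency = min(1.0, max(asset.unpatched_cve_days, default=0) / 90)  # 90 days = fully bad
    leaked = min(1.0, asset.leaked_credentials / 50)                         # 50 leaks = fully bad
    tls = 0.0 if asset.tls_ok else 1.0
    return {"exposure": exposure, "patch_latency": patch_latency, "leaked_creds": leaked, "tls": tls}


def asset_risk(asset: AssetObservation) -> float:
    """Weighted risk for a single host on 0 .. 1."""
    comps = risk_components(asset)
    return sum(WEIGHTS[k] * comps[k] for k in WEIGHTS)


def score(assets: List[AssetObservation], org: str,
          attribution_filter: Optional[Callable[[AssetObservation], bool]] = None) -> Optional[int]:
    """Score `org` from every host attributed to it, optionally after an attribution filter.

    Returns an int on SCALE_MIN .. SCALE_MAX (higher is better), or None if nothing is attributed.
    """
    owned = [a for a in assets if a.owner == org]
    if attribution_filter is not None:
        owned = [a for a in owned if attribution_filter(a)]
    if not owned:
        return None
    risk = mean(asset_risk(a) for a in owned)           # one bad host dilutes many good ones
    return round(SCALE_MAX - risk * (SCALE_MAX - SCALE_MIN))


def peer_percentile(own_score: int, peer_scores: List[int]) -> float:
    """Fraction of peers scoring at or below `own_score` (the relative view peers are compared on)."""
    return sum(1 for p in peer_scores if p <= own_score) / len(peer_scores)


def is_acme_corp_asset(asset: AssetObservation) -> bool:
    """Hypothetical attribution rule: only hosts under the company's own domain count."""
    return asset.host.endswith(".acme-corp.example")


# Constructed inventory. The third host belongs to a lookalike business and was
# wrongly attributed to "Acme Corp" by name similarity.
INVENTORY = [
    AssetObservation("www.acme-corp.example", "Acme Corp", ["https"], [10], 2, True),
    AssetObservation("mail.acme-corp.example", "Acme Corp", ["smtp", "https"], [], 0, True),
    AssetObservation("acmeplumbing.example", "Acme Corp", ["ftp", "telnet", "http"], [400, 200], 0, False),
]
PEER_SCORES = [610, 700, 790, 850]   # constructed scores for four industry peers


def attribution_audit(assets: List[AssetObservation], org: str) -> dict:
    """Score before and after removing misattributed hosts, plus the peer percentile of each."""
    raw = score(assets, org)
    cleaned = score(assets, org, is_acme_corp_asset)
    return {
        "raw_score": raw,
        "cleaned_score": cleaned,
        "raw_percentile": peer_percentile(raw, PEER_SCORES),
        "cleaned_percentile": peer_percentile(cleaned, PEER_SCORES),
    }


if __name__ == "__main__":
    for k, v in attribution_audit(INVENTORY, "Acme Corp").items():
        print(f"{k}: {v}")
```

With the constructed inventory the misattributed plumbing host alone moves the score from 883 to 737 and the peer standing from top of the group to the middle, which is the kind of swing a company would want to dispute before an insurer or partner acts on it. The averaging step is deliberate: it is what makes one neglected, wrongly attributed host matter so much, and it is why cleaning up the external asset inventory is usually the first remediation.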

Will there be a Big Three?

Just as Experian, TransUnion and Equifax have become the primary credit bureaus, will the current pool of enterprise security score providers be whittled down to just a few?

“It could go that way,” Wheatman says. “It’s likely that a cyber score will become as important as other scores, so other rating agencies need to build or acquire this technology. It’s too early to determine what the landscape is going to look like in even two years, let alone five to seven years.”

This story, "What’s in a security score?" was originally published by CSO.