How CyberGRX Compares to Security Ratings

Security ratings are based on a compilation of outside data sources and are intended to measure the security health of an organization. Their primary benefits are consistency in how they are determined and speed for the evaluator: security pros can see an instant number and gain a relative understanding of one company’s security posture versus another’s. But are they enough to assess the risk a third party poses to your organization and provide ample information to make confident risk management decisions?

The reality is security ratings can give you a baseline indicator of how well a third party manages their cybersecurity, but they fail to measure an organization’s risk posture completely. To illustrate, let’s look at an analogy.

Curb Appeal vs. Home Inspection

Let’s say you want to buy a new house. Your realtor has several homes to show you that all meet your buying criteria. As you drive to each one, the first thing you notice is the curb appeal: how does this home look on the outside? It’s easy for the curb appeal to influence your opinion of the home’s condition. If it’s kept up externally, it’s probably also maintained internally, right? Maybe, but not necessarily.

Few buyers would purchase a home based on curb appeal alone, as it doesn’t accurately reflect the underlying conditions or recent incidents that have occurred at that house. As an example, you see a house that looks attractive on the outside, with a new roof even. But what you don’t see is what’s under the roof and why it had to be replaced. During the last big storm, part of the roof collapsed, damaging the trusses and supporting beams and creating structural concerns for the new homeowner if not addressed. To protect their investment, most homebuyers hire a professional home inspector to help identify potential risks and avoid costly surprise repairs.

Third-party risk management is no different.

You can’t confidently make critical decisions based on the curb appeal (the security rating) of a vendor. The score is merely one data point; to fully evaluate the security posture of a third party, you need a more comprehensive evaluation and the appropriate tools that go beyond the surface and uncover your greatest areas of vulnerability.

The Allure and Dangers of Security Ratings

Without a doubt, security ratings are attractive to security professionals, and for good reason. Security ratings tools can cover a breadth of third parties with a single risk score, a capability that has earned them a reputation as an easily scalable solution. The simplicity of security ratings is their strength, but also their downfall. One frustration is the lack of transparency in the methodology used for the data analysis: how exactly was this score developed?

The greatest predictor of a security rating is the inverse of a company's internet presence. Large companies typically have vast internet real estate, which means they are going to show some evidence of malware or misconfigurations. As such, their security score may be lower regardless of how good their security actually is. For the big brands, a low rating is less of a concern, however. Most companies using security ratings would just discount it and move on, knowing that well-known logos are well managed.

Where the problem truly arises is at the other end of the spectrum. 

The smaller company with a limited internet presence has the potential to be rated artificially high, as the ratings tool will only see its one internet-facing instance. But in reality, it may have minimal or no security controls at all and be totally exposed, posing risk to its customers too. As an example, Defazio Air Conditioning, the small HVAC supplier, was the entry point for the infamous Target breach.

The quality of the data behind security scores has also been challenged, mainly for the fact that third parties themselves are not able to easily contribute to the information. Imagine if you as a consumer were unable to fix errors in your credit score. Third parties often feel the same frustration when they are assigned a score that isn’t truly reflective of the controls they have in place.

In short, security ratings are driven by outside-in data, meaning they are gathered by scanning externally visible information from outside resources. The vendor is not consulted in the process or asked to provide additional information; in other words, the scores are one-dimensional and produce only surface-level information. In addition, they don’t account for the different layers of risk, including inherent, predictive and residual risk.

The CyberGRX Advantage Over Security Ratings

While we compared security ratings to a home’s curb appeal, think of CyberGRX as the home inspector. CyberGRX uses both inside-out and outside-in data sources to provide you with complete visibility into your risk posture, more than what you can see from the outside with a security rating alone. How?

CyberGRX uses both internal and external data to provide businesses with broad visibility and deep intelligence about a third party’s risk posture. With a multi-dimensional view, you’re able to evaluate inherent, predicted, and residual risk, allowing you to protect your data more effectively while also providing a roadmap to reduce risk at scale. We call this “Cyber Risk Intelligence”, and CyberGRX is the only risk management solution to provide this level of insight.

Because of the comprehensive approach to third-party risk management, organizations are able to manage their overall risk within a single platform instead of relying on outside resources for additional help. A few of the unique features of CyberGRX:

  • 14,000 self-attested assessments
  • Proprietary predictive risk data on over 250,000 companies
  • Threat intelligence data and tools

And yes, we do provide you with a security rating too, to use in conjunction with all the other tools and data points. But make no mistake: we don’t just give you information and a score; we also equip you with the tools to prioritize mitigation. Our goal is to help you address your most pressing concerns and give you confidence in your third-party risk management decisions, confidence that security ratings alone cannot offer you.

Functional Comparison of CyberGRX and Security Ratings Tools

Compare for Yourself

Choosing the right TPRM solution for your organization is a big decision. Even if you’re not sure about security ratings vs. a collaborative risk exchange, or about the benefits CyberGRX offers you, we invite you to book a no-obligation demo. See how it works: give us a list of your third parties and we’ll show you the risk they pose to you, as well as the tools available to help manage your vulnerabilities. If nothing else, you’ll walk away with valuable insights about your third-party blind spots. Book a demo now.