Not all cyber scores are equal
We are often asked, "What's in a score?" and what makes one vendor's scoring composition or algorithmic approach different from another's. In this post we will attempt to answer that, at least as it relates to cyber scores of a counter-party. Hopefully this is useful for those concerned about the cyber hygiene of their suppliers, vendors, and counter-parties, which would include both public and private sector organizations.
Introduction
The old cyber scoring business has needed a serious reboot. Vendor "self-assessments", simple "checks", and steep pricing have made these solutions less valuable to the CISO and to the broader organization. We saw the need for a new paradigm, so we acted on it by building one.
1. Not all scores are the same.
Most, if not all, are based on detection of specific current-state vulnerabilities of some type, be it in infrastructure, a cloud environment, etc. I equate this to saying, "Hey, this score is telling me it's raining out, right now." That is invariably reactive, and it tells the user nothing about what is likely to happen, because this score type only reflects a state of easily discernible "knowns".
2. Very few are based on data science or prediction using heuristics.
For instance, our cyber scores measure the risk of the organization's cyber proficiency being telegraphed to the world, surfacing indicators of whether the counter-party likely possesses a strong cybersecurity proficiency or, conversely, has poor cyber hygiene. I equate this to saying, "Hey, it's going to rain very soon, or maybe not today, but it's going to rain, and it will rain more often for this supplier than for that supplier based on the signals they reflect to the world." This is proactive decision intelligence.
3. Most scores are evidenced in a dashboard and are expensive.
Most TPRM vendors have made a healthy profit on a very expensive business model, where costs often reach $1,500 or more per supplier, per year, for continuous monitoring. MeasuredRisk's Cyber Hygiene Score is a fraction of that price for a reason: to accommodate an organization's entire supply chain, program, or procurement list. For instance, you can run our API against tens of thousands of suppliers, stack rank them all at once, and do so continuously. The pricing models of our competitors make it untenable to do so at scale, even for the largest customers, who typically monitor only 10% of their entire supply chain.
4. Most scores are singular in risk archetypes offered.
MeasuredRisk is driven by multiple risk archetypes, looking at other attributes such as supplier survivability, which measures how long the supplier will likely remain a concern, and how much operational resilience they have. This means you are also measuring dependency risk.
There are other aspects to consider here, but certainly what's in one score vs. another absolutely matters, because it determines whether you are able to be proactive rather than reactive in your cybersecurity and, more broadly, in your supply chain risk posture.