CyberSecurity SEE

The Continued Challenge of Evaluating Third Parties for Security Risk

A recent Forbes article highlighting America’s most cyber-secure companies has sparked a wave of controversy within the cybersecurity community. Although I haven’t read the article yet, I will discuss my thoughts before and after delving into its contents.

So, what exactly constitutes a cyber-secure company? While this definition may be subjective, here is a shortlist of companies that come to mind, roughly in order of importance: Google, Apple, Microsoft, and Amazon sit at the top tier, while Bank of America, Goldman Sachs, Fidelity, Capital One, Meta, LinkedIn, United Airlines, Akamai (disclosure: I am the former CSO of Akamai), Cloudflare, and Fastly make up the second tier. Of course, this list is not comprehensive, and it is purely based on my perception of which companies have extensive data and effective cybersecurity measures in place.

Upon reading the Forbes article, I discovered that United Airlines and Fidelity indeed made it to the top 20. However, the other financial services firms I had hypothesized about were only present in the top 100. Interestingly, the authors of the list agreed with me that United Airlines outshines others in its industry, which indicates that their CISO, Deneen DeFiore, is doing a commendable job. Nevertheless, there seems to be a disconnect between my perception and the actual ranking. What could be the reason behind this?

It turns out that the list is compiled by SecurityScorecard, a prominent participant in the third-party risk management (TPRM) industry. TPRM firms aim to give companies a mechanism for assessing the cybersecurity risk associated with their vendors. Companies like SecurityScorecard and its primary competitor, BitSight, follow a similar methodology: define a scoring model, evaluate each company against it, and assign a score accordingly. However, this process is far from simple.

To put it into perspective, imagine if credit reporting agencies assessed large enterprises using the same scoring algorithm applied to individuals. The results would likely be unfavorable for the companies since their scale and size present different challenges compared to individuals. For example, consider the size of Google’s perimeter, encompassing all its publicly visible IP addresses, in contrast to a chip manufacturer like Intel, which topped the Forbes list. Google’s vast IP space may make them appear vulnerable when examined superficially, especially if one considers the size of their attack surface as a criterion. However, this evaluation tells us nothing about Intel’s cybersecurity practices, which may differ significantly from website security.

In comparison, credit reporting agencies possess far more extensive data than TPRM scoring companies. These agencies operate within the financial system, collecting sensitive information that is not publicly available. TPRM scoring companies, on the other hand, perform a kind of “drive-by appraisal”: they analyze the externally visible footprint of a business on the internet and infer its reputation and security level from that. As a result, certain types of businesses will inevitably look more secure than others simply because of how they appear from the outside.

Unfortunately, the alternative to TPRM scoring is the TPRM questionnaire industry, which, while slightly more helpful, is still far from ideal. This industry revolves around sending extensive questionnaires to vendors and painstakingly reviewing the answers for potential red flags. Mature vendors have learned to provide answers that avoid any negative implications, leading to an entire industry dedicated to streamlining these questionnaires.

Solving the TPRM problem remains a challenge. Companies genuinely need to understand the risks they inherit from their vendors, both intrinsic and usage risks. However, neither the scoring nor the questionnaire approach effectively addresses this issue.

In conclusion, the Forbes article on America’s most cyber-secure companies has prompted a discussion about the effectiveness of TPRM and its methodologies. While the list may not align with common perceptions, it highlights the challenges faced by TPRM scoring companies in evaluating the cybersecurity posture of organizations. The TPRM problem persists, and a more comprehensive solution is needed to address the risks associated with third-party vendors effectively.
