Ask a room full of CISOs about cyber risk ratings (CRR) platforms, and you’ll encounter a wide range of opinions—strong, but never indifferent. Like a panel of judges in a “Top Chef” culinary competition, customers scrutinize the missing or poorly executed elements of the “dish.” Similarly, ratings vendors often grapple with refining their offerings to present a unique yet robust “plate” that both appeals to and meets the challenge’s intent.
Although the CRR market is over a decade old, these platforms have traditionally lacked key ingredients to satisfy customers’ needs. The most crucial one? Trust. Half-baked use cases, poorly explained scoring methodologies, and overstated security findings have made it difficult for customers to fully appreciate their value.
Today, the expertise in the CRR field is improving. Technical challenges persist, but vendors are rethinking their approaches, investing more in technical accuracy and efficiency, and expanding their services and support to address more relevant security and third-party risk needs. Savvy customers look for vendors that:
Obsess over trust
This goes beyond glossy PR campaigns that view ratings through rose-colored glasses; it means CRR vendors making trust an essential part of their business practices. By publishing a public rating, CRR vendors take on a fiduciary-like responsibility, emphasizing integrity, consistency, competency, and transparency. Leading vendors are beginning to take this role seriously, understanding that it is a continuous journey rather than a fixed destination.
Continuously improve their discovery and attribution methods
How a CRR vendor discovers, attributes, and validates assets and findings distinguishes the good from the great. For years, customers have had to settle for "good enough": assets misattributed to the wrong company, stale findings, and no practical way to dispute either. Leading vendors are addressing these concerns, employing external attack surface management techniques to improve discovery and attribution and to give rated entities more control over the data that feeds their score.
Know the difference between risk ratings and risk quantification
A risk rating is not a quantitative measure of risk. It is a score built from externally observable security indicators (exposed services, certificate hygiene, patch cadence, and the like) that correlate with risk. Risk itself is a scenario with some likelihood (a threat actor impacts an asset via an attack vector) and some impact (resulting in various forms of material loss). Cyber risk quantification directly estimates the probability and material impact of that scenario, typically as a distribution of loss. The two are related but distinct: a rating can move because a certificate expired while the quantified loss for a given scenario does not change, and vice versa.
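To make the distinction concrete, the following added example (illustrative code written for this post, not any vendor's methodology) computes both quantities side by side. The indicator names, weights, and 0 to 100 scale of the rating are assumptions chosen for illustration, as are the scenario's probability and lognormal loss parameters; the scenario itself is constructed sample input.

```python
import math
import random
from dataclasses import dataclass

# --- Side A: an indicator-based rating -----------------------------------
# Hypothetical hygiene indicators and penalty weights (assumed for illustration,
# not a real vendor's scoring model). Each is an observable count, not a loss.
INDICATOR_WEIGHTS = {
    "expired_tls_certs": 5,
    "exposed_rdp_hosts": 15,
    "internet_facing_databases": 20,
    "domains_without_dmarc": 3,
}


def security_rating(indicators: dict[str, int]) -> int:
    """Return a 0..100 score: 100 minus weighted penalties, floored at 0.

    This correlates with risk but measures nothing about likelihood or loss.
    """
    penalty = sum(INDICATOR_WEIGHTS[name] * count for name, count in indicators.items())
    return max(0, 100 - penalty)


# --- Side B: cyber risk quantification -----------------------------------
@dataclass(frozen=True)
class RiskScenario:
    """A risk scenario: a threat actor impacts an asset via an attack vector."""
    threat_actor: str
    asset: str
    attack_vector: str
    annual_probability: float  # P(the scenario occurs at least once in a year)
    loss_median: float         # median loss given occurrence, in dollars
    loss_sigma: float          # spread of the lognormal loss distribution


def expected_annual_loss(s: RiskScenario) -> float:
    """Closed-form expected annual loss = P(event) * E[loss | event].

    For a lognormal with log-median m and sigma, the mean is exp(m + sigma^2/2).
    """
    mean_loss = s.loss_median * math.exp(s.loss_sigma ** 2 / 2)
    return s.annual_probability * mean_loss


def simulate_annual_losses(s: RiskScenario, trials: int = 100_000, seed: int = 1) -> list[float]:
    """Monte Carlo: one draw per simulated year; 0 if the event does not occur."""
    rng = random.Random(seed)
    mu = math.log(s.loss_median)
    losses = []
    for _ in range(trials):
        if rng.random() < s.annual_probability:
            losses.append(rng.lognormvariate(mu, s.loss_sigma))
        else:
            losses.append(0.0)
    return losses


def loss_exceedance(losses: list[float], threshold: float) -> float:
    """Probability that annual loss exceeds `threshold` (one point on a LEC)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


# Constructed sample input (not real data).
SAMPLE_INDICATORS = {
    "expired_tls_certs": 2,
    "exposed_rdp_hosts": 1,
    "internet_facing_databases": 0,
    "domains_without_dmarc": 3,
}

SAMPLE_SCENARIO = RiskScenario(
    threat_actor="ransomware affiliate",
    asset="order-processing platform",
    attack_vector="credential stuffing against the VPN portal",
    annual_probability=0.10,
    loss_median=500_000.0,
    loss_sigma=1.0,
)

if __name__ == "__main__":
    print("rating:", security_rating(SAMPLE_INDICATORS))
    print("expected annual loss:", round(expected_annual_loss(SAMPLE_SCENARIO)))
    sims = simulate_annual_losses(SAMPLE_SCENARIO)
    print("simulated mean:", round(sum(sims) / len(sims)))
    print("P(loss > $2M):", loss_exceedance(sims, 2_000_000))
```

Note that fixing an expired certificate raises the rating immediately but leaves the scenario's expected loss untouched; only a change to the scenario's probability or loss parameters moves the quantified figure. That is the practical meaning of "related but distinct."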
The CRR market is heating up, and our latest report, “The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2024,” is now live. Use this report to gain more insights into the CRR market and the 10 vendors that matter most. Schedule a guidance session or inquiry with me to learn more!