What is the difference between SecurityScorecard and CyberGRX?

In today’s business environment, dependence on third-party vendors to deliver a service is becoming a part of normal operations. Businesses of all sizes are increasingly reliant on third-party vendors to provide critical services, making it essential to assess and manage the security risks associated with these vendors. This is where third-party risk management (TPRM) comes in. 

TPRM is a process that helps organizations identify, assess, and mitigate risks associated with third-party vendors. A couple of key components of TPRM are the use of security rating services and security assessment questionnaires.  

Security ratings, like SecurityScorecard, are a standardized way to measure and compare the security posture of different vendors based on collected IT and vulnerability information about a company.  

Security assessment questionnaires, like the CyberGRX questionnaire, are sent to specific vendors and ask them to describe their own security posture and practices. 

There are a number of different security rating services and questionnaire management platforms available, but two common ones are the SecurityScorecard security rating service and the CyberGRX questionnaire exchange. Both companies provide a view of a vendor’s security posture, but there are some key differences between the two. 

SecurityScorecard Dashboard UI, source: securityscorecard.com 

CyberGRX Dashboard, source: cybergrx.com


What is SecurityScorecard used for?

Understanding and managing cybersecurity risks is paramount. Security rating services like SecurityScorecard have emerged as a pivotal tool in this endeavor, offering insights into an organization’s cybersecurity posture and that of its third-party associates. 

Below is an overview of what SecurityScorecard is and how it benefits enterprises as they evaluate third-party vendor risk.  

SecurityScorecard is a TPRM platform that provides a continuous assessment of a vendor’s security posture. The platform collects data from a variety of sources, including public records, vulnerability scans, and breach history. SecurityScorecard then analyzes this data to generate a security rating for each vendor. The company also offers a number of other services, such as vendor onboarding and remediation support. 

These are some of the use cases that the SecurityScorecard security rating and other BitSight competitors address: 

  • Quantifiable Metrics: Instead of vague assurances, organizations can present a concrete security rating score to demonstrate their cybersecurity posture. 
  • Continuous Monitoring: Security ratings offer a dynamic assessment, allowing organizations to understand the latest risks and vulnerabilities that are impacting their organization. Plus, continuous monitoring is often a compliance requirement. 
  • Benchmarking: Organizations can compare their ratings with industry peers, identifying areas of improvement and ensuring they meet or exceed industry standards. 
  • Accurate Risk Representation: Newer companies in the security ratings industry, like FortifyData, have newer methodologies that can incorporate additional risk factors other than external facing ones and their inclusion in the analysis can provide a more accurate and contextualized view of cyber risk published as a rating. 


SecurityScorecard is a commonly used security rating services vendor and has been featured in a Gartner Magic Quadrant review. Further detail on security rating services can be found on our What are Security Ratings Used For? blog. 

Who are SecurityScorecard's competitors?

Many organizations think their choice for a security rating provider is limited to SecurityScorecard, BitSight, or other TPRM solutions like CyberGRX, but there are many other SecurityScorecard competitors, some of which are listed below:  

  • BitSight 
  • Black Kite 
  • CyberGRX 
  • FortifyData 
  • Panorays 
  • Prevalent 
  • RiskRecon 
  • UpGuard 

What does CyberGRX do?

CyberGRX, according to their company website, is “the world’s first and largest third-party Exchange, equipping you with the cyber risk intelligence you need to make more informed decisions, in less time.” 

One of the main benefits of CyberGRX is their Global Risk Exchange (GRX). This is a library of self-attested CyberGRX questionnaires, some validated by third-party auditors, that companies can access and reference as part of their third-party risk management diligence process, both for new vendor review and as an aspect of continuous monitoring of third parties. The CyberGRX questionnaire exchange concept touts the time organizations save by having an attested or validated questionnaire available for reference instead of the traditional ‘back-and-forth’ transmission of questionnaires.  

Based on the questionnaires and supplemented with additional risk intelligence, CyberGRX can provide a predictive risk gauge for third-party vendor teams to evaluate companies. 

FortifyData’s Methodology and Difference Between SecurityScorecard and CyberGRX

FortifyData, a SecurityScorecard and BitSight competitor when the focus is narrowed to just the security rating, provides a standard security rating scale similar to a credit score. The security rating scale we employ ranges from 350 to 900, with explanations below.  

FortifyData, when compared to CyberGRX, also has questionnaire management and exchange capabilities. Since FortifyData also conducts external attack surface assessments of vendors, we are able to auto-validate some of the applicable technology-related questions in the questionnaire. As an example, if a questionnaire asks whether critical vulnerabilities are remediated within 30 days, our external assessments may identify unpatched critical vulnerabilities that have been exposed longer than the attested window, and we would flag that as a contradiction of the response for the client and third-party vendor to review. 
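The contradiction check described above, as an added illustration that is not FortifyData’s code: an attested "critical vulnerabilities patched within 30 days" answer is compared against constructed external scan findings, and any critical finding exposed longer than the SLA is returned as evidence. The question wording, asset names, finding fields and CVE placeholders are all constructed for the example.

```python
"""Cross-check a questionnaire attestation against external scan findings.

Illustration of the auto-validation idea, not a vendor's implementation.
All asset names, dates and identifiers below are constructed.
"""
from dataclasses import dataclass
from datetime import date

CRITICAL_PATCH_SLA_DAYS = 30  # the "within 30 days" window the questionnaire asks about


@dataclass(frozen=True)
class Finding:
    asset: str        # externally observed host (constructed name)
    cve: str          # placeholder identifier, not a real advisory
    severity: str     # "critical", "high", ...
    first_seen: date  # when the external assessment first observed it


def overdue_critical_findings(findings, as_of, sla_days=CRITICAL_PATCH_SLA_DAYS):
    """Critical findings that have stayed exposed longer than the SLA allows."""
    return [f for f in findings
            if f.severity.lower() == "critical"
            and (as_of - f.first_seen).days > sla_days]


def validate_patching_response(response, findings, as_of):
    """Compare the vendor's yes/no attestation with the scan evidence.

    Returns a status of 'contradiction' (vendor said yes, evidence says no),
    'consistent', or 'unverifiable' (free-text answers cannot be checked
    from the outside and are routed to human review instead).
    """
    answer = response.strip().lower()
    if answer not in ("yes", "no"):
        return {"status": "unverifiable", "evidence": []}
    overdue = overdue_critical_findings(findings, as_of)
    if answer == "yes" and overdue:
        return {"status": "contradiction", "evidence": overdue}
    return {"status": "consistent", "evidence": overdue}


# Constructed sample data: assessment date and three observed findings.
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("vpn.example-vendor.test", "CVE-PLACEHOLDER-1", "critical", date(2024, 5, 1)),   # 60 days exposed
    Finding("www.example-vendor.test", "CVE-PLACEHOLDER-2", "critical", date(2024, 6, 20)),  # 10 days, within SLA
    Finding("mail.example-vendor.test", "CVE-PLACEHOLDER-3", "high", date(2024, 3, 1)),      # not critical
]

if __name__ == "__main__":
    result = validate_patching_response("Yes", SAMPLE_FINDINGS, AS_OF)
    print(result["status"])  # contradiction: one critical finding is 60 days old
    for f in result["evidence"]:
        print(f"  {f.asset} {f.cve} exposed {(AS_OF - f.first_seen).days} days")
```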

FortifyData enables clients to reflect the context of their business and cyber risk in the security rating. Clients can classify identified assets by operational criticality (also allowing for identification of data types on devices) and respond to identified risks by recording the compensating control(s) in place that reduce the likelihood of threats occurring. This allows the published security rating score to represent the client’s risk as accurately as possible. 

FortifyData enables clients to create additional, configurable security rating risk models to produce security ratings unique to their cyber risk appetite and threat profile. The weightings of the factors can be adjusted to help further tune the risk representation of a company as ‘one-size-fits-all’ rarely works effectively. 

The FortifyData security rating score methodology is publicly available and details the specific cyber risk and vulnerability factors that go into the security rating as well as their weightings. We are the only security rating provider with a patent pending on configurable security rating risk models, which allow clients to create additional security rating models in which they define how heavily each factor affects the security rating scale. 

What are the differences between SecurityScorecard, CyberGRX and FortifyData?

| Feature | CyberGRX | SecurityScorecard | FortifyData |
| --- | --- | --- | --- |
| Data Collection Methods | Questionnaires from companies | Public records, vulnerability scans, breach history | Active scanning of organizations, threat intelligence associated to identified assets, and questionnaires from companies |
| Frequency of Updates | Monthly | Monthly or longer, depending on when and how specific data is collected on a company | Weekly, or at another client-specified interval |
| Methodology | Proprietary | Machine-learning assignment of a security rating based on a variety of factors | Findings from direct assessments are analyzed with an AI platform to prioritize vulnerabilities and identified threats |
| Target Audience | Large enterprises | Businesses of all sizes | Businesses of all sizes |

Now You Know the Difference Between SecurityScorecard and CyberGRX

The CyberGRX questionnaire exchange and the SecurityScorecard security rating service are both TPRM platforms that provide a valuable service to businesses of all sizes, just in different ways. The best platform for a particular business will depend on the specific needs of that business. 

If you are interested in learning more about TPRM capabilities from FortifyData – Security Ratings, Vendor External Assessments and Questionnaire Management – for your business, please contact us today. 
