
Use a Cyber Security Score to Measure Your Environment
Written by CISOSHARE
February 27, 2018
Common Uses of Cyber Security Scores
A cyber security score is a number that gives you an idea of the state of your security program. The numerical scale the score is based on varies with the provider, but the goal of each of these different scores is to help an organization understand the strength of their cyber security program.
There are as many approaches to generating this score as there are cyber security score providers, but some of the most important factors include:
- The way data is collected or input for the calculation
- The types of data that are collected
- How the data is measured
- Who has access to the security score
- How the score will be used
- How an organization can improve their score over time
Input Collection Method
A cyber security score is always derived from a set of data and inputs collected from the organization being scored.
Inputs can be collected manually or dynamically by the score provider. In some cases, the organization being assessed can directly supply this data. In other cases, the score provider can monitor an organization without their control or input.
Manual Input Collection
Manual input collection involves an organization submitting information on their own, or the score provider gathering discrete data points through their monitoring.
This usually involves gathering information such as process documentation or other items for consideration.
Dynamic Input Collection
Dynamic collection is usually carried out by technical means over a period of time, without a user or assessor entering the data by hand.
Score providers can, for example, run an automated analysis of an organization’s IP reputation, or gather data about the behavior of an organization’s employees.
Types of Inputs Collected
The inputs that the score provider collects can be either internal or external characteristics of an organization.
Internal Characteristics
Examples of internal characteristics include the number of employees, the types of internal security technologies deployed, or the internal security processes at the organization.
Internal characteristics are generally more difficult to collect automatically or without the permission of the organization being scored.
External Characteristics
Examples of external characteristics include items such as an organization’s IP addresses, or chatter on the dark web that involves the target organization.
External factors are usually publicly available to anyone who knows how to find and collect the information. As a result, this information can be collected without the permission of the organization being scored.
Common Uses and Purposes for Cyber Security Scores
As cyber security scores become more prevalent, they’re becoming increasingly important in the way that organizations conduct business.
Currently, some of the most common uses for these scores are vendor management, cyber insurance, and helping an organization understand and improve its own cyber security environment.
Vendor Management
The security of customer and client data is central to how organizations conduct business and operate. Understanding the security practices of your vendors is therefore an important part of maintaining the confidentiality, integrity, and availability of client information.
Organizations can utilize cyber security score providers to measure and score all their suppliers and business partners for a simple means of tracking their security practices.
The score provider can aggregate and organize the scores of the measured downstream business partners to identify trends and potential risks.
In terms of who gets the most value from these scores, it is the organization that uses the cyber security scores of its business partners that derives the most value from them.
The organizations being scored have little to no control over how their scores are used or shared, since the score is delivered to the organization that requested it.
Cyber Insurance
Cyber insurance providers can contract a security score provider to score an organization that’s seeking insurance.
The score gives the insurance provider insight on the state of the organization’s security practices to determine their set premiums, coverage, and insurability.
In this case, the requesting cyber insurance provider again receives all the benefit of the cyber security score, and the organization being scored has no control over how its score is shared or used.
Understanding and Improving Cyber Security Environments
For organizations that seek to score and understand their own organization’s security environment, Cyber Progress Index is the only cyber security score provider that measures an organization’s ability to make progress.
The CPI score is calculated from four factors:
- An organization’s ability to establish a benchmark or starting point for its program and to define what security means in its environment
- How well they can measure against that benchmark
- Whether the organization’s key decision-makers can make well-informed decisions based on that measurement and other data
- The ability of the organization to execute these decisions
Organizations that request their own score are the ones that derive the most benefit from it.
Because the assessment is motivated by wanting to know and understand their own cyber security state, these organizations receive recommendations and next steps, and so have the opportunity to improve both their score and their cyber security program.
To improve your cyber security program, start with measuring and understanding your current state.