Connect with us

Hi, what are you looking for?


Risk Management

Consortium Promotes Principles for Fair and Accurate Security Ratings

Under the aegis of the U.S. Chamber of Commerce, more than 40 companies — including some of America’s largest banks and tech companies — have signed up to a set of new guiding principles for fair and accurate security ratings.

Under the aegis of the U.S. Chamber of Commerce, more than 40 companies — including some of America’s largest banks and tech companies — have signed up to a set of new guiding principles for fair and accurate security ratings.

Security rating has become an emerging technology over the last few years, with companies such as BitSight (which raised $40 million in Series C financing, September 2016), RiskRecon, and SecurityScorecard all offering to rate the security of companies and products. It’s a valuable service, helping organizations better understand the security of their supply chain, and helping cybersecurity insurance companies understand the risk inherent in potential customers.

But there are difficulties. In a statement Tuesday, Ann Beauchesne, an SVP at the Chamber of Commerce, explained, “There is, of course, the potential for the rating to be inaccurate, irrelevant, incomplete, or unverifiable. Problematic source data can create unfair and unreliable ratings, which serves neither the consumers of security ratings nor the organizations whose programs are rated.”

One of the problems is the ‘black box’ nature of the scores. The rating companies collect data — sometimes with and sometimes without the knowledge of the target company — from a wide range of sources. This data is fed into a proprietary algorithm and, simplistically, out pops a score. The value of a complex security program reduced to a single score is not always apparent or verifiable.

To solve this problem she continued, “a group of U.S. Chamber member companies have worked closely with security rating companies to develop a concrete set of principles (PDF) to increase confidence in, and usability of, fair and accurate security ratings.”

The principles comprise transparency; dispute resolution; accuracy and validation; methodology model governance; independence; and confidentiality — and the attempt is to bring consistency and credibility to an emerging market. 

“The fact that so many large organizations are coming together on this issue shows that the Security Rating Services market is here, real, important, and essential for the future of B2B risk management,” BitSight’s SVP Jake Olcott told SecurityWeek.

Advertisement. Scroll to continue reading.

While insurance providers can use ratings in their premium calculations, by far the bigger market comes from general commerce. Most large companies now have thousands of new cloud services as part of their supply chain, and CISOs struggle to get an accurate view of the risk they bring. This unquantifiable risk will only grow,

By 2020, claims Olcott, security ratings will be as important as credit ratings. “Just as credit ratings are part of every B2B transaction,” he said, “so too will security ratings become a critical element. [There are] many reasons for this, including the ever-expanding business ecosystem, the explosion of third party breaches, the challenge of finding cyber security and risk talent, and the difficulty in assessing cyber risk of the ecosystem at scale (quickly and cost-effectively).”

For that to happen, there must be trust in the accuracy and consistency of the rating process and the rating scores — both between scores from the same rating company, and between scores generated by different companies. Backed by major cross-sector companies such as Goldman Sachs and JPMorgan, Microsoft and Verizon, and Starbucks and Eli Lilly, the Chamber of Commerce principles will go a long way towards providing that trust.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.