2023-07-03 12:32:00
Cyber rating: the difficulty in establishing a…
On June 19, the Club of Information and Digital Security Experts (CESIN), of which I-TRACING is one of the historical founding members, published a press release to share its concern regarding the proliferation of cyber rating agencies. For CESIN, “the absence of a shared method and reference system” does not allow clients and assessed companies to find out regarding the reliability and impartiality of the ratings. For the club, the danger is that a company can present a good note without even respecting the basics of security. It is with this observation that CESIN demands “total transparency of the methods and algorithms of cyber rating agencies as well as the development of European leaders”.
The cyber rating is used to rate companies on their cybersecurity. This is a process widely used by insurers in the context of subcontracting contracts. In this context, Laurent Besset, Cyberdefense Director at I-TRACING, specialist in cybersecurity services, reacts:
“If there is no universal cyber rating today, it is above all because private and competing companies first seized a market that has become very profitable.
We therefore have to juggle on a daily basis with a wide variety of scores, often constructed from very similar indicators, but never with the same calculation formula.
If the concerns of the community appear justified with regard to certain limits (problem of exhaustiveness of the monitored perimeters, side effects created by certain architectures, in particular Cloud/SaaS services positioned in front of the company’s assets, case of Wi- Fi guest, etc.), it is a shame not to exploit a majority of relevant detections (exposure of dangerous ports, assets exposing obsolete and vulnerable software, virus infections, etc.).
The rating remains a rather reliable indicator of “non-quality”. It is indeed rare for a company with a poor rating to be very mature in terms of information security. On the other hand, the fact that a company has a good rating does not guarantee that it is “secure” because a good rating is not self-sufficient.
It is therefore necessary to take the note and the associated alerts for what they are: elements to be taken into account within a much broader beam.
There is a significant bias that is introduced regarding the expectations of companies towards this service. On the one hand, there are customers who see cyber rating as a tool enabling them to reduce their attack surface and have every interest in ensuring maximum coverage. The latter will tend to complete the list of assets self-discovered by the service thanks to an inventory of missing and known assets. On the other hand, there are customers who only see the rating and its value in terms of image (vis-à-vis insurers, customers, partners, etc.). For them, there is no interest in completing the self-discovery list and taking the risk that an asset unknown to the service, declared in addition, will downgrade the rating. »
1688388242
#Cyber #rating #difficulty #establishing #a..
