12/06/2023

Cyber-Scoring in the Cybersecurity Evaluation Arsenal

At a time when Information Systems are becoming more fragmented, a major challenge for CISOs is the ability to quickly and continuously assess cybersecurity risks of their suppliers. This article shows how cyber-scoring reinforces the arsenal of tools available to meet this challenge.

The Multiplication of Suppliers and Subcontractors

As the French national cybersecurity agency ANSSI has pointed out regularly for several years, the stronger defenses of the largest companies and groups have led to a significant increase in indirect cyberattacks via suppliers and subcontractors, whose numbers keep growing with the digitalization of corporate services.

To manage this risk, CISOs must carry out many more assessments and controls of third parties, while cybersecurity resources, whether internal or external, are often scarce and particularly costly.

A Strategy Adapted to the Challenges

Among the possible responses, an increasingly common strategy is to categorize suppliers into tiers according to the business risks identified, then adapt the assessment method to each tier. One illustration comes from the CISO of a leading banking institution, who describes his approach as the “10, 100, 1000” method:

  • For the 10 most critical suppliers, traditional in-depth audits are carried out at frequent intervals by internal teams or external auditors; a costly method, but one that gives broad and deep coverage of the risks;
  • For the next 100 suppliers, a cybersecurity questionnaire is used less frequently; less expensive, it captures information on the supplier's organization and the processes it has deployed;
  • Finally, for all suppliers, the evaluation relies on an external cyber-rating solution, which gives an immediate view of cybersecurity risk and makes it possible to open a dialogue with, or audit, a third party when warranted, in particular if its rating deteriorates over the course of the contractual relationship.

By automating cybersecurity assessment and deploying it through external cyber-scoring, CISOs gain immediate visibility, continuous control and predictable costs, an answer adapted to the challenge posed by the multiplication of suppliers and subcontractors.
