Visiting the doctor for a yearly wellness exam may not be on your list of favorite activities, but it can be a good way to stay healthy. If the doctor finds any indications of illness, it's always best to deal with them before they get worse, right? The same goes for taking your car in for an oil change and multi-point inspection before you end up stranded on a cold, dark highway in the middle of nowhere.
Your technology environment is really no different. Wouldn't you rather proactively have a multi-point inspection on your IT infrastructure to ensure it's secure, than fall victim to ransomware or a data breach? A great way to do that is with an S2ORG assessment (formerly FISASCORE), a scoring system which leverages various security frameworks to assess the administrative, technical and physical controls that are in place. The result of the assessment is a numerical score that represents the organization’s security posture, much like a credit score represents the state of our credit.
Credit scores are widely used by insurance underwriters and banking and financial institutions for calculating and managing risks. A standard, easy-to-understand security scoring system is just as crucial for those same organizations to evaluate the internal and external cybersecurity postures of their potential clients. As the need mounts for a mechanism similar to a credit score to evaluate an organization’s cybersecurity risk, it's wise to understand what a cybersecurity score is and how it works.
Who Should Care About a Cybersecurity Score?
Organizations of all types should care about cybersecurity scores. Here are three reasons why:
- To Assess and Compare Their Risk Level: The assessment process and the resulting score are a direct reflection of the initiatives made, or not made, to keep the organization safe from cybersecurity threats. A scoring standard makes it easy for an organization to determine its current risk profile and compare it to other organizations. Additionally, a scoring system offers a concise way to discuss security at the business level with executives, board members and investors. An organization's cybersecurity score is just as important as its credit rating and impacts everything from partnerships to insurance coverage.
- Insurance Costs: Cybersecurity insurance underwriters use these scores to determine the risk of insuring an organization. Organizations with higher scores are rewarded with lower costs for coverage, while those with lower scores will carry a higher premium cost.
- Partnerships: Organizations can use scores to determine who they do business with. Third parties with a poor security posture can have detrimental effects on the security and reputation of the groups that choose to partner with them. Companies that are looking to sell their services to other businesses should be keenly aware of their own security posture, as this can be an important component in partnership evaluations.
Is There a Cybersecurity Score Standard?
As with credit scores, no single standard prevails, but some measurement systems are gaining a lot of traction due to their ability to comprehensively and objectively assess how well an organization keeps its confidential information secure. As I stated earlier in this post, an S2Score (FISASCORE) assesses the administrative, technical and physical controls that are in place. The score you receive reveals the areas in your environment that need attention and provides a benchmark to track progress.
Cybersecurity scoring is on its way to being as ubiquitous as a credit score. Obtaining your score is just one of several approaches to securing an organization's IT infrastructure and ensuring your data stays confidential. Whatever method an organization chooses, it needs to be aware of its score, because the stakes are high and the impact is wide.
Joe is the Executive Vice President of ITSG at Loffler Companies, and has been part of the Loffler IT leadership team since 2015. He has a deep background in enterprise software with experience spanning the areas of Unified Communications, Workflow Automation, Contact Center, Collaboration and ERP/SCM/WFM. A little known fact? Joe used to be the drummer in a blues band called the Electric Trane.