Moody’s recently launched their Vendor Information Risk (VIR) ratings service. The main objective of this service is to reduce the overall burden of conducting risk assessments for organizations, as well as their service providers. The whole idea being that if Moody’s can do a risk assessment on behalf of multiple subscribers, it can make the assessment process a lot more efficient. The service provider will not have to go through multiple assessments and the subscribers will share the cost, and therefore have a much lower price point.
Many CISOs I talk to are sick of performing third party risk assessments; it takes up valuable time, is expensive, and most importantly, pulls resources away from doing actual security work within the company. On the other hand service providers are also having a hard time keeping up with these assessments. A compliance manager at a large service provider estimated that they responded to over 300 audit requests in 2007, and that number would be around 400 in 2008. Thus, a service like this could potentially save millions of dollars for service providers and subscribers.
Industry efforts, such as the BITS framework, have so far focused on providing methodologies but haven’t really addressed the issue of building a platform to ensure consistency across assessments. It was refreshing to see this service from Moody’s that endeavors to take the burden off of your shoulders.
If this service delivers on its promise and is able to gain traction, it has the potential to move others in the industry to follow its approach. Although I think this is a great idea, here are some things to keep in mind as you evaluate this service for your organization.
- It can reduce the time, resources, and cost, if enough people use this service. There is no question that it would be much cheaper, less resource intensive, and a lot quicker to go through a Moody’s report as opposed to doing the assessment yourself. The trick would be to convince your service provider to go through an extensive assessment (Moody’s estimates two-three weeks), spend a substantial amount of money (Moody’s primary business model estimates US$ 23K for the initial rating and US$ 10K/year monitoring, volume purchase agreements are also available) for an assessment that may not be accepted by many other organizations. So the real value for a service provider be to have multiple companies subscribing to the VIR service.
- Ongoing monitoring reduces time consuming remediation follow-ups. I think this is a very valuable part of the service if Moody’s gets it right. They will rely on a quarterly questionnaire and publicly available sources to identify changes in a service provider environment. Thus, it may be a little bit of challenge to get a clear risk picture if the service provider isn’t honest in providing all the necessary information or if the information isn’t public. Having said that, it is still better than the current situation where there is no monitoring at all, just an annual audit. Quarterly follow-ups on previously identified decencies by Moody’s will also ensure that the service provider stays on its toes.
- Consultant expertise and consistency in scoring will improve over time. Having done a lot of assessments myself, you get better and more consistent as you go through the assessment process repeatedly. Although the current consultant skill set seems pretty good and appropriate checks are in place to check for consistency, it is only natural that different consultants will assess differently. Security assessments may be a very different beast compared to the financial assessments that Moody’s is used to doing primarily because there is a decent amount of subjectivity in these assessments.
Lastly, the pricing structure may also influence the decision making for subscribers as well as service providers. I personally think that the current pricing structure is pretty reasonable for the current marketing conditions. Lets hope Moody’s is able to nail this one. What do you think about this service? Does it address your pain points? Are you skeptical? I’d love to hear your thoughts on this.