The cybersecurity risk ratings (CSR) market is a bit like Marmite or SPAM (the pork product in a can, not the unwelcome emails) — some customers love it, others hate it. We see examples of both extremes in our customer interactions, interviews, and research on this market. Our responsibility as analysts is to highlight where CSR solutions can add value to firms’ cybersecurity and third-party risk programs, as well as to call out where further improvement is required to meet the evolving needs of customers. To that end, we’ve both spent the last few months reviewing this space by undertaking a Forrester New Wave™, and we’re happy to announce its publication today.
Our latest piece of evaluative research shows that the CSR space has made some improvement since our last CSR New Wave in 2018 but still has substantial ground to make up before it can be considered enterprise-ready.
Here are our top four observations on how customers are and are not using these solutions and the capabilities required to get the CSR platform market ready for “prime time.” For our full analysis, read “The Forrester New Wave™: Cybersecurity Risk Ratings Platforms, Q1 2021.”
- Customers are using CSR solutions primarily for supply chain security and for self-monitoring. Although CSR vendors market their ratings to support half a dozen use cases, from communicating cybersecurity to the board to M&A due diligence, customers overwhelmingly favor two: (1) monitoring their own external cybersecurity presence, and (2) vetting third-party relationships. Self-monitoring gives firms visibility into how their own customers and suppliers see them and gives security teams evidence to make the case for security with upper management. Monitoring the supply chain supports deeper vetting, quicker cyber risk due diligence, and continuous monitoring of changes in suppliers' cyber risk posture. These capabilities are a useful addition to the third-party risk management armory, but because a rating reflects only what is observable from the outside, they are not a substitute for multidimensional risk assessment.
- Most customers are not using the solutions to monitor their fourth, fifth, and nth parties. While many customers monitor their third parties, a significant number of the customers we spoke to were not using their ratings solution to monitor the sub-tiers (fourth, fifth, and nth parties). Many (but not all) of the solutions in this market can monitor fourth parties, yet customers cited price and platform usability as the two major barriers to wider adoption. At the top of the range, prices can reach $3,000 per continuously monitored supplier, so firms concentrate continuous monitoring on their most critical suppliers. Diving deeper into fourth parties is further constrained by budget and by having enough internal headcount to process and act on the results.
- Significant improvements to transparency and dispute resolution processes are still needed. A common complaint about this market is that if you challenge a ratings company's findings, the company in effect plays god, acting as judge, jury, and executioner in deciding whether to keep or remove a finding from your rating. This has gotten better over the past two years, but for many firms, the level of transparency over disputes, and even over how the rating models are constructed, still requires substantial improvement. We think that vendors in this market should set up an adjudication body independent of the ratings vendors to handle disputes in a fair and transparent manner, publishing the results of disputes and following through on any corrective actions by the vendors. Similarly, to build further confidence in the results these models produce, ratings vendors would benefit from external validation of their models. Some have already had their attribution of assets to companies validated; the next step is to validate that the risks identified are a genuine reflection of a given company's cyber risk (within the limitations of what can be said about a company based solely on its external posture).
- Cybersecurity risk ratings require better integration with security business processes. Finally, we would also like to see substantial improvement in how ratings data is integrated into, and usable within, broader security risk management and supplier due diligence processes. This does not mean that we expect ratings vendors to build questionnaire functionality and become third-party risk management (TPRM) or governance, risk, and compliance (GRC) vendors in all but name. We do, however, expect ratings data to be mapped automatically to the corresponding control responses a supplier has provided, so that the platform can highlight where the supplier's answer diverges from observed reality. Today, mapping questionnaire responses that live in GRC platforms to what the ratings data can say is still largely manual drudgery. Some ratings vendors already do this, but more need to up their game in this dimension to help security practitioners use ratings data in the context of the risks they're assessing. A rating on its own is meaningless; it's what the underlying ratings data tells us about observed risks that allows us to act and gives these solutions their potential value.
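To make the control-mapping point concrete, here is an added illustration (not code from any ratings platform or GRC product named or evaluated in the report). It assumes a hypothetical mapping from a ratings platform's finding categories to questionnaire control IDs, and the supplier answers and findings are constructed sample data. The logic flags only controls the supplier claimed to have ("Yes") that an external finding contradicts; "No" answers are consistent with the evidence and are not flagged, and findings with no mapped control are set aside for a human to triage rather than silently dropped.

```python
"""Reconcile a supplier's questionnaire answers against externally observed
ratings findings and flag divergences. Added example for this post; the
control IDs, finding categories, and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Hypothetical mapping: ratings finding category -> questionnaire control(s)
# whose "Yes" answer the finding would contradict. Real platforms use their
# own taxonomies; this table is an assumption for the example.
FINDING_TO_CONTROLS: Dict[str, List[str]] = {
    "tls_deprecated_protocol": ["NET-03"],
    "open_database_port": ["NET-07"],
    "missing_spf_dmarc": ["MAIL-02"],
}


@dataclass
class Finding:
    category: str  # ratings platform's finding type
    asset: str     # externally observed host or domain
    severity: str  # "low" | "medium" | "high"


@dataclass
class Divergence:
    control_id: str
    question: str
    claimed: str
    evidence: List[Finding] = field(default_factory=list)


def reconcile(responses: Dict[str, Dict[str, str]],
              findings: List[Finding],
              min_severity: str = "low") -> Tuple[List[Divergence], List[Finding]]:
    """Return (divergences, unmapped_findings).

    A divergence is a control the supplier answered "Yes" to that at least
    one finding at or above min_severity contradicts. Findings whose category
    has no mapped control are returned separately for manual triage.
    """
    threshold = SEVERITY_RANK[min_severity]
    by_control: Dict[str, Divergence] = {}
    unmapped: List[Finding] = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        controls = FINDING_TO_CONTROLS.get(f.category)
        if not controls:
            unmapped.append(f)
            continue
        for cid in controls:
            resp = responses.get(cid)
            # Unanswered or "No": the supplier made no claim to contradict.
            if resp is None or resp["answer"].strip().lower() != "yes":
                continue
            d = by_control.setdefault(
                cid, Divergence(cid, resp["question"], resp["answer"]))
            d.evidence.append(f)
    return list(by_control.values()), unmapped


# Constructed sample data (not a real supplier).
SAMPLE_RESPONSES = {
    "NET-03": {"question": "Do all public endpoints enforce TLS 1.2 or higher?",
               "answer": "Yes"},
    "NET-07": {"question": "Are database services blocked from the internet?",
               "answer": "Yes"},
    "MAIL-02": {"question": "Are SPF and DMARC enforced on all sending domains?",
                "answer": "No"},
}
SAMPLE_FINDINGS = [
    Finding("tls_deprecated_protocol", "www.example-supplier.test:443", "medium"),
    Finding("missing_spf_dmarc", "example-supplier.test", "medium"),
    Finding("exposed_rdp", "vpn.example-supplier.test:3389", "high"),
]

if __name__ == "__main__":
    divs, unmapped = reconcile(SAMPLE_RESPONSES, SAMPLE_FINDINGS)
    for d in divs:
        print(f"{d.control_id} claimed '{d.claimed}' but observed: "
              + ", ".join(f"{e.category}@{e.asset}" for e in d.evidence))
    for f in unmapped:
        print(f"unmapped finding for triage: {f.category}@{f.asset} ({f.severity})")
```

Run as a script, the sample flags NET-03 (the supplier claimed TLS 1.2+ everywhere, but a deprecated protocol was observed), leaves MAIL-02 alone because the supplier already answered "No", and lists the RDP finding as unmapped. Raising `min_severity` to "high" drops the TLS divergence entirely, which is the knob an assessor would use to focus a review on a supplier's most critical gaps.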
For further insight into how we view the CSR market developing, please see “The Forrester New Wave™: Cybersecurity Risk Ratings Platforms, Q1 2021” report (available for Forrester clients).