Ask a room full of CISOs about cyber risk ratings (CRR) platforms, and you’ll find no shortage of opinion — hot or cold but never indifferent. Like a judges’ panel in a “Top Chef” culinary competition, customers critique missing or poorly planned components of the “dish.” And like the competing chefs, ratings vendors often struggle with editing their dish to provide a unique yet solid “plate” that both appeals and meets the challenge’s intent.

While the CRR market is over a decade old, CRR platforms traditionally lacked key ingredients to satisfy customers’ cravings. The most important one? Trust. Half-baked use cases, poorly articulated scoring recipes, and overcooked security findings made it difficult for customers to enjoy their plate.

Today, the caliber of chefs in the CRR kitchen is improving. Technical challenges with CRR platforms still exist, but vendors are rethinking the ways they deliver, investing more in technical accuracy and efficiency, and expanding their services and support to meet more relevant security and third-party risk demands. Savvy customers look for vendors that:

  • Obsess over trust. We don’t mean sparkly PR campaigns that view ratings through rose-colored glasses; we mean CRR vendors making trust an imperative in the way they do business. By publishing a public rating, CRR vendors assume a fiduciary-like level of responsibility and due diligence associated with integrity, consistency, competency, and transparency. Differentiated vendors are beginning to take this role seriously, but it’s a journey rather than a destination.
  • Continuously improve their discovery and attribution methods. How a CRR vendor discovers, attributes, and validates assets and findings sets the good apart from the great. But for many years, customers have had to put up with just good enough. Differentiated vendors have taken these complaints seriously, leaning into external attack surface management methods to give rated entities more control over their data.
  • Know the difference between risk ratings and risk quantification. A risk rating is not a quantitative measure of risk — full stop. It’s a score based on security indicators that correlate with risk. Risk itself is a scenario with some likelihood (a threat actor impacts an asset via an attack vector) and impact (resulting in different forms of material loss). Cyber risk quantification, by contrast, directly measures the probability and material impact of a risk scenario. The two are related, but they are not the same.

The CRR kitchen is heating up, and our latest report, The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2024, is now live. Forrester clients can use this report for more insight on the CRR market and the 10 vendors that matter most, and schedule a guidance session or inquiry with me to learn more!