Cybersecurity Risk Dashboards: No Value, Extreme Liability
Over the last 12 months, “risk dashboards” became all the rage in cybersecurity, with varied titles such as “risk index,” “security baseline,” “security posture,” and “risk posture.” These dashboards appear in a vendor’s user interface and purport to help security programs improve. Some even offer coveted “benchmark data” that leaders can share with boards and executives. A more accurate name for these displays, designed to make cybersecurity teams feel insecure, would be: upsell dashboards.
But these dashboards limit themselves to the native telemetry/data collected from the specific vendor’s ecosystem of tools — and whatever myopic viewpoint the legacy vendor offering them uses — rarely taking the entirety of a security program and all controls present into account. Instead, the identified risks predominantly focus on features and functions the customer has yet to subscribe to. These dashboards identify gaps and opportunities, alright — gaps in what you as a customer failed to purchase and opportunities for the vendor to upsell.
These “upsell dashboards,” aka “risk dashboards,” create more risk than they reduce. They also act as liability shields for the vendors that offer them, disguised as a way to improve your program. We see two inevitable scenarios playing out in the future as these upsell dashboards become ubiquitous.
Scenario one: Imagine one of these dashboards tells you that your “risk score” is 76/100. Higher scores equal higher risk, and theoretically — but lacking any actual evidence — that equates to higher likelihood of a breach. The interface tells you to enable prevention rules, patch systems, and segment networks. In other words, it’s a typical list of things that you’d do with infinite time, budget, buy-in, people, and no competing priorities.
You never perform these tasks. Months later, a breach occurs. During the inevitable litigation, this dashboard becomes “plaintiff’s exhibit A.” It’s a visual representation of the things your security program let linger that helped the attacker enter, persist within, and steal from your company. A narrative emerges that you were “WARNED.” You were told via the dashboard that these issues existed, and you failed to correct them.
Cybersecurity vendors introducing liabilities isn’t really much of a shock; plenty of security products ship riddled with vulnerabilities. But the weaponization of these purportedly helpful dashboards to prove your ineffectiveness is a real risk that these dashboards get weaponized against security leaders and their companies.
Scenario two: Many vendors now offer warranties, guarantees, or embed cyberinsurance into their product or service. If their product proves ineffective, you can make a claim. Like any warranty or cyberinsurance policy, these come with lots of fine print. Imagine that the vendor uses these as evidence in denying a claim — proof that you failed to do what was suggested, resulting in denial of your claim. Security researchers already face legal roadblocks when publicizing their findings. Security vendors often prohibit disclosures of assessments of their products in the product’s end user licensing agreement, as well.
These stack the deck in the security vendor’s favor from a legal standpoint and eliminate valuable sources of information regarding product and service effectiveness. Couple that with a dashboard demonstrating that a security program failed to “make the recommended choices,” and denying claims becomes easier for the vendor. Adding “risk dashboards” and “posture recommendations” gives your vendor a liability shield to reduce the chance it needs to make good on those warranties bundled with various products and services.
What To Do About Upsell Dashboards
To be clear, the existence of the dashboard will not trigger litigation. The underlying issues create the liability. But these upsell dashboards do assist in manufacturing a compelling narrative that the security leader failed to make the right choices. A history of repeated warnings and recommendations to close security gaps goes a long way toward proving that a security leader did not take the cybersecurity and privacy of its customers very seriously after all. This is something that no security leader needs during litigation.
Some questions that security leaders should ask about these dashboards:
- If you can deactivate them, go for it. Tell your vendors that you don’t want these dashboards in your products and services in any capacity. Given how widespread they are, it’s likely too late for that recommendation to work.
- Ask about access to this security posture data. Given the economic downturn, many security vendors pivoted to an “all-channel” go-to-market. If you procured your product or service from a partner, does that partner have access to this information? Can the partner use it to upsell? If you have managed security services, or the vendor offers a service, it’s a virtual certainty that they have access to it — is that something you can restrict with permissions? Inside the vendor, who has access to this data?
- Determine whether you can opt out of your data that is being used for benchmarking purposes. If you receive benchmarking data, your data is USED to benchmark someone else. Ask about obfuscation, anonymization, confidentiality, data cleaning, and opt-out.
- If the security vendor experiences a breach, can adversaries obtain all the dashboard information? Stealing source code of a major application enables downstream attacks for years down the line. Stealing security posture data offers the same thing. Rather than conducting reconnaissance against a specific target, the adversary gained reconnaissance at scale. How is this information being protected, and is it protected differently than the rest of the platform?
Are you currently using one of your security vendors’ risk dashboards? We’d love to hear from you about your experience and how you use the information provided.