Working on third-party security risk assessment or due diligence means that you will eventually use one of the many cybersecurity rating services to expand the coverage of your review. You may have thought, when designing the program, "We cannot just rely on security questionnaires, a pentest report from a few months ago, an (almost) outdated SOC 2 report, or an ISO 27001 Statement of Applicability. We need something more recent, automatically!"
But as more software and online service vendors are "fighting back" against the reports published by these cybersecurity rating services, it's natural to ask ourselves: "Is such a service still valuable as a complement to our third-party risk management (TPRM) program?"
Most of the time the complaint we hear from vendors is that these reports attribute the wrong IP addresses to them as their digital assets. Since most modern software vendors host their services on cloud providers such as AWS, the re-assignment and rotation of IP addresses among different AWS customers is a common challenge for security rating services that rely on "point in time" scanning: an IP address scanned last week may belong to a different tenant by the time the report is read.
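A practical way to handle the misattribution problem in your own review process is to reconcile each finding in a rating report against the vendor's current asset footprint before raising it with the vendor. The following is an added example written for this article, not code from any rating service or from FHIC; the hostnames, IP addresses, dates and findings are all constructed, and the resolution snapshot stands in for what you would gather from DNS at review time or from the vendor's attested asset inventory.

```python
"""Triage rating-report findings by checking whether each IP address is still
attributable to the vendor and how old the observation is.

Added example; all data here is constructed, not from any real vendor or
rating service.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    ip: str
    observed: date  # date the rating service last scanned this IP
    issue: str


# Constructed snapshot: what the vendor's own hostnames resolve to today.
CURRENT_RESOLUTION = {
    "app.example-vendor.test": {"203.0.113.10", "203.0.113.11"},
    "api.example-vendor.test": {"203.0.113.20"},
}

# Constructed findings, shaped like the rows of a rating report.
REPORT = [
    Finding("203.0.113.10", date(2024, 5, 2), "TLS 1.0 enabled"),
    Finding("203.0.113.20", date(2024, 4, 28), "Expired certificate"),
    Finding("198.51.100.77", date(2024, 3, 15), "Directory listing enabled"),
]

# Constructed date on which the TPRM reviewer reads the report.
REVIEW_DATE = date(2024, 5, 5)


def triage(findings, resolution, today, max_age_days=7):
    """Split findings into those still attributable to the vendor and those
    to challenge (wrong owner, or older than the freshness threshold)."""
    vendor_ips = set().union(*resolution.values())
    confirmed, to_challenge = [], []
    for f in findings:
        age_days = (today - f.observed).days
        if f.ip not in vendor_ips:
            # The IP no longer maps to any vendor hostname: likely re-assigned
            # by the cloud provider since the scan. Ask for a re-scan instead
            # of treating it as a vendor weakness.
            to_challenge.append((f, "ip_not_attributable"))
        elif age_days > max_age_days:
            # Attribution still holds, but the observation is older than the
            # freshness window the review accepts.
            to_challenge.append((f, f"stale_{age_days}d"))
        else:
            confirmed.append(f)
    return confirmed, to_challenge


def run_triage(max_age_days=7):
    """Run the triage over the constructed report with the constructed review date."""
    return triage(REPORT, CURRENT_RESOLUTION, REVIEW_DATE, max_age_days)


if __name__ == "__main__":
    confirmed, to_challenge = run_triage()
    for f in confirmed:
        print(f"confirm   {f.ip:15} {f.issue}")
    for f, reason in to_challenge:
        print(f"challenge {f.ip:15} {f.issue} ({reason})")
```

The freshness threshold is a program decision rather than a technical constant: with the default of seven days both attributable findings above are confirmed, while tightening it to five days moves the week-old certificate finding into the "challenge" list, which is where a reviewer would request the manual re-scan that some services offer.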
We at FHIC, as we continue to help companies globally with their TPRM programs, believe that cybersecurity rating services are here to stay, but yes, they need to be, and can be, improved, especially in terms of data accuracy:
1. Although the information in these reports can be considered "outdated" compared with how often and how fast cloud hosting providers rotate their IP addresses, relying solely on a SOC 2 audit report, an ISO 27001 certification, or a pentest report is not a better position to be in. Those documents are even more "outdated" than the rating service reports, which normally re-scan the digital world every few days or weeks.
2. We understand how costly "real-time" scanning is for these service providers, especially when they have to scan many billions of digital assets every day. So we think an information gap of 1-3 days is still valuable.
3. Some cybersecurity rating services actually allow their customers to manually trigger a new scan, which completes within 24-48 hours. That is very much still acceptable.
4. There is no perfect risk assessment methodology that one company can use to review its hundreds or even thousands of vendors every single year. We are all working with the (technological) capabilities available at this point in time, managing the risks as well as we can. A cybersecurity rating service is still good enough to extend a TPRM program beyond security questionnaires and the review of security assurance documentation.
5. Expecting every single company to perform its own independent and thorough manual security testing, as if every company should have its own pentester or red team, is not feasible.