Are you taking advantage of third-party risk assessments and cybersecurity report cards for your company?
In business, you need to be prepared for anything that can hurt or shut you down.
That’s why a second opinion from a third-party is critical to understand the actual state of your security environment. By validating your security stance and resilience to threats, you can prevent issues and risks before they impact your company.
But before you initiate a risk assessment, it’s important that you understand the potential vendors approach, including the way they score the findings. Many companies use a one-dimensional scoring of the results, indicating only what’s wrong or highlighting areas of improvement. This approach is misguided because it creates an adversarial relationship between the company providing the risk assessment and your vendor / teams.
Unless you’re considering replacing them, it’s better to take an approach where you, the client, set expectations for mutual collaboration and respect while confirming that your principle goal is to provide additional resources for your team and strengthen your overall security stance. By creating a professional, positive and collaborative tone, the extended team can collectively review and assess your strategies, executions and ability to mitigate future problems and risks.
In order to do this, you will find that a 360-degree report card is a better approach than a one-dimensional score as it can also validate what your team has done right. Further, a one-dimensional score can cost you more money than a full security report card. A one-dimensional score often leads to the assessor looking for risks, regardless of their actual impact on the company. For instance, when something gets listed as a medium risk for a particular subject, a lot of companies will interpret that as a need to remediate it as a priority. However, if that particular medium risk scoring was done only on the impact, or only on probability of occurrence, but not on both, you really don’t get a full picture. This means that reducing that risk will cost you more money than the risk profile is actually worth.
We have an example of this where a larger client hired a respected security company to assess their ecommerce platform, including the mobile application. They had indicated that something on the mobile application was a medium risk because certain information about the client in the mobile application on the customer phone was stored in in a less protected area. That meant that if a bad player looked to compromise or get a hold of the customer phone, they could get that information. Now, this wasn’t accessing the full credentials of the user, but it was nonetheless marked it as a medium risk.
Parabellyx was brought in to evaluate and provide a risk assessment for their work and our team found that not only did the threat actor need to physically access the phone for it to be compromised, but the compromise would only work if the phone is “rooted” and the default protection was removed. In North America this happens less than 1% of smartphones. So, yes, from the input perspective, there was a risk that may have been major, but for probability of occurrence and rate of occurrence, it would have been very, very low. However, to remediate the risk, the company was told that they needed to spend almost $200,000 in additional software development effort. By having a risk assessment completed before they engaged in that work, they were able to save that expense be understanding the full situation and likelihood of that risk impacting their business and that was just from a single finding. Most companies have multiple finding like this example.
This is why other security companies often hire Parabellyx themselves to provide a risk-assessment of their own work to avoid these very situations. The risk-assessment becomes part of their own security and business protocols in order to ensure that they are providing the best architecture and implementation for their own clients. That’s why we work well in a collaborative environment where we are protecting all of the parties involved in cybersecurity, including other vendors.
Our team at Parabellyx has some suggestions when you are looking to engage a company to provide a risk assessment:
- Is the company using a one-dimensional scoring or do they provide a full cybersecurity report card on what’s working, what needs improvement and what are real risks in the strategy or deployment?
- In addition to the risk, do they indicate the probability of occurrence and the circumstances that amplify the risk ?
- How collaborative is their approach with your own team and vendors?
- How much experience do they have providing risk-assessments?
- What is their process and approach in working with vendors, your security team and your executive management?
If you feel that any of the answers are one dimensional, this is likely not the right company to hire.
About Parabellyx
Parabellyx are security-matter-experts who take a focused and business aligned cybersecurity approach to developing strategies that accomplish your key business goals and objectives. We then train your entire organization in security, preparing you for any threat, until a security mindset is entrenched across your entire company, protecting and ‘future-proofing’ your information, your employees, your customers, your shareholders and your reputation. Contact us