Many in the industry now are familiar with SSAE 16 and SOC audits and use them to show their systems are safe for lenders, consumers and other vendors to work with. Silicon Valley analytics firm FICO is offering an Enterprise Security Score to better identify security risks across the supply chain.
In a recent press release the company said its Enterprise Security Score helps enterprises vet the security risk of potential partners and monitor ongoing risk across an entire portfolio of existing partnerships. The results reflect the long-term stability of partners’ security practices, the effectiveness of security policies and the condition of network assets. The scores are delivered with robust capabilities for ongoing management and benchmarking, including the ability to organize entities into portfolios, create peer groupings, and generate and route alerts for changing conditions or behaviors.
“An institution’s liability for a data breach now extends throughout its entire supply chain,” FICO Vice President for Cybersecurity Solutions Doug Clare said in the press release. “As a result, organizations are responsible for security risks introduced by their business partners’ networks — risks that are beyond the immediate control of their respective IT departments. With enterprises often interfacing with hundreds or even thousands of vendors and business partners, the aggregate risk exposure is significant.”
FICO is one of a number of companies, such as UpGuard and SecurityScorecard, in the marketplace producing rating scores for companies’ security and risk management programs.
For its Enterprise Security Score, FICO data scientists explore a deep pool of historical data and security breach exemplars to determine mathematical, causal relationships between network conditions, organizational behaviors and negative outcomes, the company said.
FICO’s algorithm is built around an objective, forward-looking outcome: it is geared to measure the risk of a major breach in the next 12 months, rather than simply to assess current security posture. The score is delivered with reason codes, which allow scored organizations to identify and quickly remediate the weakest parts of their infrastructure and to improve their scores over time.