It’s one thing to tell customers you’ve got the cybersecurity skills, processes and tools to keep them safe. It’s quite another to show them proof. CompTIA ISAO members now have that opportunity—thanks to a new partnership with SecurityScorecard that provides a cyber risk rating for their companies’ cybersecurity proficiency.
The risk rating is a badge that allows solution providers, MSPs, distributors, and tech vendors to either trumpet their cyber prowess—if they have a high grade—or see where they’re struggling and how they can improve. In either case, it’s valuable information to help your business, according to M.J. Shoer, senior vice president and executive director of the CompTIA ISAO.
“It’s a nice clear description of what your risk is and recommended steps to mitigate that risk. It’s important to show customers information like this so they know you’re paying clear attention,” Shoer said at CompTIA’s EMEA Member and Partner Conference in London, where the CompTIA ISAO was launched to UK companies. “Customers are going to start asking for third-party validated information about your business. Show it to your vendors too, ask them what their score is. It’s a way to monitor your supply chain. Help each other.”
The cyber risk rating is included at no extra cost in CompTIA ISAO membership and comes at a critical time for both MSPs and their clients, as cybersecurity threats continue to escalate and get more complex.
“My MSP brothers and sisters are getting killed. Offering the cyber risk rating as a [benefit] is amazing,” said Ian Thornton-Trump, CISO at Cyjax, executive council member of CompTIA’s Cybersecurity Community, and member of the CompTIA ISAO’s SME Champions Council. “Here’s the gritty reality, especially in the U.S. Cyber criminals will run over your organization and take out a number of customers. What’s going to happen? You’re going to get sued. What you need is something that says, ‘hey, we tried, we didn’t lie.’ With the risk rating, you have documented evidence of due diligence. It’s not going to work if it’s a D, but let’s give the advantage to the good guy.”
Users can generate a detailed risk rating report that describes where their risk lies, and how to fix it. For example, updating an outdated web browser might add five points to your score.
“Tell me what the risk is, then tell me how to fix it. Then you can put the report in front of every customer and every prospect you have that highlights your score,” Shoer said. “That report is gold to me.”
There’s Always Room for Improvement
Security concern among customers is real. Only 69% of respondents in CompTIA’s 2021 State of Cybersecurity research report feel that the state of cybersecurity is improving—down from 80% in 2020. Similarly, 70% of employees felt satisfied with their organization’s cyber approach, compared to 82% last year.
While it’s imperative that all tech companies work with customers to improve their cyber resiliency, unfortunately practices that were previously considered good enough might not be cutting it anymore.
The average risk rating score across 1,200 CompTIA ISAO members is an 81, Shoer said. Approximately 19% of members have earned an A, another 49% score a B, 19% score a C and 13% score a D.
“There’s a lot of room for improvement here. In one respect, there’s some good news but I don’t like the distribution of the grades. There are far too many MSPs that aren’t taking care of their own house. How can you deliver valuable services if you’re not taking care of your own house?” Shoer said. “We think this will be game changing for the industry. I wouldn’t be very confident trying to upsell security services if I’m sitting in the C or D quadrant.”
Making the World a Safer Place
SecurityScorecard’s goal is to give any company—including customers—comfort in knowing that their tech partners aren’t causing them any unnecessary risks, according to Jason Cowie, senior director of worldwide strategic alliances at the company.
“With most entities that have embraced digital transformation, the likelihood of a third-party breach is alarmingly high. Whether an entity is focused on improving its own security scorecard, or improving that of its supply chain, security ratings provide a non-intrusive way of measuring risk and exposure and offer meaningful remediations to improve their overall security posture,” Cowie said.
SecurityScorecard expects to be actively monitoring more than 20 million entities by the end of 2021.
“Ultimately, we’re focused on making the world a safer place. Security ratings are easy to communicate, non-intrusive, and allow entities to not only communicate their own cyber security posture, but also quickly assess the security posture of any entities in the world,” Cowie said.