Looking for folks with experience relying on vendor security rating services such as SecurityScorecard. How reliable are these services and from a vendor technology risk perspective, would you recommend using these services?
I've looked at a lot of these from an RFP / evaluation process (not going to name names, though). There's a lot to offer, but for me, where the rubber always hit the road was when I asked the question, "Can you viably replace my current vendor risk management process?" The answer was typically in the negative - they always saw themselves as a supplement to the process. Which brings us back to your question. I think if you're seeking a supplement to your current evaluation program, these can add great value and insight, but for a price. However, if you're looking to replace your own vendor management program, it's probably not going to work. A few caveats: I think if you don't have one, and are looking to build one out, this could take you up a level, for the short term. But you shouldn't depend on them in the long term. Also, if you are seeking to gain some level of cyber insurance, there does seem to be some motion in the industry towards these "credit score"-like solutions. It's still a little early, IMO, to fully commit to them for this purpose.
I don't have much experience with the rating services. While I think they are useful, I'd place much less emphasis on the rating as compared to vendor service agreements and compliance. In short, I'd rather a vendor provide me documentation they are in compliance with - fill in the blank - than rely on a third party rating. That raises the challenge: What if you have a suspect vendor but they are willing to put in writing they are in compliance compared to a great vendor that doesn't put compliance in writing. From a regulatory standpoint, you are almost forced to go with the former vendor even though, likely, the latter will be better.
The problem with the vendor "Security Assessment questionnaire" approach is that it is a point in time and is not reflective of overall security "hygiene" over time. Kind of like asking a child to clean their room. It may be tidy for an hour, but the child is still messy 🙂 The good thing about rating services is that they measure behavior over time, which I believe is more predictive.
Alex41 - I agree with your comments about "point in time" in a vendor assessment. The issues for me are twofold. First, as anyone who has done a vendor assessment knows, it's in the course of doing them that you discover things that are specifically important or relevant to your business. These are the "peel you off the ceiling" moments that you don't really discover because you know your business, and what is important to you. A rating service will not give you this. Second, the rating service is still (somewhat) point in time. The service typically requires engagement from the vendor being rated, or a lot of investigation by the vendor, themselves. The other thing I didn't mention in my original post was adoption. I was constantly asking the rating companies, how many companies in your database? The answers I got were not encouraging. Think 100s to 1000s. Of course, they were willing to engage with the vendor "on your behalf" and for a price. This may be getting too deep into the muck, but I always replied to that with a smile, a question and a comment: "So you want me to grow your database of vendors and pay for it too? Good thing you get to use my company's name in order to engage too."
I think that's why I'm more or less sticking with my standpoint that they are a good supplement, and may be useful for insurance or regulatory purposes later. Although, I absolutely agree with your point, Alex41, and I think it's very thoughtful. But the better internal vendor assessment programs I have been part of building typically review the vendor every 1-3 years depending on criticality. For the most part, I think this is sufficient.