The New Cyber Risk Rating: A Conversation with Panorays’ Chief Architect
Today, Panorays announced its release of the Cyber Risk Rating, a combined “bottom-line” rating of all of the cyber data available about a supplier on Panorays, including the Cyber Posture Rating, Smart Questionnaire™ Rating and business impact. Unique to Panorays, the Cyber Risk Rating enables security professionals to make quick decisions about their suppliers’ security.
To shed some light on what this all means, we reached out to Giora Omer, Chief Architect at Panorays, to explain.
How do the ratings work?
The Cyber Risk Rating combines data from the supplier’s responses to Panorays’ Smart Questionnaire™ with the Cyber Posture Rating—an external assessment that is based on over 100 security tests, typically from thousands of assets.
The Cyber Risk Rating has five levels:
These levels serve as critical thresholds to make business decisions. The Cyber Risk Rating is highly influenced by the evaluator-supplier relationship. The same supplier can have a different Cyber Risk Rating for different evaluators based on context. The rating can also be affected by periodic events such as critical findings and breach news.
What Makes the Cyber Risk Rating Unique?
When a security team assesses a supplier, they often must sift through a tremendous amount of data, which doesn’t necessarily give them actionable information. Critical findings, for example, can get lost in the Cyber Posture Rating, because it’s a weighted average of numerous tests and findings. This hinders the team’s ability to make fast decisions about, for example, whether to work with a supplier or not.
The Cyber Risk Rating is designed to address this problem. It takes into account temporal factors like critical findings to provide an updated status of the right now, rather than general security hygiene, which is also important. Essentially, it cuts to the chase, providing a rapid overview of a supplier’s security based on the organization’s particular standards and the context of the business relationship.
The Cyber Risk Rating is also unique because it is customizable. The organization determines which rating is acceptable and how to configure its risk policy.
How is the Cyber Risk Rating used?
Security professionals can use the Cyber Risk Rating as follows:
- In the vetting process, including RFI and M&A, it can establish a threshold that suppliers need to meet to do business with a company. For example, a company may decide to work with suppliers with a minimum Cyber Risk Rating of “Good.”
- During continuous monitoring, it can quickly identify significant changes in a supplier’s Cyber Risk—including rating drop or critical findings—that companies need to take action on.
- It can provide business owners and executives with a clear cyber overview of a supplier as it uniquely relates to their organization.
- It can serve as input for more general risk platforms.
How can customers benefit from the Cyber Risk Rating?
By using the Panorays risk rating model, customers can benefit from:
1. An overview of a supplier’s internal security policy, as reflected through the customized Smart Questionnaire™.
2. A “hacker view” of the supplier’s digital perimeter, as reflected through the Cyber Posture Rating.
3. A unique “bottom line” Cyber Risk Rating that combines the two ratings above with context and business relationship. This enables rapid and clear-cut decision making about working with a supplier.
Want to learn more about Panorays’ Cyber Risk Rating? Schedule a demo today.