Do Your Vendors Have Information Security That's Aaa Good?

I ripped this blog title off from CSO Online.

In December of 2006, I predicted that we would see a nationally recognized information security rating system come to fruition in 2007.

In today's financial markets investors rely on analyst reports and metrics, often referred to simply by the name of the company providing them: Moody's, Morningstar, Fitch and others. As an investor, you generally weigh these rankings and metrics heavily in your decisions. However, we have no security index or rating system. If, as a consumer, you had a choice between taking a loan from two companies with different security index ratings, you might think twice. Would you want to risk your personal information being negligently handled in return for a lower rate, or take a slightly higher rate knowing your information is safer?

Well, 15 months later, Moody's will soon be announcing its own Vendor Information Risk Rating Service, according to this article in CSO Online.

As a security manager, I can't wait for the day when this approach is mainstream. The amount of time, resources and lost opportunity spent individually assessing each vendor's security practices drives me nuts. Let's hope Moody's does this well. Even more so, let's hope that every independent and trusted rating company jumps on the bandwagon to drive competition in this new marketplace.

Comments (2)

Jess Austin:

Yeah, because these guys did such a great job rating mortgage-backed securities. It will be a very long time before consulting one of these rankings will be sufficient to verify a vendor's security process.

Hopefully vendors and financial institutions will give the service a chance, and judge it on its own merits before dismissing it out of hand. Of course, given my role in this service at Moody's, I am a biased participant here :)

What I do know from working with a significant number of FSI firms in building this offering is that there is a market need within the FSI industry (and others) for a better understanding of the security capabilities of their business partners - so that both parties can work towards mitigating those risks. That is the primary mission of the service - to help providers and enterprises better understand risks so that they can take steps to avoid and mitigate them. This is needed not just for regulatory and compliance reasons, but for brand protection and just plain old good risk management.

And as stated in the original post, there is significant inefficiency in the market right now, in that each FSI firm does its own evaluations, causing them to spend a lot of effort doing reviews, and the service providers are being subjected to several requests a year for security reviews by their clients. We think our model helps create better efficiencies in the marketplace.

The service won't be perfect out of the gate - no service is. As we progress, we will refine and evolve our approach based on feedback from firms that choose to utilize the service.

This page contains a single entry from the blog posted on March 5, 2008 3:27 PM.