The Cybersecurity ScoreCard Aproach

As a long-time security practitioner, I’ve done my share of assessments. Usually, an assessment is tied to a long compliance scheme, like PCI. If you’ve been through an assessment before, you know how costly they can be. Not just in the cost of services (which can be pretty hefty depending on the organization), but the cost of your time! Unfortunately, these compliance-based assessments usually do very little to help the organization understand their real security risk posture in a timely and affordable way.

So I decided to come up with something new…

I got some inspiration from something we are all familiar with: the annual physical. I recently had bloodwork done, and upon receiving the results, I made a realization: I don’t care how the blood work was performed, I care about the bottom-line numbers and what they mean! What’s even better, each time I get blood work, I can quantitatively track whether I’m getting better or worse.

Wouldn’t it be great if there was an equivalent in security?

Well, that’s exactly what we created: and we call it the Cybersecurity Scorecard. Using mature and established assessment methods and metrics for inspiration (e.g. NIST, PCI, HIPAA, etc…), we created a new assessment based on “markers.” These markers are security health indicators, of sorts. Rather than go into a deep-dive in an area, we can often get a 90% understanding of the environment just by looking for the right markers.

One of my favorite examples in this area has to do with centralized logging. If I find out that an organization is not centrally storing logs, I immediately know they’re not adequately monitoring their environment, they have no SIEM to look for active threats, they have a policy deficiency, they aren’t prepared for any kind of incident response, and many other deficiencies. I don’t need to assess those individually…That’s just a single example, of course. And security practitioners understand this, but we’re often bogged down by the checkboxes.

Who is this for?

We developed this for small-mid sized organizations looking to get a better understanding of their security posture, OR the security posture of their partners, suppliers, etc… Outside of the obvious SMB use-case, another good example might be an insurance company that needs to assess all their clients for Cybersecurity Insurance. Or a venture capital group looking to better understand the IT risks associated with a new venture. There are many useful use-cases, and we’re excited to find them!