Reflections on digital ratings and questionnaires: a non-enough-combination combination.
We have attended a forum and found this comment (see picture above) about digital ratings that has led us to reflection.
Recently, at the IT GRC Forum, Chris Poulin, Deputy CTO / Director, Technology & Strategy at Bitsight, proposed the use of questionnaires to supplement the results of their cybersecurity ratings: “Using a security rating system such as Bitsight is not mutually exclusive of sending vendors questionnaires based upon NIST CSF (or any other cybersecurity framework). The two should validate each other, favoring direct observational evidence over self-attestation.”
But even the sum of both is not enough to obtain a reliable result.
Using a digital rating, such as Bitsight, to evaluate a company or service has great shortcomings, even if it is complemented with questionnaires, since they can only be checked from the outside. It is in the very nature of this type of ratings. It is like assessing the security of a building without entering it, just observing it from the outside. In this way, the areas that can be evaluated are limited to being accessible from the perimeter. That leaves out, for example, checking if there are active password renewal protocols, if the backups are in a location not accessible from the main network or if there are controls for personnel access to protected areas, among others.
In addition to the limited scope of this type of qualification, the proposed validation is through questionnaires. We all know that questionnaires are almost always answered in the affirmative. They do not provide reliability, independent third party audits do. Questionnaires are useful, but they have a conditional use, they need a subsequent validation and a cybersecurity rating cannot be based on them.
Therefore, the alternative is a cybersecurity rating that is based on audits, with a comprehensive, rigorous and reliable method to determine the level of cybersecurity, and based on a methodology that is fed by international regulations and widely used standards and good practices. We use the digital rating as a complement to the rating.
Therefore, the LEET Security rating is The Ultimate Cybersecurity Rating. And that’s a fact.
Suscribe to our newsletter here