A recent ranking of the most cyber-secure companies reveals weaknesses in current third-party risk management practices.

A Forbes article is making the rounds right now about America’s most cyber-secure companies, and I can already see the cybersecurity outrage machine up in arms. Full confession: I haven’t yet read the article, but I’m about to. I’m writing this in two parts: before I read the article, and after I read the article.

Part I: What are the most cyber-secure companies?

If you ask me to list the most cyber-secure companies (what does that even mean?), here is my shortlist, in roughly the order I think of them:

Top tier: Google, Apple, Microsoft, Amazon

Second tier: Bank of America, Goldman Sachs, Fidelity, Capital One, Meta, LinkedIn, United Airlines, Akamai (full disclosure: I am the former CSO of Akamai), Cloudflare, Fastly

That list isn’t meant to be comprehensive. I spent five minutes thinking, “Who has a lot of data, or systemic control of systems at scale, and does a decent job of protecting it?”

Part II: The problem with third-party risk management

Okay, I see that United Airlines and Fidelity make the top 20 after reading the Forbes story. The other financial services firms I hypothesized are mostly in the top 100, but not one of the infrastructure companies makes it. Entertainingly, the authors of this list agree with me that United Airlines stands head and shoulders above the rest in its industry. Deneen DeFiore, United’s CISO, must be doing a great job. But that’s our only overlap. What’s going on here?

This list is made by SecurityScorecard, one of the flagship companies in the third-party risk management (TPRM) industry. The challenge that TPRM companies have is rather simple: Provide a mechanism for companies that do business with other companies to evaluate the risk that their vendors present to them, from a cybersecurity perspective.
SecurityScorecard and its primary competitor, BitSight, use a similar methodology: Create a risk score (sort of like your credit score), evaluate companies, and score them. Sounds easy, right?

Nope. Imagine if the credit reporting agencies decided that they’d start evaluating large enterprises with the same credit scoring algorithm that they use for me, as an individual. Of course they’ll look awful! Think about the size of Google’s perimeter – all its publicly visible IP addresses – against Intel (which came in first on the Forbes list). One of these is predominantly a chip manufacturer, and I seriously hope they have a small external footprint. This tells us nothing about Intel’s cybersecurity practices, which I hope are focused less on their website security (which contributes to their rating) and more on their product and manufacturing security (which don’t contribute to their rating). Google, on the other hand, looks like one of the slum lords of the internet. Their addressable IP space is one of the largest on the planet, so of course they’ll look bad from the outside at a cursory glance, especially if one of your measures is the size of someone’s attack surface.

The credit reporting agencies, for better or worse, have much more data than the TPRM scoring companies. They’re embedded throughout our financial system, collecting a lot of information that shouldn’t be publicly available. The TPRM scoring companies, on the other hand, are doing the equivalent of drive-by appraisals. They look at the outside of businesses on the internet and decide how reputable they are based on their external appearances. Of course, certain business types will look more secure than others.

The alternative to TPRM scoring is, sadly, the TPRM questionnaire industry, which is only marginally less unhelpful. This is an industry focused on shipping massive questionnaires to vendors, which take huge efforts to fill out.
Dedicated teams then review the answers to search for any answer that looks like a “no” to follow up on (all mature vendors have by now figured out to never say “no” to any questions). There’s now an entire industry focused just on streamlining filling out these questionnaires.

The TPRM problem is yet to be solved. Companies have a real need to understand the actual risks they inherit from their vendors, including both intrinsic risk (risk the vendor brings to you) and usage risk (risk created by how you’re using the vendor). Unfortunately, neither the scoring space nor the questionnaire space is solving this problem.