To address the increasing security risk within the mining and metals industry supply chain, the Mining and Metals Information Sharing Analysis Center (MM-ISAC), Mirai Security and SecurityScorecard have developed what they describe as a streamlined methodology that produces a cyber security risk rating for vendors, intended to demonstrate their security posture to prospective clients.
This supplier risk management assessment evaluates a supplier's risk management capabilities by examining its governance and technical capabilities, as well as its risk and safety culture. The result is a cyber security readiness rating that summarises high-level security and privacy facts about the supplier; these provide security and threat risk assurance that organisations can use during the vendor screening and selection process.
Rob Labbé, Chair of the MM-ISAC, said: “As the only group globally focused on cyber security in the mining and metals industry, I felt the MM-ISAC was well positioned to head this initiative. It will not only save companies time and money but also enable the centralisation of data and easy updates to questions as new security risks become mainstream. And so, the MM-ISAC Cyber Security Readiness Rating was born.”
Alex Dow, Chief Technology Officer, Mirai Security, said assessing vendor risk is arduous, inconsistent and creates friction between buyer and seller.
“The MM-ISAC’s Cyber Security Readiness Rating solution has set out to centralise and simplify the process, improve accuracy through novel threat-based risk assessment methodology and, as a whole, raise the cyber security water level industry wide,” he said.
The problem with risk assessments within the industry, according to Labbé, is that they rely on a lengthy and confusing questionnaire. Most companies have difficulty answering the questions, and even when suppliers are able to articulate their security posture, many members of the ISAC lack the cyber security expertise required to interpret the results.
The new solution uses SecurityScorecard's software platform to establish a security scorecard based on an external (outside-in) view of the supplier's risk and security posture. SecurityScorecard continuously monitors and scores the external cyber security posture of an organisation (the company states that its scores have a statistically relevant correlation with breach risk) and shows the organisation how to improve through actionable, issue-level detail.
Alex Rich, VP of Marketplace Business Development, SecurityScorecard, said: “Data is the most valuable and personal commodity in the increasingly more connected environment that we operate in. Companies who collect it and fail to protect it will suffer consequences, both monetary and reputation based.”
The customised survey and questionnaire contain only questions that are relevant to each specific company. What sets the questionnaire apart is its acknowledgement that a "one-size-fits-all" assessment framework does not provide the risk management value that MM-ISAC members need. Mirai's methodology recognises that not all vendors bring the same level of risk to their clients, so it assesses risk according to a vendor persona.
Once the questionnaire is completed, the automated data from the SecurityScorecard platform is combined with the questionnaire responses and then reviewed in detail by Mirai's security team. The result is a cyber security readiness rating that allows vendors to share their security posture with potential clients and to use it as a marketing tool to differentiate themselves in the marketplace.