Rating vendors' information security

Published 5 March 2008

A new Moody’s service aims to create the security world’s equivalent of Aaa to C ratings, replacing the need for companies to do individual vendor assessments; it would only work if enough companies sign up

Our readers have probably noted this three-step security business dance: First, there is a growing recognition of a security need; second, the government writes rules and regulations to address the security need; third, a small industry emerges to help industry comply with the new rules and regulations. Ed Leppert, a consultant for @stake and then for Symantec, spent a lot of time doing third-party security assessments for his financial-services clients — slogging through questionnaires and SAS 70 reports, trying to determine how effectively a given service provider was handling its own security. The research was important, but sometimes it seemed inefficient. “We said, it doesn’t make sense to do these things individually.” Leppert says. “All the companies want [to know] basically the same things.”

Sarah Scalet writes in CSO that now, as part of a startup within the credit rating company Moody’s, Leppert is trying to bring the same clarity and efficiency to security assessments that investors have when evaluating credit risks. Moody’s expects to introduce the Vendor Information Risk Rating Service this week. The goal is to create the security world’s version of the Aaa to C ratings Moody’s devised long ago for financial securities and bonds. Of course, it is more complicated than that. For starters, the due-diligence ratings are not made public — the rated company has to authorize a potential customer to access the information. Also, the ratings are 1 through 5, not A through C. “The people creating it are techie guys, not good marketing guys,” quips Leppert, who is VP of Moody’s Risk Services.

Service providers who sign up are analyzed and rated in each of eleven categories — including access control, business continuity and data security — and get an overall assessment as well, with 1 being the best. The business model is still in flux, but currently, rated companies pay about $23,000 for the first year, and subscribers pay less than $1,500 per report, after receiving two reports for free. Some vendors have signed up after being asked to do so by one of several large financial-services companies that served as an advisory council during the service’s development. The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business, who is evaluating the Moody’s service along with a similar Product Certification Program from BITS, a nonprofit financial-services consortium operated by the Financial Services Roundtable. Last year Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but I think it’s a non-value-add service,” he says. Gold is eager for a service that would allow him to streamline that process, but the question for him — as well as for Leppert — is whether Moody’s can persuade enough companies to sign up to make a subscription worthwhile. As of early February, Moody’s had completed only a few ratings, with 20 to 25 more in the contract process. “The subscriber base is going to be the issue with something like this really taking off,” Gold says. “I’m an optimistic observer.”