Risk Management “Team of Rivals” BitSight, Black Kite, Panorays, RiskRecon, SecurityScorecard Adopt Shared Assessments’ New 3rd Party Continuous Monitoring Cyber Taxonomy

Mar 2, 2022 | News

By Peter Kelley

Shared Assessments has published the risk industry’s first cybersecurity taxonomy to bring new consistency to the defining of cyber events and monitoring surfaces across security ratings services (SRS), and outsourcer and third-party organizations.

“A Unified Third Party Continuous Monitoring Cybersecurity Taxonomy” immediately received de facto industry standard status with its definition and adoption by a “team of rivals” in the third party risk management (TPRM) solutions industry, including BitSight, Black Kite, Panorays, RiskRecon and SecurityScorecard.

Andrew Moyad, CEO of Shared Assessments, said: “A consistent lingua franca among risk professionals has never been more important, and the rapidly evolving threat environment and escalating regulatory scrutiny make coalescing around a shared taxonomy all the more urgent. The broad and increasing adoption we’re seeing among major continuous monitoring cyber risk suppliers is a validation of our efforts, representing the latest example of our thought leadership and the added value Shared Assessments provides to our members and their industries.”

Release of the Taxonomy marks the culmination of years of effort among Shared Assessments, its members and other contributing organizations who worked together to establish consistent language, practices, and reporting structures for complex cyber events and vulnerabilities. The resulting shared language and definitions of cyber events reduce the potential for ambiguities that can result in potentially perilous miscommunications. The linguistic consistency the Taxonomy offers is sorely needed: larger organizations may have as many as 40,000 suppliers, making the shared understanding that the Taxonomy enables an essential element in identifying and addressing risks and cyber events.

Continuous monitoring allows an outsourcing organization to maintain an uninterrupted view of the control posture of their third parties such as vendors and service providers.

Evan Tegethoff, Vice President of Solutions Consulting with BitSight, said: “More precise and transparent communications enabled by the Taxonomy answer to a constantly changing world with increasing threats and volume of vendors. As a common language and framework, the Taxonomy will advance continuous monitoring as a practice for the risk management field.”

“Continuous monitoring cybersecurity taxonomy brings together the collective understandings of cybersecurity monitoring solution providers, outsourcers and third party service providers. Parallel tools and views coalesce into a complementary source for risk quantification,” said Demi Ben-Ari, the Co-founder and CTO of Panorays.

In addition to providing terminology that supports clearer communication and continuous monitoring, The Unified Third Party Continuous Monitoring Cybersecurity Taxonomy affords a better understanding of cybersecurity monitoring services. It allows fresh insight into what is and isn’t being monitored when evaluating and purchasing an SRS solution. This new insight will help organizations identify and compensate for potential gaps, and improve the alignment of practices with risks.

The Taxonomy helps organizations:

– Better understand how events monitored by SRS align with the outsourcer’s control requirements, and vice versa.

– Compare the services offered by several SRS providers.

– More easily communicate any issues identified by the SRS and develop mitigation approaches to correct them.

– Clearly communicate across the third party risk management ecosystem and help boards and leadership teams evaluate cyber threats to the business, and align appropriate resources.

Sam Kassoumeh, COO and Co-founder of SecurityScorecard, said: “The creation of a unified taxonomy of continuous monitoring cybersecurity terms represents a tremendous lift to the security ratings space in which SecurityScorecard is deeply invested, engaged and trusted by our customers. We have been actively involved in this working group since 2019 because standards and frameworks play an important role in helping boards of directors and other senior executives deliver on their mandate of modernizing cybersecurity governance.”

Candan Bolukbas, CTO and Co-founder, Black Kite said: “The Taxonomy solves an important problem. It is a good way for us to align checks and balances and enable buyers to make comparisons. We need to have a common ground to discuss market needs in order to reduce the customer learning curve.”

Shared Assessments is making the Unified Third Party Continuous Monitoring Cybersecurity Taxonomy freely available to the industry. To register for a download, visit: https://sharedassessments.org/paper/cm-cybersecurity-taxonomy/

 

Rocky Giglio