A recent Forrester report on cyber risk ratings has provided some interesting insights into the market and inadvertently confirmed where Orpheus is leading the market.
A key takeaway from the report was “instead of bombarding users with more data, CSR vendors need to focus on improving the risk context of their ratings to help security and risk pros prioritize efforts, support risk-based decisions, and act on the information.”
A key part of the Orpheus cyber risk score involves reviewing the threat level of an organisation. As a threat intelligence company, we have extensive sources of data and analysis that help determine the threat to an individual company. When combined with data on the vulnerabilities an organisation has, this provides a far more accurate score than looking at their security measures alone.
We know, information has to be easy to understand and consume to be useful. Long reports with lots of data are useful to some but are harder to act upon. Security teams complain of endless alerts, false positives and having too much information to be able to make use of it. Orpheus’ reports are shorter, containing the key information needed with further extensive detail available in our platform if needed. It was interesting to see Forrester agree with this approach.
Endless data does not necessarily yield a more accurate result. Including additional data points may only change the risk level slightly, if at all. The bigger risk is that companies are overwhelmed with data and do not act on it, or can not prioritise. This keeps their risk high instead of allowing them to focus on the most critical risks first.
Have models externally validated to improve trust was another key finding from the report. Orpheus ensured our machine learning was peer-reviewed by Queens University in Belfast. It is important organisations know they can trust the data they are being asked to act upon. This peer review found our machine learning to be at least 94% accurate. Crucially, it is this external validation that increases trust, along with the result itself. There is more to be done in this area and we look forward to publishing studies that demonstrate the accuracy of our risk ratings in the future.
Our customers tell us they like our threat led approach and have confidence in the scores we are providing, which allow them to monitor their third parties. It is exciting to have some external validation of the approach we have taken. We look forward to future reports from market research firms, like Forrester, to see how this fast-moving market adapts.