When Aviva Zacks of Safety Detective sat down with FICO’s Vice President of Fraud, Compliance, and Security Solutions Doug Clare, she found out that FICO’s free Cyber Risk Score can help companies determine their own security risk and that of the companies with which they do business.
Safety Detective: How did you get into cybersecurity and what do you love about it?
Doug Clare: Much of my career has focused on developing technologies that help organizations better manage risk with machine learning. In the financial services space, this work includes applications that detect anomalous behaviors and activities that are indicative of fraud or another form of financial crime. Our goal is to protect banks, as well as consumers, from harm. In fact, these tools are used today by more than 9,000 banks around the world. If you’ve ever received notification of suspicious activity on your credit or debit card, the alert was likely triggered by a FICO machine learning model.
The transition from fraud and financial crime into cybersecurity was a natural step. We saw an opportunity to apply risk analytics to help organizations quantify the risk of suffering a material breach event. At its core, we’re using machine learning to identify the behaviors and time-series signals that are proven to have a strong correlation with cyber risk. It’s all based on empirical analysis of organizations that have, and have not, suffered a breach. There’s nothing subjective or opinion-based; we rely on what data science tells us. That’s what I love most about this space. We can apply our knowledge of AI and risk management in new ways which help companies better protect sensitive data under their care.
SD: What are some industries that use FICO’s technology and why?
DC: FICO works with businesses in more than 100 countries. This includes the majority of the world’s top financial institutions, telecommunications companies, retailers, and insurers, as well as more than 100 government agencies. While we are best known for helping people get credit, our solutions also work behind the scenes to help companies make more informed decisions.
For example, we help ensure that millions of airplanes and rental cars are in the right place at the right time. We help protect billions of accounts from fraud. We monitor transaction streams in the fight against money laundering which funds terrorism and human trafficking. We help insurers assess the risk of underwriting cyber insurance policies, and organizations across many industries work with us to quantify cyber risk across their supply chains. Anywhere that organizations need to fight fraud or reduce risk, you can usually find a FICO solution.
SD: How can FICO’s products and solutions protect its customers from threats?
DC: A couple of years ago we introduced the FICO Cyber Risk Score. It’s an empirically derived score that quantifies the risk of an organization suffering a material breach event. People use it to assess their own organization as well as their business partners and suppliers. The intent is to provide an impartial score that companies can use to rank-order risk based on the sensitivity of data being shared or the nature of the relationship.
The score itself relies on a diverse set of risk signals, which we continually collect, that are used to develop a forward-looking assessment of cyber risk. This is computed by taking these time-series signals and comparing them to the historical behaviors of organizations that ultimately did, and did not, suffer a breach event. We’re not looking for specific vulnerabilities; we’re looking for behaviors that are proven to be indicative of higher-risk environments.
We’ve seen companies use the score, as well as the underlying details, to remediate previously unknown issues and report their progress to the most senior levels of the organization. In fact, some corporate boards have asked to see the FICO Cyber Risk Score for all third parties in their vendor portfolio.
In an effort to help all companies improve their security posture, we’ve made the score available, for free, on our website. Users can register for an account and view the score for their specific company.
SD: What is the number one threat in cybersecurity today?
DC: The Achilles heel of even the most secure networks continues to be human users. Despite increasing investments in IT security technology and personnel, it’s social engineering that has proven to be the toughest threat to contain. This can be a simple phishing email or a very sophisticated business email compromise (BEC) attack where an unsuspecting employee is deceived by organized criminals. These same human factors apply to network management and hygiene. Ultimately, it comes down to the people that are tasked with adherence to corporate security policies and protocols as well as ongoing systems maintenance.
The good news is that human behaviors can be assessed over time and performance improvements can be made. In fact, these behaviors represent some of the elements that contribute to the FICO Cyber Risk Score. We look at things like misconfigurations, open ports, sloppiness in certificate management, and the quality of website construction. While these factors alone do not define the security posture of an organization, they do provide valuable insight into human behaviors – things like a lack of adherence to best practice, evidence of lack of consistent policy, and engineering skill gaps – that can elevate cyber risk.
SD: How will the cyberthreat landscape change in the next five years?
DC: We’re just beginning to see greater attention and resources being applied to third-party risk management. This will be one of the hottest topics in cybersecurity for the foreseeable future. Until recently, many organizations focused their cybersecurity efforts almost entirely on their own networks despite the fact that the majority of breaches originate with third parties. Today, many companies have no knowledge of their partners’ security practices. We’re now seeing a definitive shift towards assessment and risk quantification associated with these third-party relationships.
The regulators are also emphasizing the need for companies to evaluate and monitor the security practices of their business partners. In today’s connected business environment, companies are still responsible for protecting their data even as it passes through other organizations in the supply chain. In Europe, this is detailed quite clearly in the recently adopted General Data Protection Regulation (GDPR).
Now, consider the fact that some large companies have thousands of third-party relationships. The dated approach of asking vendors to complete subjective security questionnaires and surveys will no longer work. The approach doesn’t scale and provides no ongoing insights between security audits. This is exactly why we developed the FICO Cyber Risk Score, so any organization can monitor the cyber risk of other companies that they do business with.