Lecture with Bob Malley, Chief Security Officer at Black Kite

Jul 12, 2024

Introduction

  • Steve Morgan: Founder of Cyber Security Ventures, Editor-in-Chief at Cybercrime Magazine.
  • Bob Malley: Chief Security Officer at Black Kite.
  • Black Kite: Provides security rating systems assessing cyber risk across technical, financial, and compliance dimensions.

Bob Malley's Background

  • Experience in physical and information security for decades.
  • Former policeman, CISO at Commonwealth of Pennsylvania, and worked at PayPal.
  • Built third-party risk management program at PayPal.

Transition to Black Kite

  • Passion for risk assessment cultivated at PayPal.
  • Traditional risk assessment methods (high, medium, low) deemed inadequate.
  • Introduced to FAIR (Factor Analysis of Information Risk).
  • Attracted to Black Kite for its innovative approach to automating risk analysis.

Understanding Security Ratings

  • Analogy: security ratings are like credit scores but for cyber risk.
  • Controversy: Many in cyber security dislike security rating services for lack of context and actionable data.
  • Examples: Credit scores factor in multiple elements beyond the score itself.

Security Posture

  • Cyber Hygiene: An indicator but not definitive.
  • Example: the SolarWinds breach showed that an average score can mask a potentially high risk.
  • Challenges: Consistency in cyber hygiene does not guarantee immunity from breaches.

Audience for Security Ratings

  • Internal Use: CISO and their teams, translating technical ratings into business terms for senior management.
  • External Use: Cyber insurance underwriters assessing risks for policy decisions.

Accuracy and Challenges

  • Accuracy: Critical for reliability; guidelines by American Chamber of Commerce.
  • False Positives: Historical issues in the industry; smaller control sets often used to claim accuracy.
  • Black Kite's Approach: 290+ controls tested against industry guidelines.

Importance in Current Trends

  • Gartner's View: Security ratings are a top 10 security project due to regulatory requirements.
  • Regulatory Push: Continuous monitoring is increasingly required by regulations (OCC, NYDFS, California Consumer Protection Act).

Challenges for New Entrants in Security Rating Market

  • Difficulty in developing a comprehensive, reliable system.
  • Entrenchment: Established players dominate; new entrants need significant differentiators.
  • CSO Perspective: Organizational and process inertia make switching to new sponsors challenging.

Black Kite Overview

  • Founded by an expert in penetration testing for NATO.
  • Significant value in automating comprehensive risk assessments across cyber hygiene, financial impact, and compliance.

Implementation and Usability

  • Deployment: Easy; initial setup can be completed quickly (in about a day).
  • Collaboration: Requires input on vendor ecosystems and integrates with existing processes through APIs.
  • Continuous Monitoring: Provides alerts for significant risk changes in vendor profiles.

Impact of COVID-19

  • Increased Importance: Supply chain and remote work vulnerabilities elevate the need for security ratings.
  • Trend: Growing reliance on third parties for critical services post-pandemic.

Final Thoughts for CSOs

  • Despite past negative experiences, value can be found in well-executed security rating services.
  • Due Diligence: Evaluate transparency, scope of digital footprint, vendor interaction capabilities, and ability to communicate in financial terms.

Closing Remarks

  • Interview emphasizes the evolution and importance of accurate security ratings.
  • Encourages thorough evaluation to find the right solutions for cyber risk management.