Much like a credit score that measures the creditworthiness of an individual, enterprises are rated today on their security posture by a host of cyber security risk rating companies that have come onto the market in recent years. These independent companies present themselves to organizations as third-party risk evaluators using their proprietary security rating solutions. They generally measure organizations either by scanning their networks or by searching for emanations from an organization’s network, then measuring various items to produce a security rating.
These cyber security risk rating companies give a lighter but more frequent perspective on security posture, augmenting periodic but more in-depth testing. Accenture now has a broader view of the abnormalities that become visible on its network, gained from what the cyber security rating companies report as key security issues to watch for and remediate. Getting to this point, however, required gaining an understanding of each cyber security rating company’s methods of measurement and putting in place additional security hygiene practices.
When tech meets human ingenuity
Accenture’s Information Security group, charged with protecting the information of Accenture, its clients, its business partners and employees, worked through the learning curve of how the cyber security rating companies conduct their measurements. As a result, Information Security methodically matured and evolved an engineered process that put in place several regimes to identify, close and prevent security issues or potential issues on Accenture’s network.
Key regimes include:
Establishing a system to track IP address ownership
Large companies like Accenture own hundreds of thousands of public domains and IP addresses. Tracking who within the company owns which is no simple matter. In response, Information Security set up a team that focuses on identifying owners of every public domain, sub-domain and IP address registered with Accenture’s name. Information Security industrialized this process, leading the team to monitor for new use or registration on a daily basis, confirming ownership is assigned appropriately.
While Accenture already performs regular external vulnerability scanning, Information Security developed a custom solution for detecting additional items that are part of the cyber security risk rating companies’ scope. The solution targeted specific application security findings that Accenture could tailor to its security standards. While some tools exist on the market, none of them quite fit Accenture’s need.
Raising visibility within the business
The reporting scorecards measuring cyber security performance generated by the security rating providers are shared with the chief operating officers of Accenture’s businesses on a weekly basis. This reporting enables Information Security to provide relevant remediation actions directly to Accenture teams by integrating the report findings into Accenture’s standard security compliance program.
A valuable difference
As the security rating companies have become established players in the cyber performance measurement market, so too has Accenture benefited from capitalizing on their services and successfully positioning itself. Today, Accenture is highly rated by all the major cyber security risk rating companies and outpaces its peers in ratings. This positioning differentiates Accenture in the realm of information security and enables Accenture to gain the confidence of its clients in this domain.
High scores, as validated by the cyber security benchmarking resources, continue to drive Accenture to focus on and sustain a more risk-resilient organization, especially given the acceleration Accenture is seeing within the threat landscape.