SOC 2 vs. Security Ratings

Yesterday a CISO in the insurance space asked me about what I thought about looking at something in an audit report like a SOC 2 vs. something from a ratings vendor like SecurityScoreCard or BitSight . . .

The fact is, 90% of security teams are doing some sort of due diligence on third parties. For anywhere from 10–30% of the vendors they care about, they’re reading SOC reports, asking for pen tests and painstakingly analyzing 20, 50, 100, 200 question questionnaires. And they’re getting value from that — they’re finding areas that need work and issues that could lead to a breach, and they’re following up and trying to do something about it.

But this process is fraught with problems. It’s too slow, can’t scale and requires a level of engagement from the vendor that’s frequently lacking. Security teams are left with huge gaps in visibility and are stuck delivering information too late in the game to make enough difference.

So what about the other 70–90% of vendors they care about but just don’t have time to perform due diligence on? Well for many security or risk teams that’s where the security ratings vendors come in.

As CISOs widely point out, the processes these tools utilize to determine ratings are questionable and their results commonly lack relevance or accuracy.

So why are they used? I got the following answer to that question from the head of risk at a global financial services company that sticks with me:

“They are better than nothing.”

While I am sure many CISOs will still contend with that answer, in a world where dozens, hundreds, in some cases thousands of vendor relationships just can’t be meaningfully assessed due to the practical limitations in doing so, the ability to quickly pull some data on a company, hand it to a buyer and say ‘ask them to fix it,’ is a big deal. Now, if an auditor, risk committee, regulator or partner asks them what they’re doing about third-party risk, they have at least one leg to stand on, whereas before they had none.

Regardless of whether that’s security theater or a valuable reminder for a buyer and a third party to at least think about security, the underlying need is clear:

Companies need to be able to assess third party cyber risk at a speed and scale that just can’t be accomplished by collecting surveys and reading documents AND provide a level of intelligence, insight and accuracy that can’t be accomplished with security ratings.

The solution lies in adopting a more advanced approach to third-party risk management—one that combines automation, AI, and deep intelligence. By leveraging AI-driven TPRM platforms like VISO TRUST, security teams can automate the tedious tasks of gathering and assessing vendor data, eliminating the inefficiencies of manual reviews and inconsistent security ratings. These platforms go beyond surface-level metrics, providing real-time, actionable insights into a vendor’s security posture through the use of security artifacts and continuous monitoring, offering a much higher level of precision and relevance than ratings vendors can deliver.

With such a platform, security teams can finally address the vast majority of vendors that traditionally slip through the cracks. Instead of being forced to rely on incomplete data or no data at all, they can quickly and accurately assess a vendor’s risk profile at scale.

This not only reduces the time and resources required for assessments but also enhances overall visibility and control over the third-party ecosystem. Security teams can now proactively address risks before they become a threat, ensuring that no vendor relationship is left unchecked.

In today’s fast-paced business environment, where companies are scaling rapidly and their third-party networks are expanding just as quickly, traditional risk management methods are no longer sufficient. To stay ahead, organizations must shift from reactive, manual processes to automated, intelligence-driven solutions that can keep up with the speed of business.

By doing so, they not only strengthen their security posture but also build trust with stakeholders and partners, demonstrating a proactive commitment to safeguarding sensitive data and mitigating third-party risks.
