Shared Assessments Issues First Ever Unified Third Party Continuous Monitoring Cybersecurity Taxonomy


BitSight, Black Kite, Panorays, RiskRecon, SecurityScorecard Among “Team of Rivals” Endorsing the New De Facto Standard

Shared Assessments introduced the risk industry’s first cybersecurity taxonomy, bringing greater clarity to the definition and identification of cyber events and monitoring surfaces.

“A Unified Third Party Continuous Monitoring Cybersecurity Taxonomy” was adopted by security ratings services (SRS) including BitSight, Black Kite, Panorays, RiskRecon and SecurityScorecard, affording the Taxonomy immediate status as a de facto standard. It is expected to be widely adopted among vendors, service providers and outsourcer organizations.

Shared Assessments CEO Andrew Moyad said: “Over the last several years, we have observed increasingly severe consequences for firms that are not sufficiently focused on third party risk management. One critical example is the sharp escalation of increasingly aggressive ransomware attacks across multiple industries.”

To help address these risks, Shared Assessments has worked with many of its member firms to develop a unified cybersecurity taxonomy, with the goal of easing the broad adoption of continuous cyber monitoring services by more companies. Such services help thwart these risks, and many of its member firms either offer or have adopted continuous monitoring services.

“A consistent lingua franca among risk professionals has never been more important, and the rapidly evolving threat environment and escalating regulatory scrutiny make coalescing around a shared taxonomy all the more urgent. The broad and increasing adoption we’re seeing among major continuous monitoring cyber risk suppliers is a validation of our efforts, representing the latest example of our thought leadership and the added value Shared Assessments provides to our members and their industries,” Moyad said.

Larger organizations may have as many as 40,000 suppliers, making the clarity the Taxonomy affords pivotal in identifying and addressing risks and cyber events. Continuous monitoring gives outsourcing organizations an uninterrupted view of the control posture of the third parties with whom they interact, such as service providers and vendors.

Sam Kassoumeh, COO and Co-founder of SecurityScorecard, said: “The creation of a unified taxonomy of continuous monitoring cybersecurity terms represents a tremendous lift to the security ratings space in which SecurityScorecard is deeply invested, engaged and trusted by our customers. We have been actively involved in this working group since 2019 because standards and frameworks play an important role in helping boards of directors and other senior executives deliver on their mandate of modernizing cybersecurity governance.”

Candan Bolukbas, CTO and Co-founder, Black Kite said: “The Taxonomy solves an important problem. It is a good way for us to align checks and balances and enable buyers to make comparisons. We need to have a common ground to discuss market needs in order to reduce the customer learning curve.”

The Taxonomy lets organizations:

  • Better understand how events monitored by SRS align with the outsourcer’s control requirements, and vice versa.
  • Compare the services offered by several SRS providers.
  • More easily communicate any issues identified by the SRS and develop mitigation approaches to correct them.
  • Clearly communicate across the third party risk management ecosystem and help boards and leadership teams evaluate cyber threats to the business, and align appropriate resources.

It sheds new light into those risks and events that are or are not being monitored, helping outsourcer organizations in their evaluation and adoption of SRS solutions, and helping organizations improve the alignment of their practices with risks.

“Continuous monitoring cybersecurity taxonomy brings together the collective understandings of cybersecurity monitoring solution providers, outsourcers and third party service providers. Parallel tools and views coalesce into a complementary source for risk quantification,” said Demi Ben-Ari, the Co-founder and CTO of Panorays.

Evan Tegethoff, Vice President of Solutions Consulting with BitSight, said: “More precise and transparent communications enabled by the Taxonomy answer to a constantly changing world with increasing threats and volume of vendors. As a common language and framework, the Taxonomy will advance continuous monitoring as a practice for the risk management field.”

The Unified Third Party Continuous Monitoring Cybersecurity Taxonomy is available at: https://sharedassessments.org/paper/cm-cybersecurity-taxonomy/
