Taking an Ethical Approach to Digital Risk Protection


August 9, 2021

As a provider of digital risk insights Darkbeam naturally holds a position of trusted advisor with our clients, and as such it is very important for us to adopt a transparent and ethical approach to acquiring, analysing, and delivering our data.

We understand the need for our insights to be both understandable and of practical benefit. There is a balance to be struck between providing a high-level view of external risk and avoiding over-simplification or overly generic risk ratings. If the information provided is distilled down to a simple good/bad verdict, the nuance and inherent complexity are lost, leading to misleading red flags and an overstatement of risk. This in turn can lead management or other areas of the business, as well as organisations assessing the cyber threats within their own supply chain, to see risk where there is none, to pass issues to the relevant IT teams unnecessarily, and to waste time debating an organisation’s cyber posture.

“Cyber security is a growing industry in the UK and it’s vital for high standards of practice and technical expertise to be at the heart of the profession as it develops.” - NCSC, 9th February 2021

Within Darkbeam’s Horizon platform we aim to avoid this conflict by being transparent about our data collection, analysis, and scoring methodology. We have adopted a scoring mechanism with a gradient ranging from 0 to 999: the more vulnerabilities and exposure surfaced, the higher the score. The RAG (red/amber/green) rating for each test is designed to highlight results according to the priority with which they should be investigated. We have also linked each individual test to a recognised industry framework (MITRE ATT&CK) as well as to CVEs and CWEs. This allows IT and cyber security practitioners to efficiently understand the ground truth of how their domain presents itself to an outside observer, such as a hostile attacker, and ultimately to resolve the issues identified, whilst simultaneously allowing management to track overall external health in a meaningful way, not just for their own domain but across their entire supply chain.

The purpose of the insights delivered through Horizon is not to create fear, uncertainty, or dread, but to present a real-time view of a domain’s external cyber hygiene, a “hacker’s-eye” view, which we call the ground truth. This results in critical vulnerabilities being resolved in a timely and efficient manner, or in reassurance that an organisation’s external cyber posture and digital footprint are entirely as intended. Our tests are laid out in clear language, and the results are fully disclosed and mapped to frameworks, leading to clear and accurate intelligence that is actionable and auditable. The integrity and veracity of our data are integral to our ethical approach to digital risk protection, and transparency is at the heart of what we do.

Justin Leary