Security Ratings

A Security Rating Versus A Security Score

Noah Simon | July 18, 2016

Assessing the cybersecurity posture of trusted vendors, suppliers, and other business parties is a very complex task. With so many elements involved in securing a network, it’s rare that a company is simply “good,” “average,” or “bad.” A complete picture of an organization’s security is more nuanced. Furthermore, as the cybersecurity landscape evolves seemingly at the speed of light, the need for detail and granularity is paramount.

The founders of BitSight chose a rating scale as a performance metric for this very reason. Third-party risk management can require in-depth conversations with companies, and having a more precise view of a company’s security posture makes for a more valuable and transparent conversation. Compared to a score, which connotes a broad, static result, a rating offers more context into performance.

The Oxford Dictionary definitions help to further distinguish these two:

Score: The number of points, goals, runs, etc., achieved in a game by a team or an individual.

Rating: A classification or ranking of someone or something based on a comparative assessment of their quality, standard, or performance.

Comparative assessment is a key differentiator between a score and rating. Organizations that are trusting third parties with sensitive data cannot afford to simply know that some of their business partners have a score of “A” versus a score of “C.” Context into their security performance over time, how they compare to similar companies in the same industry, and how they compare to other vendors is far more helpful. Without this context, organizations may be selecting, onboarding, and continuously monitoring vendors with a limited view of their overall risk.
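As an added illustration (not BitSight’s method and not code from this post), the Python sketch below shows what the comparative assessment described above adds over a static score. Two fictitious companies land on the same letter grade, but a rating that also carries a peer percentile within the industry and a trend over time tells them apart. All company names, score histories, and grade thresholds are constructed for the example.

```python
from statistics import median
from typing import Dict, List

# Constructed sample data (fictitious companies, made-up numbers): four months
# of point-in-time scores, oldest first, for one industry peer group.
INDUSTRY: Dict[str, List[int]] = {
    "Company A": [560, 600, 640, 680],  # climbing steadily
    "Company B": [760, 730, 700, 680],  # sliding; same latest score as A
    "Company C": [800, 805, 800, 810],
    "Company D": [500, 510, 520, 520],
    "Company E": [650, 660, 640, 650],
}


def score_band(score: int) -> str:
    """Collapse a numeric score into a static letter grade (assumed thresholds)."""
    if score >= 750:
        return "A"
    if score >= 650:
        return "B"
    if score >= 550:
        return "C"
    return "D"


def trend(history: List[int], months: int = 3) -> int:
    """Change in score over the last `months` intervals (positive = improving)."""
    if len(history) <= months:
        raise ValueError("not enough history for the requested window")
    return history[-1] - history[-1 - months]


def peer_percentile(company: str, industry: Dict[str, List[int]]) -> float:
    """Share of the company's peers (itself excluded) whose latest score is lower."""
    latest = industry[company][-1]
    peers = [h[-1] for name, h in industry.items() if name != company]
    if not peers:
        raise ValueError("no peers to compare against")
    return 100.0 * sum(1 for p in peers if p < latest) / len(peers)


def industry_median(industry: Dict[str, List[int]]) -> float:
    """Median of the latest scores across the peer group."""
    return median(h[-1] for h in industry.values())


def rate(company: str, industry: Dict[str, List[int]], months: int = 3) -> dict:
    """A rating: the static score plus the context a score alone lacks."""
    latest = industry[company][-1]
    return {
        "score": latest,
        "band": score_band(latest),
        "trend": trend(industry[company], months),
        "peer_percentile": peer_percentile(company, industry),
        "above_industry_median": latest > industry_median(industry),
    }


if __name__ == "__main__":
    # Same band for both, but opposite trends once history is taken into account.
    for name in ("Company A", "Company B"):
        print(name, rate(name, INDUSTRY))
```

Run as-is, both companies print band "B" and a peer percentile of 50.0, yet Company A shows a trend of +120 while Company B shows −80; that is the difference between knowing a vendor’s score and knowing its rating.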


A comparison of two companies in the Business Services industry (all companies shown are fictitious).

Take the example of a general manager for a baseball team. When spending millions of dollars on signing a pitcher, is it sufficient to only know that the player won 9 games and lost 3 in the last year? A savvy manager would want to know more. What is their career earned run average? How do they perform against left-handed batters versus right-handed batters? The list could go on and on, but more data points translate to greater confidence when making business decisions.

BitSight Security Ratings are built with a detailed set of parameters that go beyond a static score, giving a real-time view into an organization’s security posture. Armed with more data points, organizations can now mitigate third-party cyber risk during the selection, onboarding, and monitoring stages of the business lifecycle.

What is the BitSight Security Rating of your business and its third parties? Sign up here to find out!
