From the Server Room to the Board Room: Actionable Security Metrics

Ben Fagan | November 4, 2015

As we highlighted in a recent blog post, a diverse range of companies use BitSight Security Ratings to manage cyber risk. Many of our customers are actively using these ratings to manage vendor risk, screen merger and acquisition targets, underwrite cyber insurance and benchmark security performance. Regardless of how customers use the ratings within their security and risk programs, it is important that the ratings are both actionable and accurate.

Data accuracy is a fundamental principle of BitSight; any security vendor can provide mountains of data but BitSight is a leader in creating ratings based on actual evidence of system compromise. Numerous customers have vetted BitSight’s data and network footprint mapping in order to ensure that they can leverage this information for important business decisions. Yet even with highly accurate ratings, companies need to address perhaps the most fundamental question in the rollout of a ratings solution: Are the ratings actionable?

Risk and security professionals constantly need to estimate a company's risk of a data breach, whether they are analyzing their own company's security risk or the risk of a third-party vendor, insurance applicant or acquisition target. Just as lenders use credit scores to measure the risk of a loan default, a cyber security rating has to tell its users something about the major consequence of security weaknesses: a data breach. Data breaches have been shown to cause reputational and financial damage to all companies involved. Perhaps more worrying, Verizon recently highlighted that 70% of breaches affect a third party, a third party that may have had no insight into the cause of the breach. This paradigm is now changing: BitSight provides deep insight, and is the only security ratings platform shown to be indicative of the risk of a publicly disclosed data breach.

To establish this, BitSight recently analyzed the ratings of 27,458 companies. By comparing those ratings against a database of 2,671 digital data breaches provided by the leading insurance consultancy Advisen, BitSight was able to uncover a clear correlation between ratings and breaches (a correlation, not by itself a causal link). Specifically, BitSight found that companies with ratings of 400 or below were more than five times as likely to experience a publicly disclosed data breach as organizations with ratings of 700 or above.
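The "more than five times as likely" figure is a ratio of breach rates between two rating bands. The Python below is an added example, not BitSight's code or methodology, showing how a reader would compute that ratio and a confidence interval from a joined ratings-plus-breaches dataset. Every count in it is constructed for illustration (the study publishes only the 27,458-company and 2,671-breach totals, not per-band counts); the 250-900 rating scale, the "400 or below" and "700 or above" cut-offs, and the Wald interval on log(RR) are my assumptions, not anything the study states.

```python
"""Checking a "low-rated companies breach N times more often" claim.

Added example; not BitSight's code. All numbers in CONSTRUCTED below are
made up for illustration. Assumed: ratings on a 250-900 scale and the two
bands compared in the study ("400 or below" vs "700 or above").
"""
import math
from collections import defaultdict


def rating_band(rating: int) -> str:
    """Bucket a rating into the bands compared in the study (assumed cut-offs)."""
    if rating <= 400:
        return "low"
    if rating >= 700:
        return "high"
    return "mid"


def breach_counts(records):
    """records: iterable of (rating, breached: bool) -> {band: (breached, total)}."""
    totals = defaultdict(lambda: [0, 0])
    for rating, breached in records:
        band = rating_band(rating)
        totals[band][0] += int(breached)
        totals[band][1] += 1
    return {band: tuple(v) for band, v in totals.items()}


def relative_risk(a, n1, b, n2, z=1.96):
    """Risk ratio of group 1 (a breached of n1) to group 2 (b of n2), with a
    Wald confidence interval on log(RR) (z=1.96 gives 95%). Requires a, b > 0."""
    rr = (a * n2) / (b * n1)
    se = math.sqrt(1 / a - 1 / n1 + 1 / b - 1 / n2)
    half = z * se
    return rr, math.exp(math.log(rr) - half), math.exp(math.log(rr) + half)


# Constructed sample: explicit per-band counts expanded into (rating, breached)
# records so the code path is the one you would run over a real joined dataset.
CONSTRUCTED = (
    [(350, True)] * 150 + [(350, False)] * 850    # low band:  150 / 1000
    + [(550, True)] * 40 + [(550, False)] * 460   # mid band:   40 /  500
    + [(780, True)] * 25 + [(780, False)] * 975   # high band:  25 / 1000
)


def study_summary(records=CONSTRUCTED):
    """Breach rate per band plus RR(low vs high) with its 95% CI."""
    counts = breach_counts(records)
    rates = {band: breached / total for band, (breached, total) in counts.items()}
    a, n1 = counts["low"]
    b, n2 = counts["high"]
    rr, lo, hi = relative_risk(a, n1, b, n2)
    return {"counts": counts, "rates": rates, "rr": rr, "ci": (lo, hi)}


if __name__ == "__main__":
    s = study_summary()
    for band in ("low", "mid", "high"):
        breached, total = s["counts"][band]
        print(f"{band:>4}: {breached}/{total} breached, rate {s['rates'][band]:.1%}")
    print(f"RR(low vs high) = {s['rr']:.2f}  95% CI [{s['ci'][0]:.2f}, {s['ci'][1]:.2f}]")
    # A ratio whose interval excludes 1.0 is what a "five times" claim rests on.
```

When vetting a vendor's statistic, the two things to ask for are the per-band denominators (a ratio of rates is meaningless without them) and the interval: a point estimate of 6 with a lower bound near 4, as in the constructed sample, supports "more than five times" far better than a point estimate of 6 with a lower bound below 1.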

To learn more, you can download this Technical Note on the study and methodology. If you would like an even deeper look into specific risk vectors involved in the ratings of security posture, I strongly recommend attending our upcoming webinar on November 20, From Signal to Action: Security Metrics that Drive Business Decisions. Beyond an overview of the ratings and how they correlate to breaches, BitSight’s CTO Stephen Boyer and Senior Data Scientist Jay Jacobs will be diving into how security and risk professionals can view different security metrics and drive change within their cyber risk management programs.
