Security Ratings

How Does BitSight Work? A Look At Security Ratings & How They're Used

Melissa Stevens | September 14, 2016

Since our foundation in 2011 as the first company to provide a rating for measuring a company’s cyber security, BitSight has become the world-leading security ratings provider. BitSight is used around the world by industry leaders, government bodies, and smaller organizations alike to take control of their cyber footprint, using safe and objective rating techniques. What does BitSight do to stand apart from others in the security industry?

What is BitSight?

BitSight offers the most widely adopted Security Ratings solution by following our mission to change the way the world prioritizes and manages cyber risk. BitSight’s security ratings software helps companies:

  • Understand their own security performance, as well as the performance of their vendors, clients, and other third and fourth parties. 
  • Continuously assess cyber risks within their ecosystem.
  • Have the confidence to make faster, more strategic cyber risk management decisions using objective, verifiable, and actionable data.

What are Security Ratings? 

Security Ratings can be compared to the use of credit scores, which we are mostly familiar with when it comes to larger purchasing decisions or receiving a loan. BitSight’s ratings range from 250 to 900, with a higher rating indicating better cybersecurity performance. These scores are used by CISOs, CIOs, security managers, underwriters, auditors, and many others to address a company’s procedures and level of risk awareness and management. 

Security ratings are objective, outside evaluations and do not require input from any company involved. These ratings are continuously updated—and because BitSight is a software-as-a-service (SaaS) solution, ratings can be accessed in the BitSight Security Ratings Platform from any online browser.

Security ratings take into account things like historical security performance and performance change over time. Alerts are generated to notify users of significant changes in their ratings or those of their third parties, and actionable information is provided to mitigate the specific risk associated with the alert. The BitSight platform is designed to provide a user-friendly experience with little-to-no training needed to understand the data.

 
What Goes Into The BitSight Security Rating Calculation?

BitSight formulates security ratings by gathering security information from billions of stored data points and events that happen online. From this data, we’re able to see the following:

  • Indicators of compromise.
  • Infected machines.
  • Proper or improper configuration of security controls.
  • Positive or poor security hygiene.
  • Potentially harmful user behaviors.

The data is then mapped onto the network footprint of the company or organization being rated and run through an algorithm that weighs each observation by its severity, frequency, duration, and confidence. From this, BitSight produces an overall rating of the organization’s security performance.
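The calculation above is described only in terms of its inputs (severity, frequency, duration, confidence) and its output range (250 to 900), and the earlier section mentions alerts on significant rating changes. The following toy Python model is an added illustration of how such inputs could be folded into a single score and how a drop alert could be derived from two successive scores; it is not BitSight’s algorithm or code. The field names, weighting formula, saturation and recency constants, alert threshold, and sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Rating range stated on the page: 250 (worst) to 900 (best).
RATING_MIN, RATING_MAX = 250, 900
# Assumption: a summed penalty of SATURATION or more pins the rating at the floor.
SATURATION = 5.0
# Assumption: observations older than this window no longer count.
RECENCY_WINDOW_DAYS = 365
# Assumption: an issue that persists this long counts at full weight.
DURATION_CAP_DAYS = 30


@dataclass(frozen=True)
class Finding:
    """One externally observed security event attributed to an organisation (hypothetical schema)."""
    category: str      # e.g. "botnet_infection", "open_service", "tls_config"
    severity: float    # 0.0 (informational) .. 1.0 (critical)
    first_seen: date
    last_seen: date
    confidence: float  # 0.0 .. 1.0: how sure we are the asset belongs to the organisation


def finding_weight(f: Finding, as_of: date) -> float:
    """Fold severity, duration, confidence and recency into one penalty value."""
    duration_days = (f.last_seen - f.first_seen).days + 1
    duration_factor = min(duration_days, DURATION_CAP_DAYS) / DURATION_CAP_DAYS
    age_days = (as_of - f.last_seen).days
    # Linear decay: a finding last seen RECENCY_WINDOW_DAYS ago or earlier contributes nothing.
    recency = max(0.0, 1.0 - age_days / RECENCY_WINDOW_DAYS)
    return f.severity * duration_factor * f.confidence * recency


def compute_rating(findings, as_of: date) -> int:
    """Map the summed penalty onto the 250..900 range; frequency enters through the sum."""
    penalty = sum(finding_weight(f, as_of) for f in findings)
    fraction_remaining = 1.0 - min(penalty, SATURATION) / SATURATION
    return round(RATING_MIN + fraction_remaining * (RATING_MAX - RATING_MIN))


def significant_drop(previous: int, current: int, threshold: int = 40) -> bool:
    """Alert rule (threshold is an assumption): flag a fall of at least `threshold` points."""
    return previous - current >= threshold


# Constructed sample data, not real observations.
AS_OF = date(2020, 7, 1)
SAMPLE_FINDINGS = [
    # Persisting for the full 30-day cap, still active, high attribution confidence.
    Finding("botnet_infection", 1.0, date(2020, 6, 2), date(2020, 7, 1), 1.0),
    # Seen once today, moderate attribution confidence.
    Finding("open_service", 0.5, date(2020, 7, 1), date(2020, 7, 1), 0.6),
]
# Last seen more than a year before AS_OF, so it falls outside the recency window.
STALE_FINDING = Finding("tls_config", 1.0, date(2019, 1, 1), date(2019, 6, 1), 1.0)


if __name__ == "__main__":
    baseline = compute_rating([], AS_OF)
    current = compute_rating(SAMPLE_FINDINGS, AS_OF)
    print(f"clean footprint: {baseline}, with findings: {current}")
    print("alert on drop:", significant_drop(baseline, current))
    print("stale finding alone:", compute_rating([STALE_FINDING], AS_OF))
```

Two design points carry over to any real model of this kind: the confidence term keeps mis-attributed assets (someone else’s IP space) from dragging a rating down at full weight, and the recency decay is what lets a rating recover once an issue is remediated rather than penalising an organisation indefinitely.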

BitSight invests heavily in research and development to empower customers with objective, verifiable, and actionable security data.

 

How To Apply The BitSight Security Rating

Curious how BitSight can be applied to different use cases? The Security Ratings Platform can be leveraged for multiple uses, including security performance management, third-party vendor risk management, cyber insurance, and mergers and acquisitions.

Security Performance Management

There are a few ways companies use what BitSight does through providing security ratings for their security performance management:

  1. BitSight helps users take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program through broad measurement, continuous monitoring, and detailed forecasting in an effort to measurably reduce cyber risk.
  2. What does BitSight do to help users benchmark against their industry peers or competitors? It’s easy to see if your security rating is more or less advanced than your industry peers using the standardized rating system BitSight data creates. With this information, organizations can make better decisions on how to efficiently allocate resources for their security program to stay competitive within their peers.
  3. Users facilitate the process of reporting their security data by utilizing their BitSight rating when presenting to their board of directors. Company executives and leadership teams are becoming increasingly concerned with cybersecurity performance, and BitSight’s Security Ratings are a proven and effective way to communicate security performance with the board.

Third-Party Vendor Risk Management

Security ratings can be used during various life-cycle stages of a vendor relationship:

  1. Selection: Companies can look at security ratings to get a sense of the vendor’s security posture before they begin engaging with them. 
  2. Onboarding: Once a vendor has been selected, the vendor will become intertwined with the user’s first-party network. Depending on their criticality, the vendor may have access to the internal network or sensitive data. So while completing onboarding, your company must continue to monitor a vendor’s security performance.
  3. Ongoing: Security ratings are critical for continuous monitoring in long-term vendor relationships. BitSight will alert you if there are any changes to the vendor’s security posture, and will help you keep an eye on your most critical, highest-tier vendors year-round instead of just during a yearly audit.
  4. Termination: If a vendor becomes a large security problem — say they’ve been breached and didn’t tell you, but you found out via the BitSight platform — you can use ratings to help you decide if a vendor relationship needs to be terminated.

Cyber Insurance

Cyber insurance underwriters use ratings to get a sense of a company’s cyber footprint. If an insurance company is looking to underwrite a cyber insurance policy for a big bank and they see the bank has a poor rating, they’re likely to take that into consideration when writing the policy.

On the other hand, a company with a great BitSight Security Rating can present that rating to several insurers to find the best offer. This is another way BitSight helps users run their business operations more efficiently.

Mergers & Acquisitions

When a company acquires another company, they often assume ownership of every IP address and security process associated with the purchased company. There have been many cases where companies have either merged with or acquired another business that carries a lot of security risk. 

Today, more companies are recognizing this risk — and it is now evaluated on the same stage as credit, financial, or operational risk. What BitSight does is provide security ratings that give the purchasing company a better look at information that could alter their decision to purchase.

The content in this piece was originally published by BitSight in September of 2016, and has been updated as of July of 2020. This updated version includes current information about BitSight, our security rating and third-party monitoring software, and the cybersecurity space.

View our security ratings guide to learn more.
