How Does BitSight Work? A Look At Security Ratings & How They’re Used

Melissa Stevens | September 14, 2016

What is BitSight?

BitSight offers the most widely adopted Security Ratings solution with a mission to change the way the world addresses cyber risk. In doing this, BitSight helps companies:

  • Understand their own security performance, and the performance of their vendors, clients, and other third parties
  • Continuously assess cyber risks within their ecosystem
  • Have the confidence to make faster, more strategic cyber risk management decisions using objective, verifiable, and actionable data

What are Security Ratings? 

Security Ratings are similar to consumer credit scores. They range from 250 to 900, with a higher rating indicating better cybersecurity performance. They are used by CISOs, CIOs, security managers, underwriters, auditors, and many others, and they require no input from the rated company. Ratings are updated daily, and because BitSight is a software-as-a-service (SaaS) solution, they can be accessed in the BitSight Security Ratings Platform from any web browser.

Security ratings take into account historical security performance and how it trends over time. Alerts are generated when a rating changes significantly, and actionable information is provided to mitigate the specific risk. Minimal training is needed to navigate the BitSight UI, and little to no training is needed to understand the data.

How are BitSight Security Ratings calculated?

BitSight formulates security ratings by gathering and storing billions of events that happen online. From this data, we’re able to see the following:

  • Indicators of compromise.
  • Infected machines.
  • Proper or improper configuration of certain security controls.
  • Positive or poor security hygiene.
  • Potentially harmful user behaviors.

Each event is then attributed to the network footprint of a company or organization. The attributed events and the footprint are run through an algorithm that weighs each finding by its severity, frequency, duration, and confidence. From this, we produce an overall rating of the organization's security performance.
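To make the pipeline above concrete, here is an added toy model (not BitSight's proprietary algorithm, and not code from the post): externally observed events are attributed to an organization's published netblocks, each attributed finding is weighted by the four factors named above, the result is mapped onto the 250 to 900 range, and a daily-change check shows the kind of "significant change" alert described earlier. The weights, the 30-day duration scale, the 100-points-per-unit penalty, the 40-point alert threshold and the sample events are all assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Illustrative model only, not BitSight's proprietary algorithm: the weights,
# the 30-day duration scale, the 100-points-per-unit penalty and the 40-point
# alert threshold are all assumptions made for this example.
RATING_MIN, RATING_MAX = 250, 900   # the range the post states

@dataclass
class Event:
    ip: str             # address of the affected machine, as observed externally
    kind: str           # e.g. "botnet_infection", "open_port"
    severity: float     # 0..1, how bad the finding is
    duration_days: int  # how long the finding has persisted
    confidence: float   # 0..1, how sure the sensor is of its attribution

def in_footprint(ip: str, footprint: list[str]) -> bool:
    """Attribute an event to an organization via its published netblocks."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in footprint)

def rating(events: list[Event], footprint: list[str]) -> int:
    """Fold the events attributed to a footprint into one 250-900 score."""
    penalty = 0.0
    for e in events:
        if not in_footprint(e.ip, footprint):
            continue  # someone else's network; ignore it
        # Findings that persist weigh more, saturating after 30 days.
        duration_factor = min(1.0, e.duration_days / 30)
        # Frequency enters implicitly: every attributed event adds to the sum.
        penalty += e.severity * e.confidence * (0.5 + 0.5 * duration_factor)
    return max(RATING_MIN, round(RATING_MAX - 100 * penalty))

def significant_change(history: list[int], threshold: int = 40) -> bool:
    """Daily ratings: flag a drop of at least `threshold` points since yesterday."""
    return len(history) >= 2 and history[-2] - history[-1] >= threshold

# Constructed sample data (documentation-only address ranges).
FOOTPRINT = ["198.51.100.0/24"]
EVENTS = [
    Event("198.51.100.7", "botnet_infection", 1.0, 45, 0.9),
    Event("198.51.100.20", "open_port", 0.4, 10, 1.0),
    Event("203.0.113.5", "spam_source", 0.6, 3, 0.8),  # outside the footprint
]

if __name__ == "__main__":
    today = rating(EVENTS, FOOTPRINT)
    print("rating:", today)                                  # 783
    print("alert:", significant_change([830, today]))        # True
```

Note that the event outside the footprint is dropped before scoring, which is why attribution quality (the confidence factor) matters as much as the severity of what was observed.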

BitSight invests heavily in research and development to empower customers with objective, verifiable, and actionable security data.

How are BitSight Security Ratings used?

Curious how BitSight works for different applications? The Security Ratings Platform can be leveraged for multiple use cases, including security performance management, third-party vendor risk management, cyber insurance, and mergers and acquisitions. We’ll describe each below and in this guide to using security ratings.

Security Performance Management

There are a few ways companies use security ratings for security performance management:

  1. To take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program through broad measurement, continuous monitoring, and detailed planning and forecasting in an effort to measurably reduce cyber risk.
  2. To benchmark against their industry peers or competitors. It's easy to see whether your security rating is higher or lower than those of your industry peers. With this information, organizations can make better decisions about how to allocate resources for their security program efficiently.
  3. To present to their board of directors. Company executives and leadership teams are increasingly concerned with cybersecurity performance. Security ratings are an effective, accepted way to communicate security performance with the board.

Third-Party Vendor Risk Management

Security ratings can be used during various life cycle stages of a vendor relationship:

  1. Selection: Companies can look at security ratings to get a sense of the vendor’s security posture before they even engage with them. 
  2. Onboarding: Once a vendor has been selected, the vendor becomes intertwined with the first-party network. Depending on their criticality, the vendor may have access to the network or to sensitive data, so from onboarding onward your company must keep monitoring their security performance.
  3. Ongoing: Security ratings are critical for continuous monitoring in long-term vendor relationships. BitSight will alert you if there are any changes to the vendor’s security posture at any time.
  4. Termination: If a vendor becomes a large security problem — say they’ve been breached and didn’t tell you, but you found out via the BitSight platform — you can use ratings to help you decide if a vendor relationship needs to be terminated.

Cyber Insurance

Cyber insurance underwriters use ratings to get a sense of the cybersecurity risk of a company. If an insurance company is looking to underwrite a cyber insurance policy for a big bank, and the bank has a poor rating, they’re likely to take that into consideration when they write the policy.

On the other hand, if a company is looking for cyber insurance and they have a great BitSight Security Rating, they could shop their rating around. This may help them negotiate a better contract with insurance carriers.

Mergers & Acquisitions

When a company acquires another company, they often assume ownership of every IP address associated with the purchased company. There have been many cases where companies have either merged with or acquired a company with a lot of security risk. Today, more companies are recognizing this risk — and it is now evaluated on the same stage as credit, financial, or operational risk. Security ratings provide the purchasing company with information that could alter their bid or even their decision to purchase.
