How Does BitSight Work? A Look At Security Ratings & How They’re Used

Melissa Stevens | September 14, 2016

What is BitSight?

BitSight offers the most widely adopted Security Ratings solution with a mission to change the way the world addresses cyber risk. In doing this, BitSight helps companies:

  • Understand their own security performance, and the performance of their vendors, clients, and other third parties
  • Continuously assess cyber risks within their ecosystem
  • Have the confidence to make faster, more strategic cyber risk management decisions using objective, verifiable, and actionable data

What are Security Ratings?

Security Ratings are similar to consumer credit scores. They range from 250 to 900, with a higher rating indicating better cybersecurity performance. They are used by CISOs, CIOs, security managers, underwriters, auditors, and many others. They do not require any input from the rated company. These ratings are updated daily—and because BitSight is a software-as-a-service (SaaS) solution, ratings can be accessed in the BitSight Security Ratings Platform from any web browser.

Security ratings take into account historical security performance and how that performance changes over time. Alerts are generated upon significant changes in ratings, and actionable information is provided to mitigate the specific risk. Minimal training is needed to navigate the BitSight UI, and little to no training is needed to understand the data.

How are BitSight Security Ratings calculated?

BitSight formulates security ratings by gathering and storing billions of events that happen online. From this data, we’re able to see the following:

  • Indicators of compromise.
  • Infected machines.
  • Proper or improper configuration of certain security controls.
  • Positive or poor security hygiene.
  • Potentially harmful user behaviors.

The data is then mapped onto the network footprint of a given company or organization. The raw data and the network footprint are then run through an algorithm that analyzes each finding for severity, frequency, duration, and confidence. With this information, we are able to create an overall rating of an organization’s security performance.
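To make the attribution and scoring steps concrete, here is an added illustrative model, not BitSight's actual algorithm (whose weights are not published here): constructed external observations are attributed to an organization's IP footprint, each finding is weighted by severity, confidence and duration, repeated findings of one kind carry a frequency surcharge, and the capped penalty is mapped onto the 250 to 900 scale. All function names, weights, ranges and sample data are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample footprint (RFC 5737 documentation ranges, not a real company).
FOOTPRINT = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample observations: (kind, source_ip, first_day, last_day, severity, confidence).
# Days are offsets inside a 30-day window; severity and confidence are on a 0..1 scale.
OBSERVATIONS = [
    ("botnet_infection", "203.0.113.45", 1, 10, 0.9, 0.95),
    ("open_resolver", "203.0.113.7", 3, 3, 0.4, 0.80),
    ("botnet_infection", "203.0.113.45", 12, 14, 0.9, 0.60),
    ("expired_tls_cert", "198.51.100.20", 0, 30, 0.3, 0.99),
    ("botnet_infection", "192.0.2.9", 2, 5, 0.9, 0.90),  # outside the footprint, ignored
]


def attribute(observations, footprint):
    """Keep only observations whose source IP falls inside the organization's footprint."""
    return [o for o in observations
            if any(ipaddress.ip_address(o[1]) in net for net in footprint)]


def event_penalty(event, window_days=30):
    """Severity x confidence, scaled by how long the finding persisted inside the window."""
    _, _, first, last, severity, confidence = event
    duration = min(last - first + 1, window_days)
    return severity * confidence * duration / window_days


def total_penalty(events, window_days=30, repeat_factor=0.25):
    """Sum penalties per finding kind; repeats of one kind add a frequency surcharge (assumed weight)."""
    by_kind = defaultdict(list)
    for e in events:
        by_kind[e[0]].append(event_penalty(e, window_days))
    return sum(sum(p) * (1 + repeat_factor * (len(p) - 1)) for p in by_kind.values())


def rating(events, low=250, high=900):
    """Map the capped penalty onto the 250..900 scale; no findings gives the top rating."""
    return round(high - (high - low) * min(total_penalty(events), 1.0))


if __name__ == "__main__":
    attributed = attribute(OBSERVATIONS, FOOTPRINT)
    for e in attributed:
        print(f"{e[0]:18} {e[1]:15} penalty={event_penalty(e):.3f}")
    print("rating:", rating(attributed))
```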

BitSight invests heavily in research and development to empower customers with objective, verifiable, and actionable security data.

How are BitSight Security Ratings used?

Curious how BitSight works for different applications? The Security Ratings Platform can be leveraged for multiple use cases, including security performance management, third-party vendor risk management, cyber insurance, and mergers and acquisitions. We’ll describe each below.

Security Performance Management

There are a few ways companies use security ratings for security performance management:

  1. To take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program through broad measurement, continuous monitoring, and detailed planning and forecasting in an effort to measurably reduce cyber risk.
  2. To benchmark against their industry peers or competitors. It’s easy to see if your security rating is more or less advanced than your industry peers. With this information, organizations can make better decisions on how to efficiently allocate resources for their security program.
  3. To present to their board of directors. Company executives and leadership teams are increasingly concerned with cybersecurity performance. Security ratings are an effective, accepted way to communicate security performance with the board.

Third-Party Vendor Risk Management

Security ratings can be used during various life cycle stages of a vendor relationship:

  1. Selection: Companies can look at security ratings to get a sense of the vendor’s security posture before they even engage with them. 
  2. Onboarding: Once a vendor has been selected, the vendor will become intertwined with the first-party network. Depending on their criticality, the vendor may have access to the network or sensitive data. So from onboarding onward, your company must continue to monitor their security performance.
  3. Ongoing: Security ratings are critical for continuous monitoring in long-term vendor relationships. BitSight will alert you if there are any changes to the vendor’s security posture at any time.
  4. Termination: If a vendor becomes a large security problem — say they’ve been breached and didn’t tell you, but you found out via the BitSight platform — you can use ratings to help you decide if a vendor relationship needs to be terminated.

Cyber Insurance

Cyber insurance underwriters use ratings to get a sense of the cybersecurity risk of a company. If an insurance company is looking to underwrite a cyber insurance policy for a big bank, and the bank has a poor rating, they’re likely to take that into consideration when they write the policy.

On the other hand, if a company is looking for cyber insurance and they have a great BitSight Security Rating, they could shop their rating around. This may help them negotiate a better contract with insurance carriers.

Mergers & Acquisitions

When a company acquires another company, they often assume ownership of every IP address associated with the purchased company. There have been many cases where companies have either merged with or acquired a company with a lot of security risk. Today, more companies are recognizing this risk — and it is now evaluated on the same stage as credit, financial, or operational risk. Security ratings provide the purchasing company with information that could alter their bid or even their decision to purchase.
