More thoughts on the BitSight Industry Security Effectiveness Report
Melissa Stevens | December 3, 2013
In late November, we released the first of our quarterly BitSight Insights reports, in which we analyzed the security effectiveness ratings of 70 Fortune 200 companies in 4 key industries: technology, finance, energy and retail. We documented some really interesting findings, including the fact that the technology sector lags far behind the other industries we analyzed, and that finance, despite being highly targeted, is actually the most effective at remediating the threats we saw assaulting their systems.
But aside from these findings, something that I think is really important to discuss is what the security ratings actually mean. Up to this point, understanding the security posture of an organization has been a really difficult concept. It required audits, assessments, questionnaires, penetration tests and more. There was also no easy, objective means of benchmarking organizations against each other in order to measure how effective the controls and instruments in place were against attacks. Compound that with a lack of consistency around breach reporting (and a hesitancy to share), and we're quite often left in the dark when it comes to determining the security effectiveness of the organizations we do business with.
I know it sounds like I am tooting the BitSight horn here, but this moment is kind of a big deal! If you think about it, the majority of the reports and data points that we see published by the security industry are focused on either counting the volume and origination of attacks, or surveying those on the front lines to assess their opinions on how well they are doing at defense. These are important data points, and we all learn a lot from reading them. But what the BitSight report shows is something useful in an entirely different way; we show, using objective, data-driven methods, how effective we are at fighting the battle. We believe that measuring and understanding actual outcomes allows companies to more effectively manage their security risk.
We're really excited to be able to bring this information to light, and hope that you're looking forward to future Insights reports as much as we are!