More thoughts on the BitSight Industry Security Effectiveness Report

Melissa Stevens | December 3, 2013

In late November, we released the first of our quarterly BitSight Insights reports, in which we analyzed the security effectiveness ratings of 70 Fortune 200 companies in 4 key industries: technology, finance, energy and retail. We documented some really interesting findings, including the fact that the technology sector lags far behind the other industries we analyzed, and that finance, despite being highly targeted, is actually the most effective at remediating the threats we saw assaulting their systems.

But aside from these findings, something that I think is really important to discuss is what the security ratings actually mean. Up to this point, understanding the security posture of an organization has been a really difficult concept. It required audits, assessments, questionnaires, penetration tests and more. There was also no easy, objective means of benchmarking organizations against each other in order to measure how effective the controls and instruments in place were against attacks. Compound that with a lack of consistency around breach reporting (and a hesitancy to share), and we're quite often left in the dark when it comes to determining the security effectiveness of the organizations we do business with.

I know it sounds like I am tooting the BitSight horn here, but this moment is kind of a big deal! If you think about it, the majority of the reports and data points that we see published by the security industry are focused on either counting the volume and origination of attacks, or surveying those on the front lines to assess their opinions on how well they are doing at defense. These are important data points, and we all learn a lot from reading them. But what the BitSight report shows is something useful in an entirely different way: we show, using objective, data-driven methods, how effective we are at fighting the battle. We believe that measuring and understanding actual outcomes allows companies to more effectively manage their security risk.

We're really excited to be able to bring this information to light, and hope that you're looking forward to future insights reports as much as we are!
