
BitSight Bits: How to Prove that Security Ratings Work

Nick Gagalis | December 23, 2014

During last month's FS-ISAC webinar, Home Depot, the SEC and Increasing Board Oversight: Why Metrics Matter More and More, BitSight CTO and Co-Founder Stephen Boyer answered questions from attendees about why using IT security metrics is more important than ever before. He also performed a live demo of BitSight Security Ratings to show how to prove that security ratings work.

There are a few clips from the webinar below, as well as other uses for Security Ratings and ways you can show your effort is paying off.


Is BitSight a replacement or a complement to ISAC data?

There is no replacement for the ISACs. ISAC data often covers industry-specific threats that target a particular subset of members, which an outside-in rating does not see.

BitSight Security Ratings work best as one of the tools in a holistic information security strategy. By incorporating Security Ratings into a plan with ISAC data and other initiatives, businesses can get a complete understanding of their network's cyber risk posture.



How can Security Ratings be used to assess third party vendors?

Our clients have used Security Ratings to vet potential acquisition targets, as well as vendors the company is considering working with. Both the continually updated ratings and a one-time report have been used to understand the risk posture of companies in a given ecosystem.



How can you use the BitSight portal to monitor security events?

BitSight's Events Tab graphs botnet infections, spam propagation, malware servers, potentially exploited hosts and unsolicited communication for your network. Hovering over events on the graph shows which risk vectors have caused the most trouble, in terms of both how often events occur and how long they stay open. You can also filter by event type to drill into each specific instance.



Other uses of Security Ratings include:

  • Examining current partners to make sure their information security is strong enough to keep the relationship without exposing your company to large amounts of risk.
  • Comparing one company's performance to peers or to an industry benchmark to see whether that company is ahead of the curve (or at least doing everything it can to keep its data safe).
  • Receiving alerts for changes in a company's rating to quickly address the issue.


Proving that Security Ratings are Worth Using

  • Show how much a critical vendor's Security Rating has risen since you flagged the areas for improvement in that vendor's network.
  • If your own network has seen a reduction in remediation time or in the number of events, show the before-and-after difference.
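The two items above, and the Events Tab description earlier, describe the same measurement: count events per risk vector, measure how long each stays open, and compare two periods. The following is an added example (not BitSight's code or portal API) that computes those numbers from a constructed list of events; the event records, risk-vector labels and date ranges are all made up for illustration.

```python
"""Added example, not BitSight's code: compute per-risk-vector frequency and open
time, and a before/after remediation comparison, from a constructed event list."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample data (hypothetical). Each record is
# (risk_vector, first_seen, last_seen); last_seen is treated as the remediation date.
EVENTS = [
    ("botnet_infection",      date(2014, 6, 2),   date(2014, 6, 20)),
    ("spam_propagation",      date(2014, 6, 10),  date(2014, 6, 25)),
    ("potentially_exploited", date(2014, 7, 1),   date(2014, 7, 22)),
    ("malware_server",        date(2014, 7, 15),  date(2014, 7, 30)),
    ("botnet_infection",      date(2014, 8, 3),   date(2014, 8, 12)),
    # Events after a hypothetical remediation push in Q4.
    ("botnet_infection",      date(2014, 10, 4),  date(2014, 10, 7)),
    ("unsolicited_comm",      date(2014, 11, 1),  date(2014, 11, 3)),
    ("potentially_exploited", date(2014, 11, 20), date(2014, 11, 28)),
]

# Comparison windows, half-open [start, end), based on first_seen.
BEFORE_PERIOD = (date(2014, 6, 1), date(2014, 9, 1))
AFTER_PERIOD = (date(2014, 10, 1), date(2015, 1, 1))


def duration_days(first_seen, last_seen):
    """Days an event stayed open; rejects records whose dates are out of order."""
    if last_seen < first_seen:
        raise ValueError(f"last_seen {last_seen} precedes first_seen {first_seen}")
    return (last_seen - first_seen).days


def summarize_by_vector(events, vector=None):
    """Event count and total open days per risk vector, optionally filtered to one
    vector. This is the frequency/length view the post describes."""
    stats = defaultdict(lambda: {"count": 0, "open_days": 0})
    for risk_vector, first_seen, last_seen in events:
        if vector is not None and risk_vector != vector:
            continue
        stats[risk_vector]["count"] += 1
        stats[risk_vector]["open_days"] += duration_days(first_seen, last_seen)
    return dict(stats)


def remediation_metrics(events, start, end):
    """Event count and median days-to-remediate for events first seen in [start, end).
    Median rather than mean so one long-running incident does not dominate."""
    durations = [duration_days(f, l) for _, f, l in events if start <= f < end]
    return {
        "events": len(durations),
        "median_days": median(durations) if durations else None,
    }


def improvement(events, before, after):
    """Before/after comparison; deltas are None when a window has no events,
    rather than silently reporting a zero change."""
    b = remediation_metrics(events, *before)
    a = remediation_metrics(events, *after)
    median_delta = None
    if b["median_days"] is not None and a["median_days"] is not None:
        median_delta = a["median_days"] - b["median_days"]
    return {
        "before": b,
        "after": a,
        "event_delta": a["events"] - b["events"],
        "median_delta_days": median_delta,
    }


if __name__ == "__main__":
    for vector, s in sorted(summarize_by_vector(EVENTS).items()):
        print(f"{vector:22s} count={s['count']} open_days={s['open_days']}")
    print(improvement(EVENTS, BEFORE_PERIOD, AFTER_PERIOD))
```

Negative deltas are the improvement you would put in front of the board: fewer events and a shorter median time-to-remediate in the later window. Whatever the real data source, keep the window boundaries fixed and half-open so that re-running the report later does not move events between periods.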

Although no company is completely immune from being the next Sony, Security Ratings can help you show that you're doing everything within your power to protect your data.

For more on quantifying security performance, see the previous BitSight Bits post.

