
BitSight Bits: How to Prove that Security Ratings Work

Nick Gagalis | December 23, 2014

During last month's FS-ISAC webinar, Home Depot, the SEC and Increasing Board Oversight: Why Metrics Matter More and More, BitSight CTO and Co-Founder Stephen Boyer answered questions from attendees about why using IT security metrics is more important than ever before. He also performed a live demo of BitSight Security Ratings to show how to prove that security ratings work.

There are a few clips from the webinar below, as well as other uses for Security Ratings and ways you can show your effort is paying off.

[Figure: ROI graphic]

Is BitSight a replacement or a complement to ISAC data?

There is no replacement for the ISACs. Oftentimes, the threats they share are industry-specific, targeting a particular subset or group of organizations.

BitSight Security Ratings work best as one of the tools in a holistic information security strategy. By incorporating Security Ratings into a plan with ISAC data and other initiatives, businesses can get a complete understanding of their network's cyber risk posture.



How can Security Ratings be used to assess third party vendors?

Our clients have used Security Ratings to vet potential acquisition targets, as well as vendors the company is interested in working with. Whether through our continually updated ratings or a one-time report, both have been used to discover the risk posture of companies in a given ecosystem.



How can you use the BitSight portal to monitor security events?

BitSight's Events Tab graphs botnet infections, spam propagation, malware servers, potentially exploited hosts and unsolicited communication for you. By hovering over different events on the graph, you can see which risk vectors have been the biggest problem for your network, in terms of both the frequency and the duration of the events. You can also filter by type of event to more easily learn about each specific instance.



Other uses of Security Ratings include:

  • Examining current partners to make sure their information security is strong enough to keep the relationship without exposing your company to large amounts of risk.
  • Comparing one company's performance to others or an industry to see if that company is ahead of the curve (or at least doing everything it can to keep its data safe).
  • Receiving alerts for changes in a company's rating to quickly address the issue.


Proving that Security Ratings are Worth Using

  • Examine how much the Security Ratings for a critical vendor have risen since your company mentioned the areas for improvement in the vendor's network.
  • If your network has seen a reduction in the remediation time or the number of events happening, show the difference.

Although no company is completely immune to becoming the next Sony, Security Ratings can help you show that you're doing everything within your power to protect your data.

For more information on quantifying security performance, take a look at a previous version of BitSight Bits.

