BitSight Bits: How to Prove that Security Ratings Work

Nick Gagalis | December 23, 2014 | tag: Security Ratings

During last month's FS-ISAC webinar, "Home Depot, the SEC and Increasing Board Oversight: Why Metrics Matter More and More," BitSight CTO and Co-Founder Stephen Boyer answered attendee questions about why using IT security metrics is more important than ever before. He also gave a live demo of BitSight Security Ratings to show how to prove that security ratings work.

There are a few clips from the webinar below, as well as other uses for Security Ratings and ways you can show your effort is paying off.

ROI Graphic

Is BitSight a replacement or a complement to ISAC data?

There is no replacement for the ISACs. Oftentimes, the intelligence they share covers industry-specific threats that target a particular subset or group of organizations.

BitSight Security Ratings work best as one of the tools in a holistic information security strategy. By incorporating Security Ratings into a plan with ISAC data and other initiatives, businesses can get a complete understanding of their network's cyber risk posture.



How can Security Ratings be used to assess third party vendors?

Our clients have used Security Ratings to vet potential acquisition targets, as well as vendors the company is interested in working with. Both our continually updated ratings and our one-time reports have been used to assess the risk posture of companies in a given ecosystem.



How can you use the BitSight portal to monitor security events?

BitSight's Events Tab graphs botnet infections, spam propagation, malware servers, potentially exploited hosts and unsolicited communication for you. By mousing over different events on the graph, you can see which risk vectors have been the biggest problem for your network, in terms of both frequency and length of the events. You can also filter by type of event to more easily learn about each specific instance. 



Other uses of Security Ratings include:

  • Examining current partners to make sure their information security is strong enough to keep the relationship without exposing your company to large amounts of risk.
  • Comparing one company's performance to other companies or to its industry as a whole to see whether that company is ahead of the curve (or at least doing everything it can to keep its data safe).
  • Receiving alerts for changes in a company's rating to quickly address the issue.


Proving that Security Ratings are Worth Using

  • Examine how much the Security Ratings for a critical vendor have risen since your company pointed out the areas for improvement in the vendor's network.
  • If your network has seen a reduction in the remediation time or the number of events happening, show the difference.

Although no company is completely immune from being the next Sony, Security Ratings can help you show that you're doing everything within your power to protect your data.

For more information on quantifying security performance, take a look at a previous version of BitSight Bits.
