Q&A with Stephen Boyer, BitSight's CTO and Cofounder

I received the following questions from an inquisitive undergraduate student eager to learn more about BitSight and security ratings. He posed excellent and insightful questions, and I thought that I would share our exchange in case others might be wanting to ask the same questions. Thanks, Nick!

BitSight rates companies on their level of security across different vectors. How do you assure potential customers that these ratings are credible?

BitSight customers put our ratings to the test every day. Our consistent execution with respect to quality and dependability has earned the trust of some of the world's largest, most prestigious, and demanding organizations.

In addition to the demands and scrutiny of each of our customers, we have undergone a process review and ratings attestation by one of the world's top-ranked audit firms who needed to perform the audit before it could our recommend and include our service as part of an offering to its clients.

I see cyber security as a black swan business--even if a company is 99% secure, that small vulnerability could be exploited and take down the whole business. Do you think it’s dangerous to assign a number or a grade to a company’s security status? Could this lead to overconfidence amongst boards of directors and CEOs?

I agree that an attacker only needs to exploit a single vulnerability to penetrate and potentially damage an organization. BitSight does not claim to see all security outcomes, and a high rating does not guarantee perfect security outcomes (i.e. no control failures or breaches). That would be reckless and no approach could even begin to make that claim. In fact, we aren't "protecting" systems but rather measuring outcomes. We are in the risk management business. There are no perfectly secure systems. There will always be some chance of a failure; however, the data have proven and continue to prove that high performing organizations take deliberate actions and execute better from a protection, detection, and response perspective than lower performing organizations. Different organizations doing different things are getting different results. These outcomes are measurable by BitSight and factor into the ratings.

Just like with credit scores, there is a spectrum or spread of performance that can be used to model, price and better manage risks. A high credit score is not a guarantee that you will not default on your debt but rather the results of a model that is comprised of a historical track record compared against others that demonstrate that default is less likely. Our research has continued to support this analogy in security ratings. Here is one of our latest pieces of research that provides backing for these assertions. We see that high performing organizations work to protect against failures but have realized that they can't prevent all failures. Given the organizational acceptance that eventually some control will fail, high performing organizations have also invested in capabilities to respond and recover quickly before catastrophic failure.

It is important to remember that BitSight provides key metrics for performance, but its ratings and service do not constitute a complete risk management program. CEO's and Boards need data to drive better risk management practices. The absence of data has created an environment of what we refer to as "optimism bias." Many executives have been overconfident in their security performance in many cases because they lacked the data to tell them otherwise. We are advancing the state of risk management by providing risk managers and executives accessible metrics that drive better data-driven questions and conversations about managing security risk that were never before possible.

You raised a $24mm Series A in 2013 from Menlo, Flybridge, and a few others. How did you choose your investors and was it hard to get them to buy into such a large series A?

In every case we were introduced to investors by a trusted reference. We had all had either worked directly with the investor previously or had contacts or associates who had.

Our investors believed in the incredible team that we had assembled and the large and transformative market opportunity that we were creating. We also had extremely supportive and influential customers who could vouch for the value of our service and vision.

You make money from selling company ratings to cyber insurance agencies, performing cyber due diligence for M&A transactions, monitoring 3rd party risk and by allowing companies to benchmark their security against competitors. Which of these lines of business do you see as most compelling both now and in the future?

The three core use cases for BitSight are third party risk management, benchmarking, and cyber insurance. M&A, portfolio management, competitive assessments, and regulatory oversight all fit within those use cases as well. All three use cases are supported by a single ratings platform. Although the ratings have distinct use cases and can stand alone, together they support a much more standards-based systemic risk management approach.

For example, each Board of Directors needs to know how its own organization is performing with respect to its peers and its industry to drive better governance and protect shareholder value. With security ratings, the board now has an industry standard metric by which it can hold management accountable for its security investment decisions and execution. Additionally, as the Board considers cyber risk transfer strategies it may consider obtaining cyber insurance coverage. The Board can use security ratings to demonstrate to its insurance carrier that its organization has executed inline with its industry benchmark. On the other side of the risk transfer equation, the insurance carriers and underwriters can use security ratings to understand the level of risk that they are underwriting by examining empirical and historical data and building intelligent underwriting models.

Many recent high-profile breaches have taught us that the insurance carrier isn't just underwriting the risk of the insured but also the risks in the insured's supply chain. Given this extended ecosystem risk that flows to the carrier on a claim, the insured, as encouraged by its carrier, can use security ratings as a better way to manage its third party risks. Armed with better data and insight, the insured company can have more directed and prioritized data-driven conversations with its vendors to manage and mitigate risks introduced by poorer performing vendors. The Board can now track the performance of the company's vendor portfolio and we have now come full circle. The benchmarking service is the easiest for organizations to acquire and implement because most organizations are already accustomed to doing benchmarking activities today.

Fewer organizations have sophisticated third party risk management programs today but this is changing. The regulatory mandate to better scrutinize vendors and continuously monitor the supply chain is prompting organizations across industry sectors to implement better third-party risk management practices.

Cyber insurance is the fastest growing area of all insurance growing at about 54% a year. The adoption of BitSight's security ratings by the world's largest cyber insurance underwriters, (ex. ACE, AIG, & Liberty), will continue driving the need for benchmarking and third party risk management. Insurance will ultimately shape in large part how firms invest and execute on security because it will impact their premiums and in some cases their ability to operate. The example of Progressive Insurance is illustrative in this context. Progressive has a device that their insureds / customers can install in their vehicles to measure driving habits (read empirically derived outcomes). From those measurements, Progressive can adjust the price of their customer's policies based on observed behaviors (ex. how fast you drive). Progressive can write better risk-adjusted policies because they have better data and the drivers are incented to drive responsibly. BitSight Security Ratings are enabling this type of measurement-based risk management capability for the growing cyber insurance sector and will incent businesses to “drive” their cyber security efforts responsibly.

Nick Normile is a Wharton undergrad. See his cybersecurity newsletter here.