BitSight Bits: Quantifying Security Performance

Nick Gagalis | December 10, 2014 | tag: Security Risk Management

During last month's SANS webinar, Quantifying Security Performance: The What, Why and How of Security Ratings, BitSight CTO and Co-Founder Stephen Boyer answered questions from attendees. Here are some of the most interesting questions people posed, and our answers for each one. There are also two clips from the webinar recording.
How does BitSight gather its data?

We don't take any info directly from companies, so we can remain objective. All of our 100+ data sources provide us with data that is publicly available. We take the objective, empirical things we can normalize across industries without bias towards any organization.

We can see the types of activity emanating from these networks. Historically, it's been about finding the "bad actors in the castle." We can find out more information about the bad actors, including details that can help remediate and/or reduce the risk of a certain threat happening in the future. Through our data, we are able to answer questions like, "where is it coming from?" and, "whose infrastructure is it residing on?" Some companies have vulnerabilities in their networks that have been exploited for years.

We're a small company. How could we fairly compare ourselves to other companies like us, not just the industry leaders?

Our customers build a portfolio of companies they would like to compare themselves to. That can include any companies they choose. There could be some companies with similar network or employee sizes that you include. Our ratings roll up to an industry level too, so you can see the averages across the whole industry.

It's easy to make direct comparisons to companies of any size, like a company you aspire to be or one you're projected to surpass soon.

Are there some types of data more important to the ratings than others?

If there's external evidence of a compromise, that is a crucial problem to address. If there's complete system control from malware that includes keystroke information running in memory for long periods of time, that's a major risk as well. If those issues are widespread, we know there are serious problems with the network.

Our security ratings are not predictive, but they reflect good hygiene, which reduces your company's risk of suffering from major data loss.

What/how much data do you need to make a rating? Why might a company not show up in your ratings?

We follow the same model as companies that evaluate credit scores. We'll decline to give a security rating if we don't have enough data to make an accurate one. For example, sometimes very small law firms don't have big enough network footprints for us to make a strong assertion of their security. We qualify those as either "low data" (meaning there could be enough data in the future) or "unmappable."

How are ratings normalized, between geography, leadership philosophy, size, etc.?

We normalize our security ratings by employee & network size. Because of the way we formulate our ratings, we can make apples-to-apples comparisons between larger conglomerates and smaller companies.

In addition to normalizing for size, we can also segment into different departments, based on the company's network structure. There are some global organizations with many business divisions that have their networks divided up properly, so we can accurately assess how their departments compare. Whether we can separate companies into smaller parts or not, we rate the company as a whole.

You can find the recording of the entire webinar here.

For more information on other webinars we have done, please visit our webinars page.
