BitSight Bits: Quantifying Security Performance

During last month's SANS webinar, Quantifying Security Performance: The What, Why and How of Security Ratings, BitSight CTO and Co-Founder Stephen Boyer answered questions from attendees. Here are some of the most interesting questions people posed, and our answers for each one. There are also two clips from the webinar recording.


How does BitSight gather its data?

We don't take any info directly from companies, so we can remain objective. All of our 100+ data sources provide us with data that is publicly available. We take the objective, empirical things we can normalize across industries without bias towards any organization.

We can see the types of activity emanating from these networks. Historically, it's been about finding the "bad actors in the castle." We can find out more information about the bad actors, including details that can help remediate and/or reduce the risk of a certain threat happening in the future. Through our data, we are able to answer questions like, "where is it coming from?" and, "whose infrastructure is it residing on?" Some companies have vulnerabilities in their networks that have been exploited for years.

We're a small company. How could we fairly compare ourselves to other companies like us, not just the industry leaders?

Our customers build a portfolio of companies they would like to compare themselves to. That can include any companies they choose. There could be some companies with similar network or employee sizes that you include. Our ratings roll up to an industry level too, so you can see the averages across the whole industry.

It's easy to make direct comparisons to companies of any size, like a company you aspire to be or one you're projected to surpass soon.

Are there some types of data more important to the ratings than others?

If there's external evidence of a compromise, that is a crucial problem to address. If there's complete system control from malware that includes keystroke information running in memory for long periods of time, that's a major risk as well. If those issues are widespread, we know there are serious problems with the network.

Our security ratings are not predictive, but they reflect good hygiene, which reduces your company's risk of suffering from major data loss.

What/how much data do you need to make a rating? Why might a company not show up in your ratings?

We follow the same model as companies that evaluate credit scores. We'll decline to give a security rating if we don't have enough data to make an accurate one. For example, sometimes very small law firms don't have big enough network footprints for us to make a strong assertion of their security. We qualify those as either "low data" (meaning there could be enough data in the future) or "unmappable."

How are ratings normalized, between geography, leadership philosophy, size, etc.?

We normalize our security ratings by employee & network size. Because of the way we formulate our ratings, we can make apples-to-apples comparisons between larger conglomerates and smaller companies.

In addition to normalizing for size, we can also segment into different departments, based on the company's network structure. There are some global organizations with many business divisions that have their networks divided up properly, so we can accurately assess how their departments compare. Whether we can separate companies into smaller parts or not, we rate the company as a whole.