BitSight Bits: Quantifying Security Performance

Nick Gagalis | December 10, 2014 | tag: Security Risk Management

During last month's SANS webinar, Quantifying Security Performance: The What, Why and How of Security Ratings, BitSight CTO and Co-Founder Stephen Boyer answered questions from attendees. Here are some of the most interesting questions people posed, and our answers for each one. There are also two clips from the webinar recording.


How does BitSight gather its data?

We don't take any information directly from the companies we rate, so we can remain objective. All of our 100+ data sources provide us with data that is publicly available. We use the objective, empirical measurements that can be normalized across industries without bias toward any organization.

We can see the types of activity emanating from these networks. Historically, security has been about finding the "bad actors in the castle." We can find out more about those bad actors, including details that help remediate a threat or reduce the risk of it recurring. Through our data, we are able to answer questions like "where is it coming from?" and "whose infrastructure is it residing on?" Some companies have vulnerabilities in their networks that have been exploited for years.

We're a small company. How could we fairly compare ourselves to other companies like us, not just the industry leaders?

Our customers build a portfolio of companies they would like to compare themselves to, and that portfolio can include any companies they choose. You might include companies with a similar network size or employee count. Our ratings roll up to an industry level too, so you can see the averages across the whole industry.

It's easy to make direct comparisons to companies of any size, like a company you aspire to be or one you're projected to surpass soon.

Are there some types of data more important to the ratings than others?

If there's external evidence of a compromise, that is a crucial problem to address. If malware has complete control of a system, capturing keystrokes and running in memory for long periods of time, that's a major risk as well. If those issues are widespread, we know there are serious problems with the network.

Our security ratings are not predictive, but they reflect good hygiene, which reduces your company's risk of suffering from major data loss.

What/how much data do you need to make a rating? Why might a company not show up in your ratings?

We follow the same model as companies that evaluate credit scores: we decline to give a security rating if we don't have enough data to make an accurate one. For example, very small law firms sometimes don't have a big enough network footprint for us to make a strong assertion about their security. We classify those companies as either "low data" (meaning there could be enough data in the future) or "unmappable."

How are ratings normalized, between geography, leadership philosophy, size, etc.?

We normalize our security ratings by employee count and network size. Because of the way we formulate our ratings, we can make apples-to-apples comparisons between large conglomerates and smaller companies.

In addition to normalizing for size, we can also segment a company into departments based on its network structure. Some global organizations with many business divisions have their networks divided up cleanly, so we can accurately assess how their departments compare to one another. Whether or not we can separate a company into smaller parts, we rate the company as a whole.

You can find the recording of the entire webinar here.

For more information on other webinars we have done, please visit our webinars page.
