Reflect Your Security Posture More Accurately: The Bitsight Ratings Tree

BitSight Ratings Tree, person working on laptop utilizing the ratings tree

Companies are looking to proactively manage cybersecurity program performance over time. Your program needs the right KPIs and cybersecurity analytics that everyone in your company and ecosystem can trust so you can stay resilient against ransomware and cyber attacks. A security rating is a great way to see your overall performance, but what about knowing how different locations, teams, or even networks are performing? 

If your organization as a whole performs well but you have significant gaps in a certain IP range, it's only a matter of time before an attacker exploits them. The Bitsight Ratings Tree gives you insight into the different portions of your business to identify gaps and weaknesses in your program performance. These KPIs and metrics provide true understanding for the Board and executive teams.

Focus Attention on the Most Critical Areas

The Ratings Tree enables you to peel back the layers of your organization, visually representing the relationships between the parent organization and child entities. By defining the relationship between the parent and sub-entity, you can see how the individual infrastructure and findings of each sub-entity impacts the top-level Security Rating, letting you distinguish how the performance of a specific child entity impacts the parent. For example, if an organization has ten subsidiaries and one of them has a greater risk of experiencing a cyber breach it will absolutely impact the parent organization. 

Understanding these relationships clarifies areas that are performing poorly and, therefore, need more attention and investment to ultimately improve your overall security posture. By narrowing the focus, you can more quickly drill down and address where issues stem from.


For example, say your company is grouped by region. Except for one, all regions are tagged yellow with an “intermediate” rating. This outlier region is tagged red with a “basic” rating. The visual components of the tree immediately call attention to this, and it is clear this region is having the most negative effect on the top-level parent rating. Ultimately, this signifies that this area is most at risk of experiencing a breach or hurting your cybersecurity posture.

Represent Your Organization in a Way That Makes Sense

The Rating Tree reflects how child entities are organized under the parent entity. The mapping is made possible by using automation to search data sources and understand a company’s internet footprint. A technical research team also curates the data to ensure assets are updated for the parent and subsidiaries, meaning there is both a technical and human element to the information displayed in the Ratings Tree.

You may want to carve this up differently depending on the insights you’d like to gain.  For example, many security leaders need to report progress and instill confidence in the status of cybersecurity investments, and they may want to show clearly how different regions are performing. The Ratings Tree feature of “self-publishing” allows you to create entities that make sense and omit infrastructure you cannot wholly control, creating what is referred to as a Primary Rating. The self-publishing capabilities empower you to create the best view representing your security performance and share the most relevant and impactful insights with leadership.

You can map child entities in a variety of ways that make sense to your organization, including:

  • Region
  • Business leaders, such as information security officers
  • Company department
evolution of the ciso whitepaper

In the midst of facilitating organization-wide digital transformation, the CISO also must undergo his or her own professional transformation to keep up with a world in serious need of cybersecurity leaders. 

Communicate to Leadership More Effectively

The Ratings Tree is another avenue to helping your board understand why certain efforts and investments may be concentrated in one area over another. Imagine putting the visual in front of leaders with the regional mapping example discussed above. By showcasing a breakdown of the business by entities and where each security performance rating falls, leadership immediately understands that one region's red, “basic” rating requires immediate attention. The clear callouts of ratings by entity creates an opportunity for more meaningful discussion and understanding.

When you need to reflect your organization’s security posture in a more detailed and accurate view, the Bitsight Ratings Tree should be the first place you go to understand more. If you’re ready to learn more about your Security Rating, get a free security ratings report from Bitsight.