Should Security Ratings Require Independent Verification?

Brian Thomas | March 11, 2021 | tag: Cybersecurity

As a recent Forrester report highlighted, there are many cybersecurity ratings available. Security ratings have a valuable place in your overall cyber risk mitigation strategy, for many reasons.

Not all security ratings are equal though.

One criteria that was omitted from the report is whether ratings have been independently verified. To date, BitSight remains the only rating that has been independently verified to correlate to either the increased likelihood of breach or company performance 

What Does Independent Verification Mean?

In short, it means that a third party has done a statistical study to determine if the rating accurately correlates to what it says it is going to. Cyber security ratings were designed to indicate whether a company is at increased risk of cyber security breach.

Like credit ratings, security ratings are not designed to be predictive, but to indicate likelihood of a negative event. They externally examined the effectiveness of cyber risk mitigation efforts, tools and hygiene to indicate the probable overall risk of breach a company faces due to their observable cybersecurity posture

Why Does It Matter

Frankly, unless it’s been proven to be correlative, a rating is just a number.

A ratings service needs to be proven to be measuring the right data and that its model is correlated to a greater or lesser risk of cybersecurity breach. Security ratings are strategic business tools that are used to make important decisions within the organization. They are used to measure the effectiveness of security controls put in place, decide which vendors present too great of a security risk to work with, communicate to the board of directors about cyber risk mitigation, and make investment and prioritization decisions. 

In a world where breaches like SolarWinds and Hafnium have become an accepted fact of life, do you want to use a rating that has not been independently verified to make those business decisions?

The risks of doing so are non-trivial. Since ratings are used to inform strategy, you want to ensure you’re using the ratings that provide the most accurate information possible. Since ratings services are often used to verify vendor risk assessments, they need to be up to date and comprehensive. Because they’re used to verify the effectiveness of your cyber security risk mitigation efforts, they need to measure the right things to give you the peace of mind that you’ve taken the right steps to reduce your risk.

Why BitSight?

BitSight of course conducts our own research into the effectiveness of our model to correlate to breach. But to date, BitSight remains the only cybersecurity ratings service that has been independently verified to correlate to likelihood of breach.

A recent study by IHS Markit, a financial modeling firm, found that companies with a low BitSight rating were 4x more to be breached than companies with a higher rating.

AIR, a global insurer, conducted a study which also showed that companies with a BitSight rating of less than 500 were statistically more likely to suffer a breach than companies with a rating over 700.

BitSight data has been found to be so accurate, in fact, that Solactive, another financial firm, has used our data for correlating security performance to stock price. Their research found companies with a strong BitSight rating outperformed the market by up to 7%. 

With BitSight, you have the peace of mind of knowing that organizations that absolutely depend on accurate data have chosen BitSight data because they’ve independently verified that it works.

Is It A Cybersecurity Rating If It’s Not Independently Verified?

One of the hallmarks of a rating as laid out in The US Chamber of Commerce’s "Principles for Fair and Accurate Security Ratings,” is that “Rating companies should provide validation of their rating methodologies”. So far, BitSight is the only ratings company that has been truly able to do that . Everyone else is just checking their own homework. When you choose a partner for a task as important as knowing whether your cyber security risk mitigation investments are working, you should have confidence that you’re getting the best, most accurate data available.

 

Want to Learn More About Why BitSight Is A Leader? Download Your Complimentary Copy of the 2021 Forrester New Wave Today.

New call-to-action

Suggested Posts

5 Essential Elements of a Municipal Cyber Security Plan

Cyberattacks on state and local governments are on the rise. In 2020, more than 100 government agencies, including municipalities, were targeted with ransomware – an increasingly popular attack vector

These incidents are costly and...

READ MORE »

Do You Have What it Takes to Achieve Digital Resilience?

The term “digital resilience” has gained momentum over the past few years as cybersecurity threats have grown, but what does it really mean? And how can a company become digitally resilient?

READ MORE »

What’s Most Notable in Biden’s Cybersecurity Executive Order?

In light of recent significant attacks targeting the U.S. government, the Biden administration issued an Executive Order (EO) on cybersecurity on May 8, 2021.

Overall, the EO starts to fill in some critical gaps in US government...

READ MORE »

Subscribe to get security news and updates in your inbox.