The Importance of Responsible Disclosure in Security Ratings

Last year, BitSight was proud to help drive the Principles for Fair and Accurate Security Ratings, published by the US Chamber of Commerce and supported by over 40 global organizations. The establishment of these Principles demonstrates the momentum and maturity of the security ratings market that BitSight pioneered in 2011. The Principles were designed to promote fairness in reporting of cybersecurity performance and encourage the adoption of security ratings across all industry sectors.

One of the important aspects the US Chamber of Commerce highlights is Confidentiality, which we refer to as Responsible Disclosure. Essentially, every security ratings company is obligated to not publicize company ratings and keep all sensitive information confidential to the party to which that sensitive information is attributed. The purpose of the Principles and Responsible Disclosure is to not only earn, but to also maintain, the market’s trust in this new category of ratings. At BitSight, we take this responsibility very seriously.

BitSight, along with three other security ratings companies, signed on to these Principles and thereby committed to adhere to their tenets. However, some are now rationalizing their way around the Confidentiality Principle in an effort to justify publicly disclosing companies’ ratings and sharing sensitive security data with organizations other than the company to which it relates. There are several reasons why publicizing a company’s rating is not in the best interest of this market’s maturity, and why broadly exposing sensitive security information about a company is truly irresponsible.

The Difference Between Trust and Transparency

In the Chamber of Commerce’s official release, they list Confidentiality as one of the six official Principles for Fair and Accurate Security Ratings. By working with companies like BitSight to publish these guidelines, the Chamber of Commerce’s objective was to establish a baseline by which all participatory companies must abide.

The Principles for Fair and Accurate Security Ratings included the following requirements within Confidentiality: “Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected. Rating companies should not publicize an individual organization’s rating. Rating companies shall not provide third parties with sensitive or confidential information on rated organizations that could lead directly to system compromise.”

There is no ambiguity to “Rating companies should not publicize an individual organization’s rating.” Ratings companies that have signed on to the Principles and then publicize a company’s rating violate this commitment. Rationalizing this action by arguing that the underlying data is available (and therefore that this is about transparency) does not justify violating a commitment that many organizations worked hard to collectively agree to. As is almost always the case in matters of sensitivity, transparency can violate trust. At BitSight, we are firm believers in transparency. We have a comprehensive dispute resolution process, which reflects our desire to be transparent with the appropriate party and the appropriate information. In matters of sensitivity, judgment about what can be shared (and with whom) is a crucial step in building trust with all parties. Broad transparency of this sensitive data violates trust. Even worse, simply publishing information without context does not meet the test of transparency. In the case of security ratings, it hurts the overall advancement of the market.


Externally Observable Data Doesn’t Equate to Publicizing Ratings

The argument seems to be that since the data collected to form security ratings is publicly sourced, the rating data is already available to the greater population, and that this somehow makes it acceptable to share the data with a broader group of companies. The same argument then holds that publicizing a company’s rating is also acceptable. Even if you accept that the underlying data is publicly available, the ratings are a derived output of the accumulation of massive amounts of that data, and they are not public. In addition, a large, thoughtful group of people, in their effort to create the Principles to advance and mature this market, determined collectively that the ratings should not be publicized.

Just because something is externally visible does not mean that it is obvious. Some of the data BitSight collects, while certainly externally accessible, is not obvious and not easily observed by the public. The over 80 billion daily events that BitSight collects must be brought together in a well-organized, specific, and company-attributed manner. The result is a detailed, aggregated set of points of vulnerability specific to a company, and, at least in our offering, that result is definitely unique and sensitive. We believe that making this sensitive data available to any company other than the one to which it is attributed presents the risk of being significantly more harmful than helpful.

As the leader in the security ratings market, BitSight takes Responsible Disclosure and the Principle of Confidentiality very seriously. We understand that to remain both a true security ratings company and the leader in this space, we must abide by this Principle (and all the others) to provide a valuable, trusted service for our 1,000+ customers, their hundreds of thousands of vendors, and the total worldwide market of BitSight’s rated companies.