Using Security Ratings to Drive Organizational Performance

Tom Turner | October 26, 2018 | tag: Security Ratings

An increasing number of security and risk teams are using security ratings to effectively assess the impact of their security programs as well as communicate changes to key decision makers — like the Board of Directors. These teams know that their company needs tools that provide an objective and quantitative view of their cybersecurity performance over time.

As a CEO, I have learned the importance of establishing goals and benchmarks and the need to be able to measure performance against them over time. This is an important demand that the people I report to (my Board of Directors) have of me; in turn, it is a critical demand I have of people who report to me.

As adoption of Security Rating Services has rapidly increased, many customers have tied their BitSight Security Rating to broader business goals and initiatives. With senior leadership more involved in security and risk programs than ever before, companies are beginning to set fixed increments of rating improvement as the benchmark for performance-based raises and compensation. But should they be?

Progress in a fast-changing environment like cybersecurity isn't absolute; rather, it's relative, based a) on a goal determined by your specific organization and its leadership and b) on the prevailing conditions that confront your market and your peer group. Performance should be judged by progress toward that goal as well as by performance relative to the others you measure yourself against in other business dimensions. So how do you know what a realistic goal for cybersecurity performance is? Setting that goal is the first step; the next is tracking progress over time and understanding the context for your performance.

Observing my team's reactions to measurement and benchmarks in all areas of the business (pipeline, conversion rates, customer satisfaction rates, account health measurements) is a healthy lens for understanding how cybersecurity ratings are initially received and, ideally, embraced over time. In the early days of a benchmark or metric there is a tendency to focus first on the absoluteness and provenance of the data, followed by healthy debate on the key indicators and what they mean. If successful, the metric or benchmark delivers a common framework for business understanding and action… and anecdotes serve to illuminate the trend rather than obscure it.

When thinking about these security performance trends, the measurement of a security rating can help provide context for decision making. Is your company's security performance getting better or worse? How is your security performance changing relative to the peer groups and benchmarks that matter to your broader business? If it is getting worse, why is that, and what do you need to change or implement as part of your remediation strategy that you might not have considered? Overall, security ratings can help organizations understand their security performance over time, provide context, and indicate trends that show improvement, leading to better decision making.

Security ratings are innovative because they provide a way to quantitatively measure cybersecurity performance, but with that comes certain challenges. Learning to use the measurement to drive performance is a process that takes time but ultimately simplifies internal decision making about cyber risk management.

