Using Security Ratings to Drive Organizational Performance

Tom Turner | October 26, 2018

An increasing number of security and risk teams are using security ratings to effectively assess the impact of their security programs as well as communicate changes to key decision makers — like the Board of Directors. These teams know that their company needs tools that provide an objective and quantitative view of their cybersecurity performance over time.

As a CEO, I have learned the importance of establishing goals and benchmarks and the need to be able to measure performance against them over time. This is an important demand that the people I report to (my Board of Directors) have of me; in turn, it is a critical demand I have of people who report to me.

As adoption of Security Rating Services has rapidly increased, many customers have tied their BitSight Security Rating to broader business goals and initiatives. With senior leadership more involved in security and risk programs than ever before, companies are beginning to set intervals of rating improvement as the benchmark for performance-based raises and compensation. But should they be?

Progress in a fast-changing environment like cybersecurity isn't absolute; rather, it is relative, based a) on a goal determined by your specific organization and its leadership and b) on the prevailing conditions that confront your market and your peer group. Performance should be based on progress towards that goal as well as on performance relative to the others you measure yourself against in other business dimensions. So how do you know what a realistic goal is for cybersecurity performance? Setting that goal is the first step; the next is tracking progress over time and understanding the context for your performance.

Observing my team’s reactions to measurement and benchmarks in all areas of the business (pipeline, conversion rates, customer satisfaction rates, account health measurements) is a healthy lens for understanding how cybersecurity ratings are initially received and, ideally, embraced over time. In the early days of a benchmark or metric there is a tendency to focus first on the absoluteness and provenance of the data, followed by healthy debate on the key indicators and what they mean. If successful, the metric or benchmark delivers a common framework for business understanding and action… and anecdotes serve to illuminate the trend rather than obscure it.

When thinking about these security performance trends, the measurement of a security rating can help provide context for decision making. Is your company’s security performance getting better or worse? How is your security performance changing relative to the important peer groups and benchmarks for your broader business? If it is worse, why is that, and what do we need to change or implement as part of our remediation strategy that we might not have considered? Overall, security ratings can help organizations understand their security performance over time, provide context, and indicate trends that show improvement and can lead to better decision making.

Security ratings are innovative because they provide a way to quantitatively measure cybersecurity performance, but with that comes certain challenges. Learning to use the measurement to drive performance is a process that takes time but ultimately simplifies internal decision making about cyber risk management.
