Using Security Ratings to Drive Organizational Performance

An increasing number of security and risk teams are using security ratings to effectively assess the impact of their security programs as well as communicate changes to key decision makers — like the Board of Directors. These teams know that their company needs tools that provide an objective and quantitative view of their cybersecurity performance over time.

As a CEO, I have learned the importance of establishing goals and benchmarks and the need to be able to measure performance against them over time. This is an important demand that the people I report to (my Board of Directors) have of me; in turn, it is a critical demand I have of people who report to me.

As adoption of Security Rating Services has rapidly increased, many customers have tied their BitSight Security Rating to broader business goals and initiatives. With senior leadership more involved in security and risk programs than ever before, companies are beginning to set intervals of rating improvement as the benchmark for performance-based raises and compensation. But should they be?

Progress in a fast changing environment like cybersecurity isn't absolute; rather, it's relative based a) on a goal determined by your specific organization and its leadership and b) on the prevailing conditions that confront your market and your peer group. Performance should be based on progress towards that goal as well as performance relative to others you measure yourself against in other business dimensions. So how do you know what a realistic goal is for cybersecurity performance? Setting that goal is the first step, and the next is tracking that progress over time as well as understanding the context for your performance.

security ratings snapshot example

Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

Get Your Rating
Button Arrow

Observing my team’s reactions to measurement and benchmarks in all areas of the business (pipeline, conversion rates, customer satisfaction rates, account health measurements) is a healthy lens for understanding how cybersecurity ratings are initially received, but ideally embraced over time. In the early days of a benchmark or metric there is a tendency to focus on the absoluteness and provenance of data initially, followed by healthy debate on the key indicators and what they mean. If successful, the metric or benchmark delivers a common framework for business understanding and action… and anecdotes serve to illuminate the trend rather than obscuring it.

When thinking about these security performance trends, the measurement of a security rating can help provide context for decision making. Is your company’s security performance getting better or worse? How is your security performance changing relative to the important peer groups and benchmarks for your broader business? If worse, why is that and what do we need to change or implement as a part of our remediation strategy that we might not have considered? Overall, security ratings can help organizations understand their security performance over time, provide context, and then indicate trends that show improvement and can lead to better decision making.

Security ratings are innovative because they provide a way to quantitatively measure cybersecurity performance, but with that comes certain challenges. Learning to use the measurement to drive performance is a process that takes time but ultimately simplifies internal decision making about cyber risk management.