New study reveals where organizations both hit and miss the mark across industries
BOSTON – December 12, 2023 – Bitsight, a leader in managing and monitoring cyber risk, today announced the results of a joint study with Google analyzing how organizations perform across cybersecurity controls in the Minimum Viable Secure Product (MVSP) framework—a minimum security baseline for enterprise-ready products and services.
Cybersecurity Control Insights: An Analysis of Organizational Performance found that while every industry in 2023 has a high pass rate for 10 of the 16 MVSP controls studied, many organizations are still failing on controls critical to protecting themselves against cyber incidents. The findings indicate that organizations across all industries have several areas in which they must improve their vulnerability management program to reduce exposure to potential breaches. Notably, 2023 Computer Software industry Fail rates for Dependency Patching and Time to Fix Vulnerabilities—which map to Bitsight analytics correlating to the likelihood of a breach—did not improve from 2020 rates as much as the macro average, leaving other industries vulnerable to third-party risk given their reliance on computer software.
“These findings shed light on critical areas where organizations across all industries, including the computer software industry, are struggling to meet even minimum cybersecurity standards. We also see areas that are strengths and where organizations are improving,” said Stephen Boyer, Co-founder and CTO, Bitsight. “By identifying gaps, strengths, and improvements, we hope to empower organizations and business leaders with knowledge to take action in enhancing their strategies, effectively benchmark performance, and learn from successful peers to strengthen their overall cybersecurity posture.”
The joint report found that eight MVSP controls—including Self-assessment, Dependency Patching, Vulnerability Prevention and Time to Fix Vulnerabilities—have either high 2023 Fail rates, low Pass rates, or both across all industries. This research comes at a time when it’s more important than ever for organizations to properly assess their cybersecurity performance. Business leaders around the world need to understand where their companies’ vulnerabilities lie and how they match up with others to better manage increasingly complex cyber risks and stakeholder demands. By understanding the pass and fail rates of MVSP controls, organizations will be better armed with the knowledge to benchmark their security performance and improve their cybersecurity strategies to mitigate and reduce vulnerability.
“It is more important than ever for business leaders to be fully aware of the organization’s application security risk, and how they are performing compared to their peers,” said Chris John Riley, Staff Security Engineer, Google. “If organizations want to build and maintain a mature security posture in today’s turbulent and fast-moving environment, they need leaders that prioritize security management and a culture of constant improvement. Using frameworks like the MVSP, organizations can take the initial necessary steps to develop a strong security culture within their organizations.”
For this study, Bitsight and Google collaborated to create a methodology to measure organizational cybersecurity performance using Bitsight analytics across the Minimum Viable Secure Product (MVSP) framework. The study specifically analyzed the cybersecurity performance within the MVSP framework of nearly 100,000 organizations around the world across 16 cybersecurity controls and nine industries. Google validated the statistical approach employed in this analysis, including the mapping of Bitsight telemetry to MVSP controls, and Bitsight did not have access to any Google-owned data.
MVSP is a minimalistic security checklist for B2B software and business process outsourcing suppliers, consisting of 25 controls across four key areas – Business, Application Design, Application Implementation, and Operational. MVSP is also backed by Google, Okta, and other major technology companies with the goal of ensuring that all companies building B2B software or otherwise handling sensitive information adhere to a minimally viable security posture for their product.
Bitsight is a global cyber risk management leader transforming how organizations manage exposure, performance, and risk for themselves and their third parties. Companies rely on Bitsight to prioritize their cybersecurity investments, build greater trust within their ecosystem, and reduce their chances of financial loss. Built on over a decade of market-leading innovation, its integrated solutions deliver value across enterprise security performance, digital supply chains, cyber insurance, and data analysis.