BitSight: Rethinking Cybersecurity with Security Ratings
Carla C. Morss, Managing Director, APAC
“A chain is only as strong as its weakest link.”
While this phrase by Scottish philosopher Thomas Reid dates back to the 18th century, the adage holds true in today’s technological era, where security breaches are often the result of lapses by third parties who prove to be the weakest links in the supply chain. One small security control gap within the third-party network—be it that of a vendor, supplier, or business partner—can compromise the cybersecurity of every organization in the ecosystem. What firms need is heightened visibility into the most valuable and critical aspects of their business.
Existing third-party risk assessment tools and methods such as questionnaires and integrated risk management software only provide point-in-time snapshots of cyber risk. These fail to paint an accurate picture of the overall security posture of an organization. It is time businesses adopted an effective solution that can continuously measure and monitor the security of their vendors and third-party service providers, including their software, hardware, networks, services, and information. This is precisely where Massachusetts-based BitSight’s Security Ratings Platform proves its mettle.
BitSight’s Security Ratings are data-driven, dynamic measurements of an organization’s cybersecurity performance. BitSight continuously collects a massive amount of externally observable security data, ranging from vulnerabilities to infections. With this data, BitSight creates ratings that offer a view of the organization’s security effectiveness. These daily ratings, which range from 250 to 900, are derived from objective, verifiable data points on compromised systems, security diligence, user behavior, and public disclosures. “With this data,” says Carla C. Morss, managing director of the APAC region at BitSight, “an organization can be well-informed about whether or not their third-parties have effective controls in place to protect data or ensure organizational resilience.”
What truly makes BitSight’s approach to cybersecurity a cut above the rest is its Security Ratings Platform’s ability to assess the security situation of a company through publicly observable data, without installing any specific equipment or software, and express it on a day-to-day basis in a form that anyone can understand.
Credible, Predictive, and Scalable Ratings
BitSight’s Security Ratings Platform was pioneered and created by Stephen Boyer and Nagarjuna Venna—fellow MIT graduates—with the mission to transform the way organizations evaluate risk and security performance. Rather than asking companies about their security risks, the idea was to assess those risks from the outside by observing the communications coming into and leaving a company’s network. The duo were inspired by the credit rating approach used for assessing financial risk and realized that the cybersecurity realm needed a “credit score” for cyber risk. Hence, they employed the outside-in model used by credit agencies to create a scoring methodology.
For example, lenders such as banks and credit card companies use credit scores to evaluate the potential risk posed by lending money to a particular consumer and to mitigate losses due to bad debts. A consumer’s payment history, credit utilization, and other aspects are taken into consideration when calculating a credit score. BitSight uses a similar approach to give cybersecurity ratings to a company.
BitSight gathers best-in-class data via the internet, either from different collection points across the globe or from vetted third-party sources. These include 200 billion security events collected on a daily basis across 23 different ‘risk vectors,’ nearly 200,000 of the most accurate network asset maps, and over 12 months of historical data. It also encompasses compromised information and data on infected machines, improper configuration of certain security controls, cybersecurity hygiene, and potentially harmful user behaviors.
Using a proprietary algorithm, BitSight then analyzes and classifies this externally observable data to produce a company’s rating. “BitSight’s data pinpoints issues internal to organizations and also to the external business ecosystem, allowing firms to address risks quickly and efficiently,” says Carla. With BitSight ratings, security and risk leaders can communicate with vendors and establish well-defined business goals.
Today, BitSight’s rating system is widely recognized as the industry standard. The BitSight platform is leveraged by over 1,800 customers across the world, including seven of the top 10 cyber insurers, one in every four Fortune 500 companies, and more than 50 government agencies and regulators. These industry and government giants bank on BitSight’s technology to make integral risk and business decisions.
Taking a Deeper Dive
Given its ability to offer quick, actionable insights, BitSight’s Security Ratings Platform is proving to be useful for security performance management, third-party vendor risk management, cyber insurance, and mergers and acquisitions.
Talking about the different use cases, Carla notes, “The most common challenge companies face in addressing cyber risk is transparency. They struggle with a lack of continuous monitoring, inconsistent reporting, and other blind spots, which increase vulnerabilities to data breaches and other security incidents.” In light of this, BitSight has added new capabilities and features to its Security Ratings Platform in order to provide more detailed, granular performance analytics on specific risk vectors. Organizations can look at the interactive graphs of each risk vector, as well as search for specific records and certificates, to get a sense of a vendor’s security posture even before engaging with them.
With its unique approach to cybersecurity, BitSight is bringing greater transparency to the global marketplace, allowing C-suite executives to better understand what is happening and factor security into their decision-making processes. BitSight provides data, measurements, and metrics in the form of understandable and accessible reports that are easily digestible, and the ability to benchmark performance.
Seamlessly Mitigating Complex Cyber Risks
BitSight’s prowess in eliminating cyber risks is evident in the way it has helped numerous enterprises across 22 different industries, including financial services, retail, technology, public sector, energy, manufacturing, utilities, and business services, transform and manage their information security risks.
A recent client success story involves HBF Health, a private health insurance company based in Perth, Australia. Andrew Bullen, HBF’s cyber governance and assurance manager, says, “The private health insurance industry was recently subject to new regulatory standards from the Australian Prudential Regulation Authority (APRA): CPS 234 (Prudential Standard for Information Security), which requires all financial services organizations to have programs and processes in place to manage third-party risks.”
HBF was initially following a traditional approach to assessing risks, which made the entire process extremely cumbersome and involved detailed and expensive audits. Thus, HBF needed to rethink its approach in order to accelerate its ability to make informed decisions and shift left in the business process. As a result, the firm integrated the BitSight platform into the initial stages of its procurement processes to get a complete view of the security posture. This allowed HBF to pre-identify where proceeding with a particular vendor could be risky. HBF also leveraged a combination of BitSight Security Ratings and audits to form a complete picture of each of its third-party relationships, which helped them prioritize their attention to each vendor.
A Promising Future
While successes like these propel BitSight forward, Carla also believes strategic partner alliances have played, and continue to play, a significant part in the firm’s evolution. As a result, BitSight works to maintain close relationships with partners like Trustwave, a Singtel Company in Australia, Hong Kong, and Singapore; Terilogy in Japan; Secure Letter Inc. in Korea; and PCCW Limited in Hong Kong. Moreover, BitSight has also established a strategic global integration partnership with firms such as IHS Markit and ServiceNow to help its customers create a holistic, integrated solution.
Daewon Kim, VP of Secure Letter, which offers wireless security solutions and services to the Korean market, says, “BitSight analyzes various security threats through big data analysis based on the domain information of the company—without installing any additional software or hardware in the enterprise environment—and intuitively expresses the company’s security. The technology can also be extended to numerous partners to easily identify and assess security status and security levels, which provides an innovative new approach.”
As the tech world continues to struggle with ‘how best to deal with the growing issue of malicious hacking and security breaches,’ BitSight’s Security Ratings Platform is at the forefront of helping organizations collectively reduce cyber risks.
According to Miyamura Nobuo of Terilogy, Japan, “Many of our clients in Japan do not have visibility into the security posture for themselves or group companies, which can cause serious incidents. The visibility provided by BitSight helps them to prioritize cybersecurity investment for their internal program as well as their subsidiaries.”
BitSight’s continued expansion in the APAC region allows it to help organizations there improve their security performance as well as their third-party vendor risk management programs. Carla notes, “Each country is at a different maturity level when it comes to cyber risks. In light of this, we are looking to introduce our solutions to each country as they progress to meet their unique cybersecurity needs. In addition, our expertise and experience let us help organizations meet regulatory compliance requirements, for example compliance with APRA in Australia, C-RAF in Hong Kong, and MAS-TRM.” Alongside this, BitSight will continue to focus on its mission to support organizations in evaluating risk and security performance using its proven methodology.
Tien San Chng, global head of worldwide strategic alliances and partnerships at Trustwave, concurs, “We partner with BitSight to help our clients understand their own security maturity, prioritize strategic security investments, and discern how third-party technologies can impact risk. Our collaboration helps organizations reduce the ‘blind spots’ in their cyber risk management program.”
In 2019, Gartner named Security Ratings a “Top 10 Security Project,” stating that security and risk leaders “should leverage security ratings as an additional data point to provide continuous, real-time scoring for their overall digital ecosystem at a low cost in terms of effort, labor, and capital.” As data breaches continue to rise in number and issues surrounding supply chain risk become even more prevalent, there is no doubt that, with its innovative approach and platform, BitSight will remain the global ‘go-to’ provider of cybersecurity ratings.