As communicated in January, Bitsight will conduct a ratings algorithm update (RAU) on July 10, 2024, as part of our ongoing efforts to optimize our methodology to provide the best external indicator of the performance of cybersecurity controls.
Today, we’re excited to announce that our 2024 RAU is available to preview in the Bitsight applications. Here is some background information to help you understand more about the change, what it means to your organization, and how to make the most of the three-month preview period leading up to the algorithm update in July.
What is the Bitsight ratings algorithm?
The Bitsight Security Rating is a quantitative measurement that organizations worldwide use to understand and demonstrate the effectiveness of their cybersecurity controls and practices. The rating is calculated daily using an algorithm that turns reliable and verifiable signals about an organization’s cybersecurity controls and observed activity into an objective measurement of its overall risk posture.
The ratings algorithm used to calculate each organization’s Bitsight Security Rating considers 24 risk vectors that are grouped into four categories:
Weights are applied to individual risk vectors, and subsequently to the above parent categories, based on their forecasted impact on organizational risk.
Why is the algorithm changing?
While stability is a critical attribute of any ratings system, it’s also important for a methodology to adapt in measured ways to changes in the risk landscape and improvements in the quality of data signals. This follows a well-established model used across other ratings industries in areas such as credit and insurance.
Simply stated, as the world around us changes, we need to adapt with it to ensure that our rating continues to be the best external indicator of how well organizations’ cybersecurity controls are performing.
At Bitsight, with these aims in mind, we adopted an annual cadence for RAU updates beginning last year. We always approach these updates with three guiding principles in mind:
- Achieve the highest possible correlation between Bitsight ratings and real-world cybersecurity outcomes.
- Make our algorithm as easy as possible to understand and explain to stakeholders so that they can take action.
- Provide the necessary information for informed decision-making about how improvements to an organization’s cybersecurity controls can impact its posture and rating.
What is changing as part of the 2024 RAU?
While we made a wide-ranging set of changes to our ratings algorithm in 2023, our 2024 RAU is focused on a single risk vector: Patching Cadence.
The Patching Cadence risk vector evaluates how long, on average, known vulnerabilities have remained unpatched in an organization’s environment. Patching Cadence is assigned a 20 percent weight in the overall calculation of an organization’s Bitsight rating.
Along with weight, Finding Lifetime is another factor that determines how measurements of a specific risk vector affect an organization’s rating. Presently, Patching Cadence has a lifetime of 300 days. This means that a finding that negatively impacts Patching Cadence will continue to have an adverse impact on an organization’s Bitsight rating until 300 days from the time the vulnerability was last seen as unremediated.
The 2024 RAU will change the lifetime of Patching Cadence findings from 300 days to 90 days.
The weight applied to Patching Cadence by the ratings algorithm will not change as part of the 2024 RAU.
What is the rationale for this change?
This change was driven by our commitment to integrate user feedback in developing an algorithm that helps organizations leverage the algorithm’s underlying principles to improve their cybersecurity controls.
When we developed the 2023 ratings algorithm, we deemed it necessary to maintain a lifetime for Patching Cadence that was longer than the lifetime for most other risk vectors in order to achieve a high level of correlation with real-world outcomes.
In the time since the 2023 RAU, we have enhanced our Patching Cadence signal-gathering capabilities in two critical areas:
- We made substantial improvements to our proprietary vulnerability scanning infrastructure, increasing performance, depth of scanning, and overall data resilience.
- We ramped up our investment in vulnerability research, which increased the number of unique vulnerability types we can evaluate by nearly 30 percent.
In our research, we found that most of the predictive power of the Patching Cadence risk vector comes from vulnerabilities seen in the more recent past. We found that 90 days was a sufficient amount of time to consider observed vulnerabilities. Collectively, these improvements allow us to achieve a high confidence level in our understanding of vulnerability risk, enabling us to reduce the lifetime of Patching Cadence findings and create a more responsive measure of an organization’s remediation time.
How can I understand the impact this change will have on my organization’s Bitsight rating?
Starting today, you can view a preview of your organization’s rating under the future algorithm alongside your existing rating through your Bitsight dashboard. This will help you understand how the 2024 RAU will apply to your unique situation.
This preview will be updated weekly for the next three months until the 2024 RAU is implemented on July 10. During this time, you will also see regular reminders in the product to take advantage of the preview period to understand the impact of the RAU on your organization’s rating.
The preview period is also the ideal time to communicate proactively with your stakeholders about any expected changes to your rating.
Learn more about the Bitsight Security Rating
If you would like to learn more about how the Bitsight Security Rating works and view examples of its correlation with real-world cybersecurity outcomes, be sure to visit our security ratings overview page.