As the standard in security ratings, BitSight Technologies is used by organizations around the world for vendor risk management, mergers & acquisitions, benchmarking security performance, and cyber insurance underwriting. BitSight users include CISOs, Chief Risk Officers, Risk Managers, Security Directors, and Cyber Insurance Underwriters from organizations in all industries. Companies that are public or private, for-profit or nonprofit, as well as government agencies all depend on BitSight’s Security Ratings to make better-informed decisions about the security posture of their own organization, their key vendors, potential acquisitions, and their insureds.
The independence and transparency of our Security Ratings are hallmarks of BitSight Technologies. We pioneered the security ratings industry on these principles and, with over 2,000 users from more than 350 companies representing 22 distinct industries worldwide, we are the market leader. Customers trust our rigorous standards to safeguard independence, and integrity is the core of our business.
About Our Ombudsman
A trusted ratings firm must offer a formal appeals process and an independent third party verifying that the appeals process is fair and unbiased. Organizations may wonder whether BitSight Security Ratings are applied consistently and uniformly across all companies. While we are confident in the accuracy of our data, we believe that any organization using BitSight Security Ratings should have a way to properly dispute their ratings. The BitSight ombudsman reviews issues of accuracy, fairness, and balance regarding BitSight Security Ratings. The ombudsman recommends approaches to address any issue and update BitSight data or processes as necessary.
The ombudsman for BitSight Technologies is Michael Cusumano, an MIT professor and scholar. Named as one of the most influential people in technology and IT by Silicon.com, Professor Cusumano is a Board director of several companies and has consulted for more than 90 organizations worldwide including IBM, Ford, Nokia, and Fidelity. He has published dozens of books and publications on the topic of strategy and organizational development that have had a major impact on the high technology industry. As ombudsman, he does not report to any internal teams at BitSight; instead he reports directly to the BitSight Customer Advisory Board.
BitSight has a formal appeals process, outlined below, as well as comment capabilities that are used by both customers and noncustomers. If you are dissatisfied with the results of the appeal and would like to request an additional review of your BitSight Security Ratings through our ombudsman, email firstname.lastname@example.org.
Code of Conduct
Conflicts of interest can undermine the reputation of ratings agencies. A prime example was seen during the 2008 financial crisis, when many credit rating agencies inflated the ratings of numerous Wall Street firms. To maintain the integrity of its Security Ratings and industry research, BitSight Technologies follows a strict code of conduct, as outlined below:
- Provide transparency about the security ratings process.
- Standardize treatment for customers and noncustomers.
- Practice responsible disclosure, including not sharing sensitive information with third parties.
- Provide a robust ratings appeals process.
- Offer assistance from an independent ombudsman as needed.
- Accept payment only from the company purchasing a rating, not the company being rated (although a company can buy their own rating).
- Facilitate participation and engagement with standards bodies and regulators.
The following are key questions about our guiding principles on independence, objectivity, and integrity.
- How does BitSight collect its data?
BitSight Security Ratings are based on hundreds of different data sources. Some sources are proprietary, some leverage partner relationships, and some are obtained through open source collection. In all cases, our data scientists and technical researchers carefully qualify, cross-check, and maintain each source. Each new candidate source undergoes rigorous evaluation prior to its incorporation into BitSight Security Ratings. The global threat and vulnerability landscape is always changing, so after we have incorporated a source into the BitSight Security Ratings, we constantly monitor it for accuracy. For more information, review BitSight Data.
- How does BitSight protect the independence and objectivity of its security ratings?
The management team, data scientists, and technical researchers at BitSight closely monitor the quality of the security ratings, free of influence or interference from factors such as a rated company’s financial performance, stock price, or other non-security-related topics. BitSight maintains a Code of Conduct (see above) that describes our core business practices. BitSight employs a formal appeals process that can be used by both customers and non-customers if they are dissatisfied with any piece of analysis by BitSight. If an organization questions a piece of analysis done by BitSight, and the organization is still dissatisfied with the results of their appeal, an independent ombudsman will provide an additional layer of verification, ensuring that BitSight’s response is consistent across every organization.
- What if I receive a BitSight Security Rating? What happens next?
BitSight allows its customers to share Security Ratings directly with other organizations, providing a way for those organizations to analyze their security performance and view recommended remediation steps. BitSight does not charge those organizations to see their Security Ratings report. Customers can also provide their vendors access to the BitSight Platform, giving the vendor visibility into the Security Ratings information on their own company with additional forensics data, which is only available to them, and not to third parties that may have purchased a Security Rating. BitSight does not share sensitive ratings information with third parties nor does the company publicly discuss specific ratings of companies via public forums (e.g. news, events, etc.).
- What guidelines and procedures are in place to ensure the balance and accuracy of BitSight Security Ratings?
BitSight Security Ratings are subject to a rigorous review process by members of BitSight’s technical research team. This process is designed to surface any inconsistencies in the ratings methodology, data collection, and conclusions. The quality of a rating depends on the accuracy of the risk vectors that make it up. Security events, which make up 60% of a BitSight Security Rating, are especially important. Billions of new security events are observed around the globe on a daily basis, but many of these are simply noise or false positives. What really matters for security ratings is evidence of actual compromise, such as a botnet that has invaded your network and may be sending sensitive personally identifiable information (PII) to a command and control center. Based on information from AnubisNetworks, a BitSight subsidiary, and numerous other global data sources, BitSight is able to detect evidence of actual attacks and measure information such as frequency, duration, and confidence. We do this through correlation and cross-checking against internally developed sources, external vendors, and publicly accessible data.
For BitSight to accept a security event, it must pass our event quality criteria based on different data factors. We have over 490 criteria and 160 factors; different checks are applied to different data, ensuring that unreliable data is filtered out and never makes it into a BitSight Security Rating. We thoroughly test and cross-check new data sources and risk vectors against existing data sources to ensure quality. We continually check the quality of existing data sources, which is why the number of quality criteria and factors is continuously increasing.
Mapping IPs to companies is a highly complex and dynamic challenge: IP addresses are continually sold, exchanged, or reallocated. Entirely automated processes very often misallocate IPs or miss entire IP blocks. As a result, IP mappings based on automated processes alone are highly unreliable. BitSight combines automated processes with hand curation. We maintain teams of researchers who create and maintain maps of the IP addresses belonging to companies. To keep our error rate as low as possible, their IP allocations are cross-checked before they are incorporated into the BitSight Security Ratings.
- How does BitSight protect its customers’ sensitive security data?
BitSight firmly believes that integrity is the mark of a true security ratings authority. BitSight does not share sensitive information (e.g. IP details or event forensics) with third parties, nor do we publicly discuss specific ratings of companies via public forums (e.g. news outlets, industry events, etc.). We believe that we can provide valuable insight into security posture through aggregate and industry trends. We do not believe in discussing companies publicly without consent, as this can pose a security risk to an organization. Transparency in the name of press coverage is irresponsible and counterproductive.
- Do BitSight investors or board members have influence over an individual company’s security rating?
No. BitSight Security Ratings for individual companies are developed without the influence, review, or approval of our investors, shareholders, or Board of Directors.
- Does a company need to be a BitSight customer to be included in BitSight Security Ratings?
No. The BitSight Platform includes security ratings for nearly 50,000 companies, some of which are BitSight customers and some of which are not. BitSight Security Ratings are generated regardless of a company’s status as a BitSight customer. If you are not a BitSight customer, and you receive a BitSight Security Rating from a business partner, you can appeal your BitSight Security Rating by emailing email@example.com.
- Is a company allowed to review BitSight’s Security Ratings prior to publication?
BitSight Security Ratings are impartial and are not influenced by individual organization reviews. They are produced daily through an automated process and not sent to rated companies for review. However, BitSight has a formal appeals process that can be used by both customers and non-customers if they are dissatisfied with any piece of analysis by BitSight. Companies usually send us documentation from Internet Service Providers indicating that a particular IP block is no longer in use by the company. In some instances, a company may hire a firm to audit their IP space. Documentation from these audits can also be used as part of the BitSight Security Rating appeal process.
- What recourse does an organization have if they regard BitSight Security Ratings to be biased, inaccurate, or unfair?
While we are confident in the accuracy of our data, we believe that any organization using BitSight Security Ratings should have a way to properly dispute their ratings. If you disagree with any of BitSight’s findings, you can request a review of the IP addresses assigned to your organization, verify that the ranges are correct, and request additions or omissions directly through the BitSight Platform. Removing IP addresses requires the submission of appropriate evidence, such as authorized changes to Internet registries. Alternatively, organizations can use BitSight annotations to add clarifying notes about their IP maps; the organization’s third parties or business partners who are BitSight customers will then have access to those notes. If you are still dissatisfied with the Security Ratings data, you can request an additional review through our ombudsman.