Back in 2011 when Nagarjuna Venna and Stephen Boyer founded BitSight, they had the vision of transforming how organizations evaluate risk and security performance by employing the outside-in model used by credit rating agencies. BitSight pioneered security ratings and came to market in September 2013, the first company to ever offer a security ratings product, establishing the guidelines for how a responsible security ratings organization should do business. Fast forward to now and BitSight is excited to join some of the world’s largest and most risk-focused companies to announce the “Principles for Fair and Accurate Security Ratings.” These Principles — and the global organizations that stand behind them - provide additional validation of the security ratings industry that BitSight created and continues to lead and innovate.
View the timeline to see how we've implemented the Principles over time.
Over the years, BitSight Security Ratings have helped organizations evaluate cyber risk and facilitate collaborative, risk-based conversations with third parties. But becoming the trusted standard in security ratings doesn’t happen overnight. It requires a commitment to data quality and data science, to remaining independent of influence, and to applying security ratings consistently and uniformly across all companies.
BitSight is proud to support and observe the “Principles for Fair and Accurate Security Ratings.” In fact, as further confirmation of our industry leadership, BitSight has always espoused these principles, as shown over our years leading the market.
We’ve always argued that security needs to open the drapes and be more transparent. We improve cybersecurity in the business ecosystem when we’re able to have data-driven risk management conversations with each other. But just as transparency is important for improving cybersecurity, it is also necessary for security ratings organizations to be transparent about their processes and methodologies. This is the foundation of BitSight. From clearly illustrating how we develop asset maps, to what types of data we evaluate and incorporate into security ratings, we are committed to being open with our customers and rated organizations about how we derive our ratings.
2. Dispute, Correction and Appeal:
Organizations should be able to review and challenge their ratings with a clear appeal process. Last year, BitSight announced the appointment of MIT professor and scholar, Michael Cusumano, the first and only security ratings ombudsman, to evaluate our ratings policies and aid organizations in the appeals process. While we are confident in the accuracy and objectivity of our security ratings, we believe that any organization, regardless of whether they are a BitSight customer or not, should have a way to easily and properly dispute their rating. Reporting to the BitSight Customer Advisory Board, Mr. Cusumano reviews issues of accuracy, fairness, and balance regarding BitSight Security Ratings and then recommends approaches to address any issue and update BitSight data or processes as necessary.
BitSight is proud to be the only security rating company with third-party validation of how our ratings correlate to breaches. We incorporate only the most critical, high quality risk vectors into the Security Rating to ensure the results are actionable for customers. Previous BitSight research demonstrates that organizations with a BitSight security rating of 500 or lower are almost 5 times as likely to suffer a publicly-disclosed data breach than those with a 700 or higher. Customers can review their own rating or the ratings of their third parties armed with this knowledge to facilitate data-driven conversations. BitSight updates its rating algorithm annually to increase the breadth of ratings and give a more complete, accurate representation of security risk. More than 750 enterprises have adopted BitSight Security Ratings.
4. Model Governance:
In order to stay current with today’s dynamic threat environment, we update our ratings algorithm once a year, enhancing our statistical models from the addition of tens of thousands of companies to our inventory and feedback from our customers. We constantly work to refine our security ratings and ensure we are incorporating the most accurate risk vectors and updating the corresponding weights in our algorithm. To prepare our customers for this update, we work with them at least 3 months in advance to notify them of the upcoming change and provide remediation guidance. We also make a beta site available at least 1 month in advance so they can experience the changes directly and ensure they are ready.
As the Standard in Security Ratings, independence is a hallmark of BitSight. The management team, data scientists, and technical researchers at BitSight closely monitor the quality of the security ratings, free of influences or interferences such as a rated company’s financial performance, stock price, or other non-security related topics. Even if an organization is not a BitSight customer, they are able to challenge results they see in these reports. We also do not offer any remediation services; we want to solely provide objective security ratings to organizations and not be encumbered with competing priorities.
BitSight firmly believes that integrity and confidentiality are the marks of a true security ratings authority. We have been very transparent about our Code of Conduct. Furthermore, we abide by our Responsible Disclosure policy; unlike other ratings organizations, we never, ever share third party forensics with first parties, nor do we ever publicly discuss specific ratings of companies via public forums (e.g. news outlets, industry events, etc.). Our customers do have the ability to provide their third parties with access to the BitSight Platform, giving the the third party visibility into the security ratings information on their own organization with additional forensics data.BitSight believes in the above Principles and also that security ratings will continue increasing in importance. In fact, we believe that security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. Further, security ratings help organizations collaborate on security and have productive data-driven conversations, where they may not have been able to previously. We are proud to be at the forefront of this market and are excited to join other forward thinking, market leading organizations in the publication of these Principles. Customers trust our rigorous standards to safeguard independence, and the above Principles are at the core of our business.