Not all cybersecurity analytics are created equal: What CISOs should look for

Written by Jake Olcott
VP of Communications and Government Affairs, Bitsight

Cybersecurity leaders are always working to make smarter investments to improve their programs. Not only do they look to reduce risk from the expanding attack surface and manage supply chain risk, they’re also juggling external pressures from regulators, insurers, and shareholders. As leaders look to technology solutions to help, many look at data analytics to reduce their organization’s risk, manage exposure, and improve overall program performance.

But not all analytics are useful. Some are built on data and methodology that have been scientifically shown to correlate with risks and incidents. Others are not as rigorous—and relying on those analytics can lead CISOs to make suboptimal decisions or even expose their organization to greater risk.

What to look for in providers of cybersecurity analytics

With a slew of analytics and ratings options available today, CISOs need to ensure that the actionable risk insights they receive from solution providers are built on strong, market-leading data with clear correlation to outcomes. There are a few things that CISOs should look for in their cybersecurity ratings providers to give them insight into the strength and accuracy of the analytics:

  1. Organizational mapping process. The best analytics are based on comprehensive asset mapping. Accurate asset mapping helps CISOs understand their attack surface and potential exposure, as well as that of their third-party vendors, business associates, and supply chain partners. CISOs should ensure that their solution provider gives them expansive, differentiated visibility into organizational assets, such as organizational structures, business units, and subsidiaries. They should also ask a vendor about its patented processes for mapping organizations. Machine automation and human curation combined produce more accurate, robust results than automation alone.
  2. Cybersecurity data insights. CISOs should look for providers that have access to unique, critical telemetry and can deliver high-confidence insights into security issues affecting organizations both inside and outside the firewall. It is important for analytics vendors to have established partnerships with telemetry providers, because no single organization can provide comprehensive data insights on its own.
  3. Proven correlation to cybersecurity incidents. CISOs should ask whether their vendor collects publicly disclosed cybersecurity incidents and scientifically correlates its analytics with those incidents. CISOs can go one step further and ask for third-party validation of that analysis. Analytics with proven correlation to cybersecurity incidents give CISOs the support they need to make decisions.
  4. Review board. A policy review board that rigorously governs the back-end algorithm ensures that the algorithm is accurate and reliable. It also provides a transparent process for resolving disputes.

Trusted, validated data analytics empower CISOs to reduce their organization’s risk of experiencing a cybersecurity incident—and to ensure they’re working with third parties who are less likely to experience an incident. They depend on cybersecurity analytics providers for objective, accurate data to help them make the best decisions. Bitsight stands apart in these four areas:

  1. Bitsight’s unique organization mapping is managed by over 90 people with a combination of hand curation and machine automation, holding over 20 patents for its mapping processes alone.
  2. We have a global infrastructure that allows us to scan and collect critical security telemetry from around the world. Bitsight also partners with over 100 data providers to collect data—giving CISOs unique insights into security issues like malware, IoT devices, exposure, and vulnerabilities.
  3. Bitsight’s analytics have the strongest correlation in the industry to the likelihood of a cybersecurity incident (see the next section for details).
  4. Bitsight is the only organization on the market with a Policy Review Board. It provides a systematic dispute resolution process to all rated entities, customer or not. The Board rigorously governs updates to our ratings algorithm to ensure they adhere to our principles and policies.

Bitsight produces superior data analytics compared to competitors.

CISOs need to make sure the analytics they’re leveraging are the best available. While all four of these areas are important, a strong correlation to outcomes is what sets some partners apart from others.

A series of independent studies from the Marsh McLennan Cyber Risk Analytics Center shows that Bitsight produces superior data analytics compared to competitors. Marsh McLennan recently assessed the strength and accuracy of cybersecurity ratings and analytics providers, including Bitsight, by conducting an independent correlation analysis of Bitsight’s analytics against Marsh McLennan’s proprietary cyber claims and incident data.

A review of the studies shows that Bitsight not only offers more analytics that are correlated with the likelihood of experiencing a cybersecurity incident, but that its analytics are also more strongly correlated with outcomes. Bitsight has 14 such analytics, twice as many as a competitor. Key takeaways include:

  • The Bitsight Security Rating is proven to have a statistically significant correlation with cybersecurity incidents. Some competitors have no disclosed correlation between their security rating and cybersecurity incidents.
  • Bitsight’s analytics have superior signal strength. For example, Marsh McLennan found five Bitsight analytics with a correlation coefficient of 0.2 or better, including two stronger than 0.25. Competitors have no analytics with a correlation coefficient of 0.2 or better.
  • Bitsight’s Patching Cadence analytic has nearly twice the signal strength of a competitor’s similar Patching Cadence analytic.

The Marsh McLennan study is yet another third-party study validating the accuracy and meaningfulness of Bitsight’s analytics. Bitsight remains the only security ratings provider with multiple independent third-party studies demonstrating that its analytics have a statistically significant correlation to critical outcomes, including cybersecurity incidents, data breaches, and company stock performance.

To learn about Marsh McLennan’s analysis, please read the full report.

The most statistically significant and correlated with the likelihood of cyber incidents? Marsh McLennan’s study proves just how spot on our cybersecurity performance measurement is.