Should Security Ratings Require Independent Verification?
Tags:
As a recent Forrester report highlighted, there are many cybersecurity ratings available. Security ratings have a valuable place in your overall cyber risk mitigation strategy, for many reasons.
Not all security ratings are equal though.
One criteria that was omitted from the report is whether ratings have been independently verified. To date, Bitsight remains the only rating that has been independently verified to correlate to either the increased likelihood of breach or company performance
What Does Independent Verification Mean?
In short, it means that a third party has done a statistical study to determine if the rating accurately correlates to what it says it is going to. Cyber security ratings were designed to indicate whether a company is at increased risk of cyber security breach.
Like credit ratings, security ratings are not designed to be predictive, but to indicate likelihood of a negative event. They externally examined the effectiveness of cyber risk mitigation efforts, tools and hygiene to indicate the probable overall risk of breach a company faces due to their observable cybersecurity posture.
Why Does It Matter
Frankly, unless it’s been proven to be correlative, a rating is just a number.
A ratings service needs to be proven to be measuring the right data and that its model is correlated to a greater or lesser risk of cybersecurity breach. Security ratings are strategic business tools that are used to make important decisions within the organization. They are used to measure the effectiveness of security controls put in place, decide which vendors present too great of a security risk to work with, communicate to the board of directors about cyber risk mitigation, and make investment and prioritization decisions.
In a world where breaches like SolarWinds and Hafnium have become an accepted fact of life, do you want to use a rating that has not been independently verified to make those business decisions?
The risks of doing so are non-trivial. Since ratings are used to inform strategy, you want to ensure you’re using the ratings that provide the most accurate information possible. Since ratings services are often used to verify vendor risk assessments, they need to be up to date and comprehensive. Because they’re used to verify the effectiveness of your cyber security risk mitigation efforts, they need to measure the right things to give you the peace of mind that you’ve taken the right steps to reduce your risk.
Why Bitsight?
Bitsight of course conducts our own research into the effectiveness of our model to correlate to breach. But to date, Bitsight remains the only cybersecurity ratings service that has been independently verified to correlate to likelihood of breach.
A recent study by IHS Markit, a financial modeling firm, found that companies with a low Bitsight rating were 4x more to be breached than companies with a higher rating.
AIR, a global insurer, conducted a study which also showed that companies with a Bitsight rating of less than 500 were statistically more likely to suffer a breach than companies with a rating over 700.
Bitsight data has been found to be so accurate, in fact, that Solactive, another financial firm, has used our data for correlating security performance to stock price. Their research found companies with a strong Bitsight rating outperformed the market by up to 7%.
With Bitsight, you have the peace of mind of knowing that organizations that absolutely depend on accurate data have chosen Bitsight data because they’ve independently verified that it works.
Is It A Cybersecurity Rating If It’s Not Independently Verified?
One of the hallmarks of a rating as laid out in The US Chamber of Commerce’s "Principles for Fair and Accurate Security Ratings,” is that “Rating companies should provide validation of their rating methodologies”. So far, Bitsight is the only ratings company that has been truly able to do that . Everyone else is just checking their own homework. When you choose a partner for a task as important as knowing whether your cyber security risk mitigation investments are working, you should have confidence that you’re getting the best, most accurate data available.