Since the Company’s businesses are geographically distributed with historically autonomous operational aspects, it can be challenging for senior executives to holistically view and act on strategic priorities like cybersecurity. As a result, this company turned to Bitsight.
Through alignment of perspective, engagement, and execution, Bitsight helps us create a singular narrative of security.”
An Energy Company (“Company”) who owns a $100 billion portfolio of discrete energy sector utilities serving over 10 million customers, needed a more systematic way to understand and strengthen its risk posture. The Company’s practices and procedures among individual business units vary due to legacy operational autonomy. As as result, they’ve undertaken a long-term goal of emphasizing alignment around a centralized set of core and common principles. This includes a shared focus on governance, risk, and assurance extending from first party concerns to also include risk management for over 1,700 third-party relationships.
Bitsight helps the Company continually improve its internal security practices and hold third-party partners to equally high standards.
Since the Company’s businesses are geographically distributed with historically autonomous operational aspects, it can be challenging for senior executives to holistically view and act on strategic priorities like cybersecurity.
The Company engaged Bitsight to help turn their many disparate data points into actionable security and compliance insights for company stakeholders. “We have a very distributed structure that we’re trying to align with unified tools,” said the Company Administrator. “The ability to interpret technical findings and create executive actionability is the number one utilization of Bitsight in our environment.”
This includes driving alignment among the company’s operating businesses, as well as providing risk insights to its parent holding company about its complete portfolio of businesses.
The fact that Bitsight has persisted — and that the rating remains a fresh indicator — speaks volumes about the viability of the tool,”
In addition to supporting the executive team, Bitsight is utilized by functional leaders across the various businesses to measure and prioritize their security execution.
Company leaders challenged all of the individual businesses to achieve and maintain an “Advanced” Bitsight rating of 800 or higher.
“Our organization has a long history of friendly competition inside the Company,” the Company Administrator said. “Reporting first-party ratings to the executive suite drove immediate change.” The Company sustained this momentum for several years, continuing to rely on Bitsight ratings as a guiding measurement. “The fact that our first-party portfolio of energy companies consistently have the highest security ratings for their Industry, as measured by Bitsight, has some bragging rights attached to it,” the Company Administrator added.
The industries that the Company operates in require significant collaboration with third-party partners and vendors, often through technology integrations. This makes it increasingly important for the security team to consider the 1,700 third-party relationships as an extension of their attack surface.
The Company has robust contractual obligations for its third parties, and Bitsight helps hold them accountable to these standards by surfacing third-party risk insights, empowering the Company to respond systematically when incidents occur.
“We’re taking Bitsight-tracked security incidents and feeding that information into a dashboard that will automatically send out requests for information to our supply chain function and alert the global security operations center,” the Company Administrator said. “We then do an impact assessment and, when necessary, feed incidents into a vendor-compromised process.”
Implementing Bitsight’s complete solution proved to be far more cost-effective compared to integration of various point or other indicator solutions."
Given the role that utilities play in critical infrastructure, it’s vital for the Company to maintain strong governance practices and compliance with evolving cybersecurity industry frameworks. This requires a variety of internal and external audits, each with unique information requirements.
Bitsight streamlines the company’s evidencing of activities in these areas by making indicators of security practices and outcomes accessible to interpretation by layman auditors. The company is also using Bitsight in innovative ways to bring more transparency and sophistication to its corporate governance practices. A recent example is a newly created “virtual tear sheet” to report ratings and findings to stakeholders who do not use the Bitsight interface directly in an intuitive and approachable way. “It’s super exciting. It looks like a subway map.” the Company Administrator said. “We’re leveraging the Bitsight API to automatically feed charts and graphs of findings about first-party risk.”
The Company values the fact that Bitsight improves and innovates its products in an ongoing fashion without compromising its role as a consistent and trusted measurement of risk posture. “The fact that Bitsight has persisted — and that the rating remains a fresh indicator — speaks volumes about the viability of the tool,” the Company Administrator said. “But it’s also evolving with new risk vectors, priorities, and functionality as well.” The Company appreciates the convenience and financial advantages of having a single platform that provides insights into many aspects of their first and third-party risk posture.