University of Surrey

Using Bitsight to Shine a Light on Cyber Risk Internally and Across its Vendor Portfolio

University of Surrey Logo
Ambrose Neville
Head of Information Security at the University of Surrey

“Bitsight shines a light on things we don’t already know from an external perspective. This allows us to prioritize and target our efforts, whether they are preventative or detective security controls.”

Video Url
CBF68EC0-893E-4ABF-8357-660D42DCE02C@1x

Like all higher education institutions, the University of Surrey takes cybersecurity very seriously. Any security incident can compromise student data, interrupt learning and research, and harm the reputation and ranking of the university.

However, with a student population of more than 16,000 students – many of them accessing the university wireless network using their own unprotected devices – hackers have thousands of potential entry points.

“We can’t risk an infected student device connecting to our wireless network, which, like many universities, is very open,” said Ambrose Neville, Head of Information Security at the University of Surrey.

The university also relies on hundreds of vendors and partners to achieve its mission of providing excellent education and delivering social and economic impacts through research and innovation. To mitigate the risk of a cyber-attack originating from a third-party, the university needed visibility into cyber risk hidden within its vendor portfolio.

“Our goal was to discover things we didn’t already know about a vendor's security program,” said Neville.

To address these imperatives, the University of Surrey chose Bitsight for Security Performance Management (SPM) and Bitsight for Third-Party Risk Management (TPRM). The combined solutions provide deep insights into internal and third-party risk profiles.

Now, the University of Surrey can:

  • Measure its internal security posture using Bitsight for SPM.
  • Discover hidden risk in its attack surface.
  • Detect high-risk vendors and work with them to reduce their own risk and, as a result, pose fewer threats to the university.
  • Monitor vendor security performance over time.
  • Benchmark security performance against peer organizations.

With Bitsight for SPM, the University of Surrey can now discover risks hidden across its digital ecosystem, including individual student assets – on a continuous basis.

“We get a lot of telemetry from many sources, but Bitsight stands out because it alerts us when a compromised student device connects to the wireless network. For example, when a bot on a device begins communicating with a sinkhole, we receive an early warning that the asset is connected to our network and needs to be dealt with,” said Neville.

Bitsight also provides much-needed context into security performance. The system ranks areas of critical or disproportionate risk and informs targeted remediation efforts.

“Bitsight shines a light on security vulnerabilities from an external perspective,” said Neville. “This allows us to prioritize and target our efforts, whether they are preventative or detective security controls.”

Using Bitsight Security Ratings, Neville and his team can also track security performance and risk improvements over time – an important feature for any organization, but particularly for a university that prides itself on protecting students’ data.

Security ratings use data-scanning technology to provide an outside-in view of an organization’s security posture and measure cyber risk. Ratings can range in value from 250 to 900, with the current achievable range being 300-820, with a higher rating indicating better cybersecurity performance. In fact, Bitsight is the only security ratings provider with proven third-party validation of its ratings, which have been demonstrated to correlate with data breach risk as well as business financial performance.

Explained Neville: “Growing and maintaining a Bitsight rating in our industry is hard because of the openness of our networks. However, by scoring our security program we can have data-driven conversations with business owners about risk.”

“Ratings also validate that we are doing the right things and are a proxy for how well our security initiatives are working,” he continued. “We can even benchmark our performance against our peers to get a sense of how we’re doing compared with similar-sized institutions.”

Ambrose Neville
Head of Information Security at the University of Surrey

“Bitsight opens conversations with our vendors’ security teams. By informing them about risks they may not know about, we set ourselves up for successful business relationships from the get-go - while protecting both our business and our vendors’ business.”

In addition to gaining insights into internal security performance, the University of Surrey also needed an efficient and scalable process to evaluate vendors and other third-parties quickly and securely.

Through Bitsight for TPRM, the university improved its processes dramatically. Bitsight provides an immediate, near real-time view into each third-party’s security posture – during onboarding and for the term of the relationship.

Bitsight’s dashboard-based findings can also be shared with vendors. Per Neville: “Bitsight opens conversations with our vendors’ security teams. By informing them about risks they may not know about, we set ourselves up for successful business relationships from the get-go - while protecting both our business and our vendors’ business.”

Technology is only the beginning. Bitsight’s responsive support team is also on-hand to speed up the onboarding process. “One of my favorite things about Bitsight is how responsive the team is. When we need to onboard a new vendor, Bitsight's Customer Success and Support Team responds quickly, adding data about that vendor to the platform, allowing us to meet business needs quickly."