BitSight Follows FICO Model as Cybersecurity Ratings Industry Grows
As cyber threats grow more complex and damaging, an independent rating that assesses the strength of a company’s defenses could become a new kind of currency in the business world—akin to a consumer credit score that can make or break one’s financial future.
That’s the vision of Stephen Boyer and his five-year-old company, BitSight Technologies, which created software that culls publicly accessible data to produce a FICO-like cybersecurity rating for some 47,500 companies and organizations, at latest count.
An organization can use the numerical score—which ranges from 250 to 900—to vet potential acquisition targets; monitor the risk of a breach of data shared with vendors and partners; shape the terms of cybersecurity insurance policies; help with internal evaluations of security policies; and more. Investors have poured about $49 million into BitSight, and it also won a $1 million National Science Foundation grant early on, says Boyer, the startup’s co-founder and CTO.
Those bets are starting to pay off. BitSight’s sales last year were five times as high as in 2014, and the Cambridge, MA-based company now counts more than 350 customers in sectors like finance, law, healthcare, and oil and gas, Boyer says. The 180-person company’s clients include insurance giant AIG, grocery chain Safeway, the University of San Francisco, and, interestingly, credit score firm TransUnion.
“There’s been high demand for this type of service,” says Boyer, a former MIT Lincoln Laboratory cybersecurity researcher. This is his second cybersecurity startup—he and his BitSight co-founder, Nagarjuna Venna, previously founded and quickly sold Saperix, a risk analysis firm, about five years ago.
It’s still early days for BitSight and other security ratings companies, which include SecurityScorecard and RiskRecon. But as the sector matures and more organizations use third-party security ratings to make crucial business decisions, scrutiny of the emerging industry will likely grow.
BitSight is already trying to get out ahead of any possible government regulations, Boyer says. “We’re setting ourselves up for that kind of scrutiny,” he says. “I’m down in DC quite a bit on the Hill.”
Those meetings are primarily for briefing regulators about how BitSight gathers and shares security data, he says.
The company has also made efforts to increase transparency and be more accountable to customers, Boyer says. Any companies rated by BitSight, whether they’re customers or not, can request a formal review of their security report. If they aren’t satisfied with the findings, they can appeal it.
That appeal will be overseen by a recently appointed independent ombudsman, Michael Cusumano. He’s an MIT professor who sits on multiple company boards and has consulted for companies like IBM, GE, and Fidelity. Cusumano is also charged with evaluating BitSight’s ratings practices—and ensuring it sticks to them.
“Conflicts of interest can undermine the reputations of ratings agencies, and that is why we don’t share sensitive ratings details with third parties or discuss the specific ratings of companies in public forums,” BitSight CEO Shaun McConnon said in a press release announcing the appointment of Cusumano. “From day one, we have been committed to being objective and ensuring our process is consistent and unbiased.”
Boyer says the ombudsman and other transparency measures weren’t implemented as a result of any issues with BitSight’s practices. Rather, they’re a way to build trust with customers and outside observers. “Because we’re managing this at scale with so many organizations now, we’ve had to be able to show our processes,” Boyer says.
Whether the federal government opts to step in and provide more oversight of the security ratings industry—as it has with credit ratings, for example—is another matter. “Who knows what could happen on the regulatory side,” Boyer says. “It’s always a possibility, but there’s nothing” imminent, he adds.
Cybersecurity expert Mark Weatherford thinks federal regulations for security ratings would be a mistake.
“In the short term,” Weatherford says in an e-mail, “the last thing we need is government stepping in to regulate something that is still maturing, and longer term, I think the cybersecurity threat and vulnerability environment will continue its lively and progressive path, which would make a regulatory environment consistently stagnant and difficult to enforce.”
Weatherford would know, having previously served as the Department of Homeland Security’s deputy undersecretary for cybersecurity and as the chief information security officer for the states of California and Colorado. He now works as the chief cybersecurity strategist for Mountain View, CA-based vArmour.
Cybersecurity “companies that can’t maintain constant ethical scrutiny will die off fairly quickly,” Weatherford continues. “There is simply too much competition.”
BitSight compiles its data in a few ways. It searches for breaches that might be signaled by publicly visible communications between the hacker and malicious software that infiltrated a company’s network, Boyer says.
BitSight’s software also connects to company websites to test for weaknesses, but Boyer is quick to note that it doesn’t do deeper penetration testing. “You have to get authorization to do something that’s intrusive, to really knock on” a system’s door, he says. “What we’re doing is, from a very nonintrusive way, how can I determine what vulnerabilities are there?”
Finally, BitSight tracks …