BitSight Follows FICO Model as Cybersecurity Ratings Industry Grows
(Page 2 of 2)
risky behavior within organizations. An example is monitoring peer-to-peer websites to see if employees are downloading business applications like Microsoft Office or AutoCAD, Boyer says.
Boyer admits there are limitations to BitSight’s ratings system since it relies solely on publicly available information. “Ideally, you would love to have private info,” he says.
The problem is that even if a company wanted to share internal data with BitSight, there might be “gaps or errors” in the data provided, Boyer says. And company executives often think their security measures are “fantastic,” but the reality is different from their perception, he says.
The traditional way to measure a company’s cybersecurity health involves filling out a questionnaire, followed by an auditor visit. But that can be a time-consuming process, and cyber threats mutate so quickly that the audit is basically stale the day it gets turned in, Boyer says.
Moreover, it’s not feasible for large enterprises to perform manual cybersecurity assessments when they work with hundreds or thousands of third-party vendors. “Do that math and it just becomes intractable very, very quickly,” Boyer says.
Ultimately, BitSight aims to make manual audits obsolete with its system—an automated, empirical process that constantly gathers data and becomes more useful and informative over time, Boyer says. “You see where your risk might be, and you focus your time and attention there,” he says.