Startup BitSight Aims to Measure IT Security From Outside the Firewall

Startup BitSight Technologies aims to measure how seriously a business focuses on security by analyzing a host of external factors.

Before a company or individual borrows money, they have to undergo a credit check as proof of their financial security. In the future, companies that want to do business with each other may have to show a similar rating that grades their information security.

On Sept. 10, security startup BitSight Technologies launched a service that uses a number of external measures to rate how likely a company is to fend off compromises and protect any data entrusted to them. Is spam coming from a firm's domain? Lower their score. Have they taken steps to protect their domain-name records? Raise their score.

"Ratings have shown themselves to be a very robust way for organizations to understand and manage the risk in a way that abstracts some of the complexity," Stephen Boyer, founder and CTO for BitSight, told eWEEK. "There is a real chasm between the tech folks and the business decision makers, and so the credit-rating model—like it or love it—has introduced time and cost efficiencies into the system for people to quantitatively build models around."

Because service providers and suppliers are under increasing attack, BitSight has focused first on rating companies that supply products and services to others, grading their security using a measure similar to credit scores. The service, dubbed the Partner SecurityRating, will focus on giving companies insight into how secure their business partners are likely to be, Boyer said.

Just like credit services cannot see into an actual household, BitSight's security service cannot peer into a company's internal network, but it can use external data to infer whether there is a potential security problem inside the company or to deduce whether the company takes security seriously. BitSight rates businesses' information security on a scale of 250 to 900, based on publicly available information and threat-intelligence feeds.

Negative factors include whether the company's computers are included on blacklists for spamming, been used in a distributed denial-of-service attack or communicated with a known botnet. Positive factors include visible steps taken by a company to increase their security, such as locking their domain, using sender policy framework to authenticate their email server, and using a service or security product to protect their Website from known attacks.

"If a company potentially loses a deal because they are not up to snuff, then they will likely allocate the budget to improve their security posture," Boyer said.

Ratings for industries can show which groups of companies have a good security track record, and which ones need to pay more attention to security. For example, the financial-services industry, which is widely considered an early adopter of security technologies, is the best performing industry, although it is not perfect, Boyer said. Meanwhile, legal service firms have done poorly as a group, he said.

"Legal services [are] actually a real poor performer, and that concerns a lot of our customers, because they hold the keys to the kingdom," Boyer said.

BitSight recently closed a $24 million round of venture funding.