Startup BitSight Aims to Measure IT Security From Outside the Firewall
Startup BitSight Technologies aims to measure how seriously a business focuses on security by analyzing a host of external factors.

Before a company or individual borrows money, they have to undergo a credit check as proof of their financial security. In the future, companies that want to do business with each other may have to show a similar rating that grades their information security. On Sept. 10, security startup BitSight Technologies launched a service that uses a number of external measures to rate how likely a company is to fend off compromises and protect any data entrusted to them. Is spam coming from a firm's domain? Lower their score. Have they taken steps to protect their domain-name records? Raise their score.

"Ratings have shown themselves to be a very robust way for organizations to understand and manage the risk in a way that abstracts some of the complexity," Stephen Boyer, founder and CTO for BitSight, told eWEEK. "There is a real chasm between the tech folks and the business decision makers, and so the credit-rating model—like it or love it—has introduced time and cost efficiencies into the system for people to quantitatively build models around."

Because service providers and suppliers are under increasing attack, BitSight has focused first on rating companies that supply products and services to others, grading their security using a measure similar to credit scores. The service, dubbed the Partner SecurityRating, will focus on giving companies insight into how secure their business partners are likely to be, Boyer said.
Just like credit services cannot see into an actual household, BitSight's security service cannot peer into a company's internal network, but it can use external data to infer whether there is a potential security problem inside the company or to deduce whether the company takes security seriously. BitSight rates businesses' information security on a scale of 250 to 900, based on publicly available information and threat-intelligence feeds.
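To make the "outside the firewall" idea concrete, here is an added example (not BitSight's code, and not its actual scoring model) of how externally observable signals of the kind the article names can be turned into a rating on the same 250 to 900 scale. It assumes a hypothetical DNS snapshot and a hypothetical count of spam observations, both constructed inline, and the signal weights are arbitrary assumptions chosen for illustration. The two signals it actually parses are real: SPF and DMARC records published in DNS constrain who may send mail as the domain, and DNSSEC signs the domain's records. A defender can run the same parsing against their own domain's TXT records to see what an outside observer would infer.

```python
"""Hypothetical outside-in domain hygiene scorer.

Added example, not BitSight's model. Signal weights, the DNS snapshot and
the spam counts below are constructed for illustration.
"""

# Constructed DNS snapshot: what an outside observer could retrieve for two
# hypothetical domains. Real lookups would use a DNS resolver instead.
CONSTRUCTED_DNS = {
    "good.example": {
        "TXT": ["v=spf1 include:_spf.mailhost.example -all"],
        "_dmarc.TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
        "DNSSEC": True,
    },
    "weak.example": {
        "TXT": ["v=spf1 +all"],   # permits anyone to send as this domain
        "_dmarc.TXT": [],         # no DMARC policy published
        "DNSSEC": False,
    },
}

# Constructed count of spam messages observed claiming each domain as sender
# (the kind of signal a spam-trap feed would provide).
CONSTRUCTED_SPAM_EVENTS = {"good.example": 0, "weak.example": 37}

SCORE_MIN, SCORE_MAX = 250, 900

# Assumed relative weights of each signal; not BitSight's weights.
WEIGHTS = {"spf": 0.2, "dmarc": 0.3, "dnssec": 0.2, "spam": 0.3}


def parse_spf(txt_records):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'),
    '?' if the record has no 'all' term (RFC 7208 default is neutral),
    or None if the domain publishes no SPF record at all."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split()[1:]:
                t = term.lower()
                if t in ("all", "+all", "-all", "~all", "?all"):
                    return t[0] if len(t) == 4 else "+"
            return "?"
    return None


def parse_dmarc(txt_records):
    """Return the DMARC policy tag value ('none', 'quarantine', 'reject')
    or None if no DMARC record is published."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p")
    return None


def signal_points(dns, spam_events):
    """Map each external signal to a 0.0..1.0 score (higher is better)."""
    points = {}
    spf_q = parse_spf(dns.get("TXT", []))
    # A hard fail ('-all') gives receivers the strongest basis to reject spoofing.
    points["spf"] = {"-": 1.0, "~": 0.7, "?": 0.2, "+": 0.0}.get(spf_q, 0.0)
    dmarc_p = parse_dmarc(dns.get("_dmarc.TXT", []))
    points["dmarc"] = {"reject": 1.0, "quarantine": 0.7, "none": 0.3}.get(dmarc_p, 0.0)
    points["dnssec"] = 1.0 if dns.get("DNSSEC") else 0.0
    # Assumed: 50 or more observed spam events from the domain zeroes this signal.
    points["spam"] = max(0.0, 1.0 - spam_events / 50.0)
    return points


def rate_domain(domain, dns_db=CONSTRUCTED_DNS, spam_db=CONSTRUCTED_SPAM_EVENTS):
    """Combine weighted signals into an integer rating on the 250..900 scale."""
    pts = signal_points(dns_db[domain], spam_db.get(domain, 0))
    fraction = sum(WEIGHTS[k] * pts[k] for k in WEIGHTS)
    return round(SCORE_MIN + fraction * (SCORE_MAX - SCORE_MIN))


if __name__ == "__main__":
    for d in CONSTRUCTED_DNS:
        print(d, rate_domain(d), signal_points(CONSTRUCTED_DNS[d], CONSTRUCTED_SPAM_EVENTS[d]))
```

The point of the example is the shape of the method rather than the numbers: every input is something a third party can observe without access to the rated company's network, which is exactly why such a score can be computed for a business partner but also why it is only an inference about internal practice, not a measurement of it.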