Security ratings firm BitSight announced on Sept. 5 that it is expanding its offerings with the launch of the new BitSight Forecasting service.
The BitSight Forecasting capability builds on BitSight’s existing ratings service that helps organizations measure and benchmark cyber-security posture and maturity. With Forecasting, BitSight now enables organizations to estimate the impact of different technology and process changes on their cyber-security risk score.
“As we have gotten broader adoption of our platform, we have seen organizations set targets for where they want to be,” Stephen Boyer, founder and CTO of BitSight, told eWEEK. “BitSight Forecasting is really a way to give teams a way to understand what performance will look like in six to 12 months and what are some of the key things they can do to reach their targets.”
BitSight was founded in 2011 and launched its inaugural service for rating organizations’ cyber-security in 2013. The company has raised a total of $151 million in venture capital, including a $60 million Series D round announced on June 28 and $40 million in Series C funding announced in September 2016.
Boyer said that a common question that he has heard over the years from organizations is if they are spending enough on cyber-security. He noted that the question of how much is being spent isn’t always the right question; rather it’s more important to understand how different investments can lead to different outcomes and impact on an organization’s overall cyber-risk.
Modeling cyber-risk to be able to forecast the impact of changes is not a trivial exercise. Boyer said that BitSight has a whole team of data scientists that continuously build and update forecasting models. Boyer added that BitSight is already tracking a large volume of companies through its existing rating service, which provides a valuable data set that informs the forecasting model.
“In the world of Big Data, better data and more data wins,” he said.
Using the past history for a given organization, its’ peers in the same industry as well as other industries, Boyer said that BitSight builds out machine learning and statistical models from previous performance and then uses those models to forecast the future. The model enables BitSight Forecasting users to understand how different inputs and process changes will impact cyber-risk in the future.
Making An Impact
What makes an impact in one organization on future cyber-risk might not be the same for all organizations. For example, Boyer said that the Financial Services industry is generally already pretty good at patch management, but there are other areas where there are gaps such user access policies.
“We’re measuring culture by proxy, we get to see outcomes that are a confluence of execution and culture,” Boyer said.
Boyer said that improving security is not as easy as just telling every organization to go out and patch their system. Rather he said that there are different things that organizations can do including training, technology and process improvement that will yield different results based on each individual organization’s circumstances. That said, Boyer did note that almost every organization can benefit from the use of network isolation or segmentation technologies that can limit risk.
There also isn’t always a direct relationship between financial investments in cyber-security and improved cyber-risk.
“You could spend a lot of money on things that may not matter, that might not be directly impactful,” Boyer said. “We have seen organizations spend a lot of money updating certain services that no one uses, rather than focusing on where the attackers are going which are key asset and hosts.”
Looking forward, Boyer said that BitSight will be working on ways to better integrate cyber-security ratings into business processes, in a more data driven and automated approach.
“You’ll see from us in the future increasing visibility and higher degrees of collaboration capabilities to help organizations better quantify and manage their state of risk,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.