A Bit(Short)Sighted Security Rating
Use Cases and Deployment Scope
BitSight Security Ratings was evaluated for use in our vendor management project. BitSight utilizes a proprietary analysis of a domain's online presence to evaluate risk and track changes over time and provide a risk score (much like a credit score). We evaluated BitSight as a way of providing numeric risk values to vendors prior to bringing them into our environment.
Pros
- Security hygiene tracking over time
- Understandable risk score based on observations
- Predictability model of potential cyber security issues based on security habits.
Cons
- Since data is based on public registration, IP and domain data can be stale depending on ISP/domain registration update delays.
- Correcting a false detection is a month-long endeavor and requires the company with the impacted score to clean up BitSight's data.
- Customer service for incorrect data is convoluted and requires a deep understanding of domain registration to correct the data. The responsibility for correcting data is placed solely on the customer's shoulders.
Most Important Features
- Easy to understand risk score
- Industry average vs vendor score for comparisons
- Trending of data over years for well known companies.
Return on Investment
- Wasted resource hours cleaning up data to correct erroneous risk score.
- Extra time spent addressing calls from clients about erroneous risk score data.
- Extra time validating risk score provided by BitSight Security Ratings for potential vendors to ensure valid data.
Alternatives Considered
OneTrust and SecurityScorecard
Other Software Used
ThreatConnect Threat Intelligence Platform (TIP), Proofpoint Emerging Threat Intelligence, Mandiant Advantage Threat Intelligence