The past year has seen several high-profile breaches in which lax security practices of third-party contractors played a role. In the Target breach, for example, hackers apparently accessed the retailer's network using login credentials stolen from a company that provided HVAC services for Target.
As is often the case in enterprise software, one company's problem is another company's opportunity. Startup BitSight Technologies provides quantitative ratings on the security performance of some 30,000 companies around the world, and these ratings help companies make informed decisions about third-party suppliers, said the company's co-founder and CTO Stephen Boyer.
"When we started we focused on third-party risk, because that was the biggest white space in security," he said. "Most companies had the technology to protect themselves but almost nothing to protect against third-party risk."
While they were graduate students together at MIT, Boyer and BitSight co-founder Nagarjuna Venna started Saperix, a company focused on vulnerability and network topology risk analysis that was later acquired by FireMon, a provider of network security management products.
Boyer said he got the idea for BitSight while talking to auditors, who worried they didn't get an accurate picture of a company's security during their visits. "They didn't know if a company rushed to get stuff done before they got there, or what they did after they left."
Credit Bureau for Cybersecurity
His vision for tackling the problem was to create a service similar to a credit bureau for cybersecurity. While working with financial services companies to prove the concept and the science behind it, some companies expressed interest in using the ratings to assess their own performance, not just the performance of their suppliers.
"They wanted to share the metrics with their management to get budget, for example," Boyer said. "They were glad to get quantitative measurements from an outside source for the first time. That kind of information is very elusive in cybersecurity," he said, noting that BitSight created a benchmarking product to serve that need.
Prior to that, companies typically engaged a consultant to come in and help create benchmarks, based mostly on employee surveys and brief observation. "That is the equivalent of asking a mortgage applicant 'how good are you at paying your bills' and then writing the mortgage," he said.
In addition to auditors, the target audience for his company's product includes board members and senior executives. BitSight has also begun working with merger and acquisition specialists, private equity firms and other companies that want to make cybersecurity part of their due diligence. To appeal to that audience, BitSight employs a numerical score similar to the FICO credit score that lenders use to assess creditworthiness.
"These people are not always security experts, but they understand a score," Boyer said. "If I tell you a company scored 800, you don't have to know too much about that company or what I am measuring, but you know they are doing a pretty good job with their security."
BitSight employs multiple criteria to produce its ratings. Perhaps the most important, Boyer said, is performance over time. "It's the best metric because it's hard to fake security year over year." The company also looks at empirical evidence of compromise, such as malicious code or unexpected software installed on machines, and at whether a company follows best practices such as regular patching and use of the latest encryption technology.
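The following is an added illustration of why a rating built on performance over time is hard to game; it is a hypothetical toy model written for this article, not BitSight's algorithm, and the scoring weights, the 250 to 900 scale, the 90-day half-life and the sample histories are all assumptions constructed for the example. It feeds the two kinds of outside-in evidence the text mentions (signs of compromise on a company's hosts, and hygiene findings such as unpatched services or deprecated TLS) into an exponentially time-weighted average, so that a company which was compromised for most of the year and cleaned up last week still rates well below one that was clean all along, even though the two look identical today.

```python
# Illustrative outside-in security rating. Hypothetical model written for this
# article; NOT BitSight's algorithm. Weights, scale and sample data are assumed.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DailyObservation:
    day: date
    total_hosts: int
    compromised_hosts: int = 0    # hosts seen doing something only malware does
    tls_legacy_hosts: int = 0     # hosts offering only deprecated TLS versions
    unpatched_services: int = 0   # services whose banners show overdue versions


def daily_score(obs: DailyObservation) -> float:
    """Map one day's evidence onto 0..1, where 1 means nothing bad was observed."""
    if obs.total_hosts <= 0:
        return 1.0
    # A small share of compromised hosts is already serious, so the compromise
    # term saturates quickly: 2% of hosts compromised is the maximum penalty.
    compromise = min(1.0, 50.0 * obs.compromised_hosts / obs.total_hosts)
    hygiene = min(1.0, (obs.tls_legacy_hosts + obs.unpatched_services)
                  / (2.0 * obs.total_hosts))
    # Evidence of compromise outweighs hygiene findings (assumed 70/30 split).
    return 1.0 - (0.7 * compromise + 0.3 * hygiene)


def rating(observations, as_of: date, half_life_days: int = 90,
           window_days: int = 365, lo: int = 250, hi: int = 900) -> int:
    """Exponentially time-weighted average of daily scores over the trailing
    window, mapped onto a FICO-like lo..hi scale. Recent days weigh more, but
    a year of bad days cannot be erased by one clean week."""
    weighted = total_weight = 0.0
    for obs in observations:
        age = (as_of - obs.day).days
        if age < 0 or age >= window_days:
            continue
        w = 0.5 ** (age / half_life_days)
        weighted += w * daily_score(obs)
        total_weight += w
    if total_weight == 0.0:
        return lo  # no evidence at all earns no credit
    return round(lo + (hi - lo) * weighted / total_weight)


def history(as_of: date, days: int = 365, compromised_until_age: int = -1,
            compromised_hosts: int = 10, **counts):
    """Constructed sample history: `compromised_hosts` compromised on every day
    at least `compromised_until_age` days old, clean since. Other counts are
    held constant across the whole period."""
    return [
        DailyObservation(
            day=as_of - timedelta(days=age),
            compromised_hosts=(compromised_hosts
                               if age >= compromised_until_age >= 0 else 0),
            **counts)
        for age in range(days)
    ]


def demo(as_of: date = date(2015, 1, 31)) -> dict:
    """Two companies that look identical today: 'steady' has been clean all
    year; 'cleanup' was compromised for 51 weeks and cleaned up last week."""
    common = dict(total_hosts=1000, tls_legacy_hosts=50, unpatched_services=50)
    steady = history(as_of, **common)
    cleanup = history(as_of, compromised_until_age=7, **common)
    return {
        "today_score": daily_score(steady[0]),           # 0.985
        "today_identical": daily_score(steady[0]) == daily_score(cleanup[0]),
        "steady": rating(steady, as_of),                 # 890
        "cleanup": rating(cleanup, as_of),               # well below steady
        "no_evidence": rating([], as_of),                # 250
    }


if __name__ == "__main__":
    print(demo())
```

The point of the half-life weighting is the trade-off Boyer describes: a company that genuinely improves sees its rating recover over a few months, while a company that merely tidies up before an audit gains almost nothing, because the trailing year of observations still dominates the average.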
BitSight has 150-plus customers, with over a quarter of them in the Fortune 100. While vendor risk management is more of a focus for larger firms than smaller ones, Boyer said interest is growing among smaller companies as their insurers ask them about it. In addition, many of them are suppliers to larger firms and can use BitSight's ratings to show their security practices stand up to scrutiny.
Changing Security Behavior, One Policy at a Time
BitSight's newest product is a ratings service tailored to companies selling cyber insurance. Boyer is especially excited about this market, as he thinks it offers the potential to help companies improve their security postures.
"Part of our early mission was to get people to address the cultural issues that affect security, and incentives and transparency are really the best ways to address those," he said. "We wanted to introduce better incentives for security outcomes. Insurance can do that by setting premiums, which can drive business behaviors because they impact cost. We believe cyber insurance can drive rapid improvement."
As companies get more sophisticated about pooling and transferring their cyber risk to insurers, the insurers must get more sophisticated about buying that risk, Boyer added.
Boyer expects business to boom for BitSight as cybersecurity comes to be seen less as a back-office function and more as a central part of business operations. Even with multiple security technologies such as antivirus, firewall, intrusion detection and data analysis, he said, "there is no way to protect against everything so companies need to get better at risk management, and data and measurement is the best way to go about that."
Fast Facts about BitSight Technologies
Founders: Nagarjuna Venna, Stephen Boyer
Product: BitSight Security Ratings Platform
HQ: Cambridge, Mass.
Employees: 131 worldwide
Customers: 150-plus customers, across a wide range of verticals
Funding: $50 million from Globespan Capital Partners, Menlo Ventures, Flybridge Capital Partners, Commonwealth Capital Ventures, Comcast Ventures and Liberty Global Ventures
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.