BitSight Security Ratings www.bitsighttech.com
Trends
Increasing governance and assurance required Subsidiary Third Party Risk Risk Management Management Fourth Party Risk Benchmarking Management Cyber Security Insurance Mergers & Risk Acquisitions
Cyber Risk is Increasing
CYBER INCIDENTS CONTINUE TO INCREASE
● Volume (# of attacks)
● Speed of attacker
● Sophistication of attacker
THE TARGETS ARE BROAD
● 1st party
● 3rd party
● Nth party
THE DAMAGE IS SEVERE
● Financial loss
● Reputational harm
● Legal liability
● Operational disruption
Market Conditions
BOARD EXPECTATIONS
• 100% of organizations will report to the board on cyber risk at least 1x / year, by 2020
• 91% of board members can’t interpret cybersecurity reports
BUSINESS IMPACT
• 181 vendors granted access to a company’s network per week
• 63% of all breaches linked directly or indirectly to 3rd parties
REGULATORY ENVIRONMENT
• Oversight Continues to Increase: GDPR, FFIEC, HK CFI, DFAR, NY DFS, NIST
MARKET IMPACT
• $100B will be spent in 2020 on information security worldwide
• $10B in estimated cybersecurity insurance premiums by 2020
• $2T cyber crime costs by 2020
The power of objectively measuring cybersecurity performance… What would it enable for YOU?
Key Questions
How do diverse stakeholders have a sensible conversation about Cyber Security?
• Language - Risk posture vs. vulnerability checklist? Impact vs. events. Non-technical language
• Consistency of measurement – Absolute and relative, Universal Metrics Standard across a critical mass of organizations
• Business Context – What is in it for me? How to relate cyber security to business
• Outcome vs activity – Results rather than effort
• Objective versus subjective – Data centric but in context
BitSight brings data-driven efficiency and automation to the cyber risk evaluation process by providing a COMMON METRIC (ratings) to be used in a cyber risk decision framework:
The Key Questions
Who are the consumers of Cyber security information?
• The Board
• Procurement
• Compliance
• Vendor Risk Management
• Audit
• Operational Risk
• CISO / Info Sec / Cyber security
• Business process owners
• Supplier Managers
• CIO / CRO
Common Language. Different perspectives / context. Subject to specific risks.
BitSight Security Ratings Enable Measurement
BitSight Security Ratings: LIKE CREDIT RATINGS...
• Data-driven rating of security performance
• Non-intrusive SaaS platform
• Continuous monitoring
• Objective, quantitative measurement
Rating ranges:
• ADVANCED: 740 - 900
• INTERMEDIATE: 640 - 740
• BASIC: 250 - 640
Company:
• Founded 2011
• Boston, MA headquarters
• 450+ employees
• $150M+ capital raised from blue chip investors
• Experienced leadership team with record of growing successful companies
• Global offices in Singapore, Lisbon and Raleigh
THE LARGEST, MOST ENGAGED ECOSYSTEM
• 1,500+ Customers
• 25,000+ Users
• 20,000+ Ecosystem Comments & Tags
• 160,000+ Monitored Organizations
• 105,000+ Pieces of User-Generated Content
• 15M+ Domains Worldwide
How do security ratings help?
BitSight Security Ratings: LIKE CREDIT RATINGS...
• Provide a measurable range of risk
• The only ratings solution with a third party verified correlation to breaches.
• Data-driven rating of security performance
• Non-intrusive SaaS platform
• Continuous monitoring with 12 month history
• Active Oversight AT SCALE
Rating range and multiplier:
• <400: x5
• 400-500: x4
• 500-600: x3
• 600-700: x2
• >700
Strong, Validated Correlation to breach
• 2x: If the Botnet Grade is B or lower, or the File Sharing grade is B or lower, or the Open Ports grade is F
• 5x: If the security rating drops below 400 as compared to an organization with a 700 or higher
• 3x: If 50% of computers run outdated Operating System versions
Security ratings are an objective, continuous, external measure of an organization’s overall cyber security posture
3 levels of information – tailored for stakeholder needs
1. Security Rating – Overall Cyber Risk posture rating. Dashboard, Management reports. ‘View from the bridge’, trending.
2. Risk Vectors – Rating for groupings of like events. Risk hunting, thematic reviews, Audit selection + scoping. Operational reports.
3. Events – specific incidents or vulnerabilities. Remediation, preparation for on-site audits. Activity reports.
Translating Security Data into Actionable Ratings
Security Ratings: Organizational security performance ratings ranging from 250 - 900 derived from verifiable, outside-in security data
Risk Vector Factors within Ratings:
• Compromised Systems: 55%
• Diligence: 35%
• User Behavior: 10%
Botnet event detail
Measuring Performance Across a Large Portfolio
Better Data Enables Smarter Prioritization of Risk
Vendor Tiering enables quick identification of critical vendors with issues … and Asset prioritization provides context on the most pressing issues facing these critical vendors
Other ratings providers cannot provide the extensive visibility of security issues (see previous slide) or business critical assets (no API, mail server, or database visibility), meaning customers don’t get the most comprehensive view of the most important issues facing their most critical vendors.
Leading Organizations Use BitSight
• 20% of Fortune 500 companies use BitSight
• 4 of the top 5 Investment Banks use BitSight for Vendor Risk Management
• 40+ government agencies, including US and Global Financial Regulators, use BitSight
• 4 of the Big 4 Accounting Firms use BitSight
• 50% of the world’s cyber insurance premiums are underwritten by BitSight customers
1,500+ CUSTOMERS ACROSS THE GLOBE
Third Party Risk Management
TPRM: Customer Pain Points
Vendor Ecosystem
• Tier 1 Vendors: Critical to business function with potential network access or sensitive data sharing
• Tier 2 Vendors: Important vendors that may have access to network, data or company premises
• Tier 3 Vendors: Long tail of vendors with less network/technology relationship
Customer Existing Processes (existing processes highly focused on Tier 1 vendors)
• Gather important data through questionnaires or episodic assessments to learn about vendors' policies, procedures, controls
• Send risk manager to do onsite assessments to verify vendor policies, procedures, controls
• Perform penetration tests to get point-in-time analysis of vendor security vulnerabilities
Current processes are expensive, time consuming, and don’t provide continuous visibility across an organization’s entire ecosystem of vendors.
Cyber Security Challenge Difficult to scale traditional approaches: Questionnaires, audits, penetration tests, manual efforts, etc.
BitSight Value in TPRM Program
Vendor Ecosystem
● Tier 1 Vendors: Critical to business function with potential network access or sensitive data sharing
● Tier 2 Vendors: Important vendors that may have access to network, data or company premises
● Tier 3 Vendors: Long tail of vendors with less network/technology relationship
Customer Existing Processes
● Questionnaires
● Onsite assessments
● Penetration tests
Cost-effective continuous visibility across all tiers
● Expand visibility across all vendors to identify highest-risk vendors
● Drive efficiency and automation across existing workflows and processes
● Prioritize action and allocate resources to address dynamic risks across vendor population
● Integrate ratings data throughout vendor lifecycle processes including selection, onboarding, ongoing monitoring and termination
BitSight Security Ratings are a cost-effective, data-driven metric that enables better prioritization of risk and allocation of resources to make effective risk decisions within an organization’s TPRM program
BitSight TPRM
Third Party Monitoring Produces Measurable Results at Scale for
Goal: Monitor the information security disposition of critical third party service providers
Actions by BitSight
• Monitor thousands of third parties
• Evaluate risk rating for each provider
• Determine risk areas for action
Results
• 9 X Third party expansion coverage with same FT employees
Security Performance Management
Security Performance Management Capabilities Operational Value Business Management Value Prioritization Peer Analytics Progress Tracking Launch in Q1 Future Enhancement Remediation Benchmarking Forecasting CONFIDENTIAL
Peer Analytics
One Example of Impactful Results from Vendor Collaboration
Onboarded 496 suppliers and engaged with BitSight Security Ratings as part of this process
• 56% Saw a Rating Increase (276)
• 50 Average points increased across this group
* Suppliers on-boarded between May 1st and October 31. Ratings compared between May 1st and Dec 4th