BitSight Technologies CTO Says Security Metrics Can Work


One of the biggest challenges in the security world at large is ground truth and relevant metrics, Boyer said. "I firmly believe nobody has the full picture of the risks posed by their partners," he said. "We're displaying this in a way so people get a quick indicator." BitSight said the performance of an organization over time is the best indicator of its security posture. The information also can provide benchmarking measurements that are useful for advocating better security processes and technology upgrades, Boyer said. A company can benchmark itself against its peers, and in the future BitSight plans to add measurements on industry verticals, he said.

"We're trying to introduce into the cybersecurity world the same level of rigor, analysis and risk management that has existed in the financial sector for quite some time," Boyer said.

The company currently has a small group of customers using its service in healthcare, financial services and retail. BitSight said its service is sold as an annual subscription. Pricing has been based on the number of partners that a user wants to rate and monitor, the firm said. Since it is delivered as a SaaS offering, the service may appeal to resellers.

Boyer said his firm is distancing itself from an emerging set of threat intelligence vendors, which provide information about specific security threats. BitSight's service is similar to that of Arlington, Va.-based Lookingglass Cyber Solutions, which provides threat intelligence monitoring and management that gives visibility into risks posed by partners. Rather than assigning a risk score, Lookingglass provides detailed information on the presence of botnets, hosts associated with cybercriminal networks, unexpected route changes and the loss of network resiliency.

"We're not trying to move from ignorance to negligence," Boyer said. "We'll only provide our customers with the underlying factors used to arrive at a security effectiveness score."

The security community is skeptical about security effectiveness ratings, said Pete Lindstrom, principal and vice president of research at Spire Security. BitSight appears to be heading in the right direction, but it needs to open up its valuation model to affirm the scores it assigns, Lindstrom said.

"There's no doubt a need to monitor your partner ecosystem, but BitSight is heading into treacherous waters because any score is subject to scrutiny," Lindstrom said. "There's value in this, but the challenge is getting everyone to agree upon the empirical evidence behind the arrival of the score."

PUBLISHED SEPT. 10, 2013