Cyber security risk is growing exponentially. How do you measure and benchmark such risk?
Sramana Mitra: Let’s start by having you introduce yourself as well as BitSight to our audience.
Tom Turner: I’m the CEO of BitSight Technologies. BitSight is a cyber security ratings company. We take a big data analytics approach to measuring the outcomes that have happened to hundreds of thousands of companies around the world so we can understand their security and risk performance.
Our customers use that information to understand third parties that are important to their business. These are vendors and their supply chain. These are companies that they may own or invest in. They are potentially companies they might want to underwrite from a cyber insurance standpoint. They could even be organizations that might think of acquiring them.
Sramana Mitra: How does it work? When you say rating, talk a bit about architecture and technology in the context that you are working in.
Tom Turner: The problem that the co-founders were trying to solve is a problem that exists in many forms of third party assurance. There’s an information asymmetry that exists between my company and other organizations that I might want to do business with. There are things I’d like to know about them in order to make me feel that they’re a good business partner and are low risk and that they bring potentially high advantage to my business.
The way that that is currently done in all forms of assurance is a very qualitative way which is to engage in conversations, to send questionnaires and ask for audits in order to understand how our supplier might perform. The challenge in that is you want to be able to complement that qualitative form with a form of assurance that can get you to scale. You need to be able to do that in a continuous fashion so it can’t be periodic in nature because the cyber security landscape is changing very quickly as we see from the headlines.
Third and just as important, because cyber security is truly a business topic, you need to bring a level of objectivity and measurement to complement all the other forms of assurance that are qualitative in nature. What that means from our architecture is, we build a SaaS platform and deliver that to our customers that collects information at an internet scale daily.
The information that we look at is publicly accessible on all companies. This means that we can measure companies in a uniform fashion, no matter where they are in the globe and no matter what industry they are in. We will then be able to have a continuous view of those performance characteristics that are important for understanding how is the security and risk posture of that organization and how does the measurement of that complement or move away from the qualitative assurances that that company might give me in the form of day-to-day business.