Sramana Mitra: What are you measuring?
Tom Turner: The measurements that we look at fall into four buckets, if you think about it in a somewhat non-technical way. The important thing is these are all outcomes. These are things that are happening; not things that might happen. We collect all of this information globally. The first bucket to think about that’s important for measuring cyber security performance and therefore associated risk is the volume, variety, and frequency of a company’s machines in its environment that have been compromised.
There’s a powerful relationship between the frequency and the duration that an organization might have compromised assets and likelihood of that company subsequently being breached. A first bucket of information is compromised assets. These are computers, servers, mobile devices, laptops that belong to an organization. The second bucket of information is information that reflects the hygiene or the diligence of the organization.
These are things that we can observe from the outside that speak to the culture and performance around security and risk, such as how well patched systems are, whether celebrity vulnerabilities that have made the headlines still persist, and whether the right controls are in place to minimize the opportunity for people to launch spear phishing attacks on an organization. With that hygiene information, combined with the compromised asset information, you now start to build a broader picture of how a company is performing and therefore what that performance might mean to you as an organization considering them as a supplier or an acquisition target.
We then look at what the user population as a whole is able to participate in. If we can see that employees at an organization, in general, can participate in file shares such as downloading illegal movies or pirated software, there’s a very tight relationship between such file share participation and compromise occurring in the company. The last thing we look at is this: just like you and I have a consumer credit report that would reflect bankruptcies if we have them, or when you look at commercial bond raising, we keep a very active catalog of breaches that have occurred.
Sramana Mitra: You said something in the course of this description that all this information is publicly available. Did I hear that right?
Tom Turner: No. It can all be gathered from outside of an organization’s firewall. It doesn’t require the rated organization to give us any information in order to arrive at our rating. It’s publicly accessible. The nuance there is that some of this information is collected in a proprietary fashion to BitSight but everything is accessible from outside of an organization’s computer infrastructure.
Sramana Mitra: Help me out here. When you say publicly accessible, does that mean that the company that you’re rating has to give you permission to access that?
Tom Turner: No, that means the inverse. Because it’s publicly available, we don’t need permission. We don’t need collaboration. That’s a very nice segue to another really important thing that BitSight provides for its customers. We are very well-known for our ratings. We also deliver a collaboration capability where our customers share access to those ratings with the rated companies because there may be important context that the rated organization wants to add.
We have a collaboration platform that allows our customers and their downstream suppliers to collaborate around the findings of BitSight. The more people participate in that, the more value there is to the overall ecosystem.