Sramana Mitra: Interesting. What level of penetration do you have? How many companies are you rating in this mode?
Tom Turner: We rate around 120,000 enterprises around the globe. Those ratings are consumed by about 1,200 global customers that use BitSight in one of our use cases around third-party risks. That’s looking at vendors in their supply chain, applicants to cyber-insurance and also being able to look at their own rating performance in the context of competition or key benchmarks that they use.
Sramana Mitra: Who are your primary customers? Who’s paying you and for what?
Tom Turner: The majority of our customers are in the Fortune 10,000. 20% of the Fortune 500 use BitSight in their third-party risk and benchmarking practices. The majority of what drives our business and the lion’s share of our revenue comes from customers who are using BitSight as part of their third-party assurance for vendors in their supply chain. This is sometimes better known as vendor risk management.
These are a lot of the more highly regulated industries such as banking and insurance. Now we’re seeing retail and energy and utility markets put more precedence around understanding continuous performance of vendors in their supply chain. These are organizations that may monitor 100 or 5,000 key suppliers. What BitSight allows them to do is to do that in an objective fashion.
Sramana Mitra: You are evaluating people’s extranet.
Tom Turner: We look at outcomes that are really important. You want to be able to supplement the outcomes that we measure with any other qualitative or in-depth information from inside the company behind the firewall.
Sramana Mitra: What are the big trends in the ratings space?
Tom Turner: First of all, the cyber security rating space didn’t exist until BitSight came to the market. Now there is a category of companies like BitSight. There are other providers in the market today. The big trend that has helped to make BitSight successful and the need for cyber security rating services relevant is the all-time high awareness on multiple levels.
Sramana Mitra: Yes, and all-time high and growing risk.
Tom Turner: Exactly. This is my 20th year in cyber security. There’s a very different level of conversation in organizations both in terms of tenor and with whom you have this conversation today versus 20 years ago. What is compounding the overall focus on cyber security as a business risk is the fact that companies are doing a good job securing themselves.
Now, they realize that the biggest risk is actually more outside of their control and exists in this exploding supply chain. You mentioned the all-time high risk. Think of the adoption of cloud services and the way that the surface area increases with the number of companies with whom you integrate. That’s a really important trend. The need to be able to communicate and discuss cyber security at a business level with an audience that while they may be technical, they’re not cyber security experts.
Often, they aren’t technical but these are the Boards of Directors whose ultimate responsibility is to manage risk for a company. That’s a really important drive when you think about giving them something consumable that they can use not just in a single board meeting but across all companies that they preside over. There’s a lot of appeal and need for senior executive discussion around security performance over time.