BitSight Says Cyber Risk Ratings Are a Good Measure of Internal Risk – Is It Right?
Cyber risk rating companies generally work by identifying all internet domain names and addresses associated with an organization and querying those for potential vulnerabilities such as weak SSL protocols. Until now, organizations have been given a single risk rating that reflects all findings across all internet properties.
Enterprise analytics allows organizations to delineate findings by domain names or geolocation of IP addresses, and then assign those findings to specific parts of their enterprise.
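The delineation step described above, as an added example that is not BitSight's or Info-Tech's code: externally observed findings are attributed to internal business units, first by longest domain-suffix match and then by IP allocation, and a weighted tally is produced per unit. The ownership map, severity weights, and the findings themselves are constructed for illustration; IP address blocks are used here as a stand-in for the geolocation data a rating vendor would use, which is an assumption of this example.

```python
"""Added example (not a rating vendor's code): attribute external findings
to internal business units by domain suffix and IP allocation, then tally
weighted severity per unit. All data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed ownership map. In practice this comes from the asset inventory.
DOMAIN_OWNERS = {
    "shop.example.com": "Retail",
    "example.com": "Corporate IT",
    "example-labs.net": "R&D",
}
NETWORK_OWNERS = {
    ipaddress.ip_network("203.0.113.0/25"): "Retail",
    ipaddress.ip_network("203.0.113.128/25"): "Corporate IT",
    ipaddress.ip_network("198.51.100.0/24"): "R&D",
}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}  # constructed weights

# Constructed findings resembling what an external rating scan reports.
FINDINGS = [
    {"host": "www.shop.example.com", "ip": "203.0.113.10",
     "issue": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "vpn.example.com", "ip": "203.0.113.200",
     "issue": "expired certificate", "severity": "high"},
    {"host": "build.example-labs.net", "ip": "198.51.100.7",
     "issue": "open RDP port", "severity": "high"},
    # No domain match, but the IP falls in a known block.
    {"host": "cdn-edge.example.org", "ip": "203.0.113.20",
     "issue": "weak cipher suite", "severity": "low"},
    # Matches nothing: the gap itself should surface in the report.
    {"host": "orphan.test", "ip": "192.0.2.5",
     "issue": "self-signed certificate", "severity": "low"},
]


def owner_by_domain(host):
    """Longest-suffix match so 'shop.example.com' wins over 'example.com'."""
    best = None
    for suffix, unit in DOMAIN_OWNERS.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, unit)
    return best[1] if best else None


def owner_by_ip(ip):
    """Return the unit owning the address block that contains ip, if any."""
    addr = ipaddress.ip_address(ip)
    for net, unit in NETWORK_OWNERS.items():
        if addr in net:
            return unit
    return None


def attribute(finding):
    """Prefer domain ownership, fall back to IP allocation, otherwise mark
    the finding Unattributed rather than silently dropping it."""
    return (owner_by_domain(finding["host"])
            or owner_by_ip(finding["ip"])
            or "Unattributed")


def summarize(findings):
    """Return {unit: {'count': n, 'score': weighted sum, 'issues': [...]}}."""
    summary = defaultdict(lambda: {"count": 0, "score": 0, "issues": []})
    for f in findings:
        entry = summary[attribute(f)]
        entry["count"] += 1
        entry["score"] += SEVERITY_WEIGHT[f["severity"]]
        entry["issues"].append(f"{f['host']}: {f['issue']}")
    return dict(summary)


if __name__ == "__main__":
    ranked = sorted(summarize(FINDINGS).items(), key=lambda kv: -kv[1]["score"])
    for unit, data in ranked:
        print(f"{unit:<14} findings={data['count']} score={data['score']}")
        for issue in data["issues"]:
            print("   ", issue)
```

The "Unattributed" bucket is deliberate: assets that match neither the domain inventory nor any known address block are exactly the ones an internal vulnerability programme is least likely to be scanning, so they deserve to stand out in the per-unit view rather than be folded into a single enterprise-wide score.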
“BitSight Enterprise Analytics provides confidence to executives through data. It helps our customers gain insight into risk concentration and changes in potential risk impact throughout their organization over time to help them continuously monitor cybersecurity posture, measure security program performance and allocate limited resources to focus on the areas that will have the greatest impact on their cyber risk management programs,” claims Dave Fachetti, SVP Corporate Strategy & CMO of BitSight.
Our Take
At Info-Tech Research Group, we encourage companies to review their cyber risk ratings in order to fix any problems that may reflect poorly on them. However, the value of risk ratings for deep insight into internal information security is questionable. This is especially true at the enterprise level, where most large organizations should already have mature vulnerability assessment and other audit processes that can probe much deeper than the current state of cyber risk ratings.