BitSight vs SecurityScorecard

October 31, 2017

Estimated Time to Read: 9 minutes

When it comes to assessing enterprise cyber risk, leading vendors are taking different approaches to quantifying and evaluating digital risk exposure. BitSight and SecurityScorecard are two companies that focus strictly on external measures of cyber risk; let's see how they stack up in this comparison.

The accurate quantification of cyber risk is a highly complicated, difficult affair for enterprises with significant IT infrastructures and digital supply chains—indeed, many factors both internal and external to the firm in question come into play when painting a holistic picture of its susceptibility to digital failures, whether it be in the form of misconfiguration-induced outages or data breaches.

Download: The Buyer's Guide to Third-Party Risk Management

In terms of the cyber threat landscape, high-profile security incidents are increasing in frequency and severity; security professionals now regard data breaches as inevitable consequences of transacting in today's digitized business landscapes. For this reason, a shift in enterprise focus from cybersecurity protection to cyber risk management is currently underway, and different vendors have emerged to provide solutions that measure varying aspects of digital risk. Two of these companies, BitSight and SecurityScorecard, focus on publicly accessible data sources when performing vendor assessments and security benchmarking.

BitSight

Cambridge-based BitSight offers a platform for quantifying the external cybersecurity posture of organizations using publicly accessible data. The resulting FICO-like cybersecurity ratings can then be used in various use cases: shaping/pricing cyber risk insurance policies, due diligence research for private equity and M&A activities, and more. 

[Image: The BitSight UI. Source: bitsighttech.com.]

Additionally, the BitSight Discover solution identifies and monitors third/fourth parties to highlight security risks and single points of failure in an organization’s supply chain.

SecurityScorecard

Like BitSight, NYC-based SecurityScorecard uses data gleaned from traffic to and from an organization, as well as other publicly accessible data, to build security ratings for use cases such as evaluating vendors and partners and pricing cyber risk insurance policies. The platform also monitors so-called "hacker chatter", social networks, and public data breach feeds for indicators of compromise.

[Image: The SecurityScorecard UI. Source: securityscorecard.com.]

Additionally, the company offers its ThreatMarket database on a standalone basis and its Malware Grader tool for free.

 

Side-by-Side Scoring: BitSight vs. SecurityScorecard

1. Capability Set

BitSight and SecurityScorecard measure cyber risk based on a myriad of external measures and reputational indicators such as infected servers (i.e., public servers spewing malware), documented data breaches, issues with website security, and other publicly available data. This makes them suitable for determining the risk introduced by third-party vendors and partners, but ill-equipped for gauging an enterprise's complete cyber risk posture.

                             BitSight        SecurityScorecard
Capability Set               3 out of 5      3 out of 5

2. Usability / Learning Curve

Both platforms are modern SaaS platforms that are well-designed and trivial to get up to speed with. BitSight uses a 250 to 900 scoring system (a higher number indicating better cybersecurity performance) while SecurityScorecard employs an A to F grading methodology.

                             BitSight        SecurityScorecard
Usability / Learning Curve   5 out of 5      5 out of 5

3. Community Support

Neither BitSight nor SecurityScorecard has much in terms of online community support resources, though in the past BitSight hosted an online customer community called BitSight Connect (now unavailable).

                             BitSight        SecurityScorecard
Community Support            3 out of 5      3 out of 5

4. Release Rate

Both security ratings platforms are relatively new offerings on the market; unfortunately, neither has made its full release history publicly available.

                             BitSight        SecurityScorecard
Release Rate                 3 out of 5      3 out of 5

5. Pricing and Support

Pricing is not publicly available for either product, though in BitSight's case, monitoring a single company has in the past cost $2,500 on an annual subscription.

Support resources and information are noticeably absent from both BitSight's and SecurityScorecard's websites, though the latter offers a secured customer support portal for its users.

                             BitSight        SecurityScorecard
Pricing and Support          3 out of 5      3 out of 5

6. API and Extensibility

SecurityScorecard's ThreatMarket offers a RESTful API for interacting with its services remotely or via integrations. Similarly, BitSight also offers an API for integrating its cybersecurity ratings platform into custom environments.

                             BitSight        SecurityScorecard
API and Extensibility        4 out of 5      4 out of 5

7. 3rd Party Integrations

BitSight offers limited integrations with select partners such as GRC solutions provider Rsam and information services provider Markit, among others. Similarly, SecurityScorecard also offers integrations with GRC platforms such as Archer.

                             BitSight        SecurityScorecard
3rd Party Integrations       3 out of 5      3 out of 5

8. Companies that Use It

Some of SecurityScorecard's customers include Netflix, McDonald's, Allstate, Symantec, Pepsi, and KPMG, to name a few. Not to be outdone, BitSight also boasts some impressive names on its customer list, including Lowe's, Target, Ferrari, The Hartford, and T-Mobile, among others.

                             BitSight        SecurityScorecard
Companies that Use It        5 out of 5      5 out of 5

9. Predict Capabilities

Both platforms use similar mechanisms to perform vendor risk assessments and cybersecurity ratings. By capturing and analyzing external data related to a company's IP addresses and public-facing servers, BitSight and SecurityScorecard are able to build enterprise risk profiles and dynamic scores over time; for example, detected malware traffic and public security breaches lower a company's score. Unfortunately, because they focus exclusively on externally sourced data, BitSight and SecurityScorecard fall short in providing a comprehensive assessment of an enterprise's cyber risk posture, leaving out the internal security posture of the enterprise's IT infrastructure.

                             BitSight        SecurityScorecard
Predict Capabilities         3 out of 5      3 out of 5

10. CSTAR

BitSight's 884 CSTAR score falls short due to website perimeter security flaws such as missing HTTP Strict Transport Security and disabled DNSSEC. SecurityScorecard scores a lower 789 CSTAR score for numerous security flaws such as disabled HTTP Strict Transport Security, unsecured cookies, and lack of DMARC/DNSSEC.

                             BitSight        SecurityScorecard
CSTAR                        884             789

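The perimeter findings the CSTAR paragraph above names (missing or weak HSTS, cookies set without Secure/HttpOnly, no DMARC policy) can be reproduced from nothing more than a captured HTTPS response and a DNS TXT lookup. The following is an added illustration, not UpGuard's, BitSight's or SecurityScorecard's code; the one-year HSTS minimum and the treatment of p=none as a finding are this example's own assumptions, and all inputs are constructed.

```python
import re

# Assumption for this example: the commonly recommended one-year minimum.
HSTS_MIN_AGE = 31536000


def check_hsts(headers):
    """Findings for the Strict-Transport-Security header (keys lowercased)."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return ["HSTS header lacks max-age"]
    if int(m.group(1)) < HSTS_MIN_AGE:
        return [f"HSTS max-age {m.group(1)} below {HSTS_MIN_AGE}"]
    return []


def check_cookies(set_cookie_values):
    """Findings for each Set-Cookie value that lacks Secure or HttpOnly."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def check_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    policies = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not policies:
        return ["no DMARC record"]
    m = re.search(r"\bp=(\w+)", policies[0])
    if not m or m.group(1).lower() == "none":
        return ["DMARC policy is p=none (monitor only)"]
    return []


def assess(headers, set_cookies, dmarc_txt):
    """Combine the checks into one list of outside-in findings."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return check_hsts(lowered) + check_cookies(set_cookies) + check_dmarc(dmarc_txt)


# Constructed sample of a weak perimeter: no HSTS, one bare cookie, no DMARC.
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_COOKIES = ["session=abc123; Path=/", "pref=dark; Path=/; Secure; HttpOnly"]
SAMPLE_DMARC = []
```

Running `assess(SAMPLE_HEADERS, SAMPLE_COOKIES, SAMPLE_DMARC)` on the constructed sample yields four findings; the same functions run unchanged over real headers and TXT records collected for a domain you own.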
Read More: What is Vendor Risk Scoring?

Scoreboard and Summary

                             BitSight        SecurityScorecard
Capability Set               3 out of 5      3 out of 5
Usability / Learning Curve   5 out of 5      5 out of 5
Community Support            3 out of 5      3 out of 5
Release Rate                 3 out of 5      3 out of 5
Pricing and Support          3 out of 5      3 out of 5
API and Extensibility        4 out of 5      4 out of 5
3rd Party Integrations       3 out of 5      3 out of 5
Companies that Use It        5 out of 5      5 out of 5
Predict Capabilities         3 out of 5      3 out of 5
CSTAR                        884             789
Total                        3.6 out of 5    3.6 out of 5


Cyber risk is multi-faceted and encompasses a broad spectrum of internal and external data points, from the state of internal IT assets to the security fitness of third-party vendors. BitSight and SecurityScorecard focus on external measures suited to assessing third-party risk and generating, in BitSight's words, "outside-in" security performance ratings. This makes both solutions ideal for use cases involving vendor risk management and industry benchmarking, but not for measuring and quantifying an enterprise's complete cyber risk posture.
