Updated on May 30, 2018 by Kaushik Sen
If you’re involved in IT risk or security, you’ve probably encountered BitSight. It is one of a wave of promised solutions to a growing problem: how to manage the risks posed by your IT vendors in the cloud.
The legacy approach to solving this problem is a combination of spreadsheet-based vendor assessments, sporadic penetration tests and vulnerability scans. If you combine this with subjective measurement and scoring of risk, you are probably taking on a lot more risk than you should.
BitSight promises to translate the technical complexity of cyber security exposure into a single security rating, a score you can take to management and the board. You can also use BitSight's security ratings for various purposes such as pricing cyber risk insurance policies, or due diligence for M&A activities.
This sounds great! A measurable, repeatable approach to managing cyber risk. But before you commit, consider two alternatives that compete with BitSight.
Both SecurityScorecard and UpGuard CyberRisk promise to do what BitSight does, but better, faster and with additional capabilities. Let me take you through some of the key differences.
You can’t automate everything about assessing your vendor security risk.
Both SecurityScorecard and UpGuard CyberRisk provide a way to create, send and monitor security questionnaires. An essential part of your vendor risk management strategy, questionnaires often uncover issues related to the vendor’s policies and procedures that can lead to risk exposure.
BitSight does not help you manage security questionnaires.
All three products promise to ‘score’ your vendors. What does this mean? Based on a set of automated (or semi-automated) checks, all three products calculate a score that assesses each vendor's security posture. Timing is critical here, as you need to find issues and quickly close them.
BitSight takes days to score a new vendor. In a world where cyber risk is evolving quickly, you can’t afford to leave vendors unmonitored.
SecurityScorecard promises an instant score, unless your company is not already in their database, in which case their scan can take days to perform. So, not quite instant all the time.
UpGuard provides accurate, instant scoring for any vendor or website, meaning that you aren’t left waiting to find out how your vendors are putting you at risk.
But hold on, isn’t the whole point of all these tools and features to prevent data breaches? Breaches are the most significant exposure to your business, the black swan events. A breach of customer data can hurt severely. Just ask Equifax, Uber or Yahoo.
UpGuard's BreachSight is the only cyber risk product that actively finds data breaches for you. It is powered by the pioneering work done by our Cyber Risk Research team, and there is no comparable product in the market.
With over 3 million data breaches found, we believe this is an epidemic. Your critical metric should be ‘breaches prevented’, not ‘issues found’.
Look, there are many products out there with various features and differences between them. BitSight, SecurityScorecard and UpGuard CyberRisk are all very capable. But you won’t yet find a silver bullet solution that covers every possible aspect of managing IT vendor risk.
It may be helpful to ask yourself what problem you are really trying to solve. We at UpGuard have a different view from our peers. Data breaches are here to stay. We give you the ability to find and close them before they hurt your business and your customers.
If you’d like to learn how, let us know and we’d love the opportunity to show you.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.