Whether you're a CISO, Vice President or individual contributor, you understand that information technology has changed how we do business, for better and for worse.
Technology has brought speed, scale, and better customer experience to all aspects of commerce and communication, but it has also increased cybersecurity risk, particularly data breaches, cyber attacks, and other cyber threats.
The consequences of poor risk management, particularly third-party risk management and vendor risk management, are increasing in cost, reputation, and regulatory impact. According to research done by the Ponemon Institute, the average cost of a data breach globally has grown by 12 percent in the last five years to $3.92 million.
Beyond financial costs, the reputational and regulatory impact is growing due to increasingly stringent general data protection and breach notification laws around the world. Examples include GDPR, PIPEDA, FIPA, the SHIELD Act, CCPA, and LGPD.
Many of these new regulations are extraterritorial, meaning they apply to any organization who processes the personally identifiable information (PII) or other sensitive data of any individual protected by the law, regardless of whether your organization operates in their jurisdiction.
What this all means is there is no excuse for mismanagement of your first-party and third-party cyber risk. Increasingly, you will be expected to assess the security performance of vendors who are deeper in your supply chain, i.e. fourth-party risk.
An increasingly popular way to do this is through security ratings (or cybersecurity ratings) providers who offer an instantaneous assessment of cyber risk, much like a credit score does for assessing credit risk.
The issue is that the methodologies employed by these threat intelligence tools vary greatly, as do their results.
For example, BitSight, SecurityScorecard, and RiskRecon largely focus on security assessments of business partners, third-party vendors, and service providers. Read our guide on SecurityScorecard vs BitSight to learn how they stack up.
In contrast, UpGuard has a complete continuous monitoring risk management solution that can handle internal risk with our behind-the-firewall Core product, vendor risk management with our Vendor Risk product, and data leak detection and cybersecurity performance monitoring with our UpGuard BreachSight product.
In this comparison, we'll help you understand what to look for in a solution and see how BitSight, RiskRecon, and UpGuard stack up for managing Internet-facing first and third-party risk.
But before we dive into the specifics, it's important to understand what security risk ratings are.
BitSight Technologies Overview
BitSight Technologies is a Cambridge-based platform for quantifying the external cybersecurity posture of organizations using publicly accessible data. The resulting FICO-like BitSight security rating can then be used by underwriters for pricing cyber insurance, 3rd party research for third-party risk teams, and due diligence research for private equity and M&A activities, and more.
These security ratings can be used for security performance management and the assessment of third and fourth-party risk. BitSight recently announced it raised $60 million in a Series D funding round.
RiskRecon is headquartered in Salt Lake City, UT with a presence in Boston, MA and representatives around the world. RiskRecon makes it easy to gain deep, risk contextualized insight into the cybersecurity risk performance of all third-parties by continuously monitoring across 11 security domains and 41 security criteria.
Like BitSight, it can be used for third-party risk management, enterprise risk management, and mergers & acquisitions.