Whether you're a CISO or Vice President, you understand that information technology has changed the way people do business. For better, it has brought speed, scale, and functionality to all aspects of commerce and communication. For worse, it has brought the risks of data exposure, data breaches, and outages. The damage that can be done to a business through its technology is known as cybersecurity risk (or cyber risk), and with the increasing consequences of such incidents, managing cyber risk, especially through third-party risk management and vendor risk management, is fast becoming a critical function in any organization. The specialized nature of cyber risk requires the translation of technical details into business terms. Security ratings and cyber risk assessments serve this purpose, much like a credit score does for assessing the risk of a loan. But the methodologies employed by solutions in this space vary greatly, as do their results.
BitSight and SecurityScorecard focus on external cyber risk management.
UpGuard handles internal risk with our behind-the-firewall Core product, and external risks with the cloud-hosted VendorRisk for third-party risk management and BreachSight.
In this comparison, we’ll look at what matters in a solution and see how BitSight, SecurityScorecard and UpGuard stack up for managing internet-facing primary risk and third-party vendors.
BitSight Technologies
Cambridge-based BitSight offers a platform for quantifying the external cybersecurity posture of organizations using publicly accessible data. The resulting FICO-like BitSight security ratings can then be used in various use cases: shaping/pricing cyber risk insurance policies, due diligence research for private equity and M&A activities, and more.

Additionally, the BitSight Discover solution identifies and monitors third/fourth parties to highlight security risks and single points of failure in an organization’s supply chain.
SecurityScorecard
Like BitSight, NYC-based SecurityScorecard uses data gleaned from traffic to/from an organization as well as other publicly accessible data to build security ratings for evaluating vendors and partners and pricing cyber risk insurance policies, among other use cases. The platform also monitors so-called "hacker chatter", social networks, and public data breach feeds for indicators of compromise. Additionally, the company offers its ThreatMarket database on a standalone basis and its Malware Grader tool for free.
