NormShield and BitSight provide security ratings services (SRS). Security ratings services focus on the analysis of publicly accessible, external data sources to perform vendor assessment, security benchmarking, and risk analysis.
Although each player has a different approach to analyze and evaluate a company's security posture, each provider uses similar resources and techniques to collect data. Common data sources include the internet, hacker sites, social media, internet-wide scanners, reputation services, dark web, and sinkholes.
These services are becoming increasingly popular, largely due to the increasing cost of data breaches, which is now nearly $4 million.
Cybersecurity vendor risk management (VRM) is a top priority for CISOs, Vice Presidents of Security, and other members of senior management, frequently at the Board level. In addition to financial costs, regulatory and reputational costs are increasing too.
Governments have enacted laws and regulations designed to promote or even require the establishment of third-party cyber risk management programs to identify, assess, and mitigate risks created by vendors, fourth-parties, and customers.
For example, in the United States, California has introduced CCPA, and Florida has introduced FIPA to protect the personally identifiable information of its constituents. Outside of the United States, GDPR, LGPD, and PIPEDA are three relevant extraterritorial laws from the European Union, Brazil, and Canada, respectively. Alongside the protection of PII and PHI, many of these laws have introduced mandatory data breach notification requirements, which have significantly increased the reputational impact of inadequate vendor and cybersecurity risk management practices.
Adding to this, security teams have more to do than ever before. The job now encompasses much more than improving security postures and writing information security policies. Today, one of the most sought after skills is the ability to translate technical details from cybersecurity risk assessments and vendor questionnaires into terms that non-technical stakeholders can understand.
The good news is that that's what third-party risk management tools can help you do. The issue is that not all security ratings services are equal in terms of usability, analytics, compliance, technical depth, and threat intelligence capabilities.
Use this post to make an informed decision when comparing NormShield, BitSight, and UpGuard, so you can decide which tool is right for you.
NormShield is a cyber risk rating platform that leverages open-source threat intelligence and non-intrusive cyber reconnaissance to provide information about your vendor risk at scale.
It collects a wide range of information without touching the target customer. It leverages advances in data science and machine learning to provide higher frequency and precise real-time risk assessments.
Like other security ratings providers, its data collection provides continuous risk monitoring of third-parties.
BitSight Technologies is a Cambridge-based company that aims to quantify the external cybersecurity posture of organizations using publicly accessible data. Its FICO-like BitSight security rating is used by underwriters at insurance companies for pricing cyber insurance, 3rd party research for third-party risk teams, and due diligence research for private equity and M&A activities, and more.
Additionally, security ratings can be used for security performance management and the assessment of third and fourth-party risk.