Regardless of whether you're a CISO, Vice President of Security or an individual contributor, it's safe to say you understand the importance of cybersecurity risk management. Information technology has increased the speed, scale, and convenience of all aspects of commerce while increasing the risk of data leaks, data breaches, malware, and other cyber threats.
The financial impact of poor cybersecurity is reflected in the ever-increasing cost of data breaches globally, which grew to $3.92 million in 2019 according to research done by the Ponemon Institute.
The bad news is that the scope of what is considered sensitive information is growing rapidly, as is the number of extraterritorial data protection laws. Extraterritorial means your organization must comply with them if you process any of their citizens' data, regardless of whether you operate in their jurisdiction.
These new laws bring increased reputational and regulatory impact, which is why many organizations are investing in security ratings tools to help them instantly assess security postures and to scale their vendor risk management program. The financial, reputational, and regulatory risks of mismanaging first-, third-, and increasingly fourth-party risk are too large to ignore.
The issue is, as you likely know, cyber risk management is a team sport that requires the translation of technical details like security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms non-technical stakeholders can grok.
We believe security ratings are one of the easiest ways to do this without adding operational overhead to your organization. They provide instantaneous assessments of cyber risk, much like a credit score does for credit risk.
And we're not the only ones that think that. According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.
We wrote this post to solve the main issue many of our prospects face: the increasing number of security ratings providers to pick from, including BitSight, SecurityScorecard, RiskRecon, CyberGRX, and Panorays.
For example, BitSight, SecurityScorecard, and RiskRecon focus primarily on the assessment of business partners, vendors, and service providers. If you want to see how these services stack up against each other, read our other comparison posts listed at the end of this post.
In contrast, UpGuard has a complete continuous monitoring risk management solution that handles behind-the-firewall risk with Core, vendor risk management with Vendor Risk, and data leak detection and cybersecurity performance management with UpGuard BreachSight.
In this post, we'll help you understand what to look for in a security ratings solution, so you can make an informed decision about whether to go with BitSight or UpGuard.
But before we dive into the specifics, it's important to understand what security risk ratings are and why they are important.
Table of contents
- What are security ratings?
- BitSight Technologies overview
- UpGuard overview
- BitSight vs. UpGuard in-depth comparison
- Scoreboard and summary
- Other security ratings platform comparisons
What are security ratings?
Security ratings are a data-driven, objective, and up-to-date measurement of an organization's external security posture. This means the collective security status of all their Internet-facing software, hardware, services, networks, information, vendors, and service providers.
Just as a FICO score aims to provide a quantitative measure of credit risk, security ratings provide a quantitative measure of cyber risk, which can be used and understood by non-technical stakeholders.
The higher the security rating, the better the organization's security posture.
Security ratings are commonly used to assess the cybersecurity of external organizations such as vendors, investment targets and insurance applicants, to assess internal risk, and to improve decision-making and communication around cybersecurity performance management. Common uses include:
- Understanding third-party risk and fourth-party risk (vendor risk) posed by supply chain, third-party vendor, and business partner relationships.
- Cyber insurance underwriting, pricing and risk management by allowing insurers to gain visibility into the security program of those they insure to better assess and price their insurance policies.
- Investment in or acquisition of a company by providing organizations with an independent assessment of an investment or M&A target's information security controls.
- Enabling governments to better understand and manage their own and their vendors' cybersecurity performance, a key component of FISMA compliance.
- Continual assessment of internal cybersecurity posture, providing CISOs with a simple, understandable rating that can be presented to key stakeholders including C-Suite and board members.
- Benchmarking and comparison to industry peers, competitors, sectors, and vendors. This can assist with decision-making and provide context about what security controls or mitigations your organization needs to invest in.
- Providing assurance to customers, insurers, regulators and other stakeholders that your organization cares about preventing security issues like data breaches, malware, phishing, and ransomware.
BitSight Technologies overview
BitSight Technologies is a Cambridge-based company that aims to quantify the external cybersecurity posture of organizations using publicly accessible data. Its FICO-like BitSight security rating is used by underwriters to price cyber insurance, by third-party risk teams to research vendors, and for due diligence in private equity and M&A activity, among other uses.
These security ratings are also used for security performance management and the assessment of third- and fourth-party risk.
BitSight UI. Source: bitsight.com
UpGuard overview
UpGuard was founded in 2012 in Sydney, Australia by technologists from Australia's largest banks. Using their first-hand experience, they built a platform to fill an important need in the nascent DevOps market, reducing the risk of incidents through proactive documentation and configuration management.
With proprietary, patented data visualization and risk analysis algorithms, UpGuard gave Operations and Security teams the ability to discover and understand their risk exposure within the data center and cloud to reduce cybersecurity risk.
We then took this expertise and applied it to the assessment of external security postures, allowing you to instantly assess any organization's external security posture. UpGuard is headquartered in Mountain View, California, with offices in Sydney, Hobart, Auckland, Mexico City, Madrid, Denver, Portland, and Atlanta.
BitSight vs. UpGuard in-depth comparison
Below is how BitSight and UpGuard compare across ten categories: capabilities, usability and learning curve, community support, release rate, pricing and support, API and extensibility, third-party integrations, customers, predictive capabilities, and security rating.
1. Capabilities
Both BitSight and UpGuard provide security ratings that aggregate different risks into a single score, allowing immediate and easy comparison of organizations, vendors, and service providers.
- BitSight: a FICO-like rating between 250-900.
- UpGuard: Provides a score between 0 and 950 along with the following letter grades: A: 801-950, B: 601-800, C: 401-600, D: 201-400, F: 0-200. You can request your free security rating by clicking here.
Security rating calculation methodology
While both services provide a security rating, the underlying methodology differs. BitSight relies on IP reputation: it observes malware and other malicious traffic and attributes it to an organization based on the IP address space believed to belong to that organization, so its accuracy depends on that mapping being right. UpGuard scans for misconfigurations, which means examining an organization's actual Internet footprint. Those misconfigurations are then used to determine the attack vectors and vulnerabilities that can lead to data breaches. Read our guide on why IP attribution isn't a good solution here.
- BitSight: Relies primarily on IP reputation.
- UpGuard: Runs hundreds of individual checks, including email security and email spoofing risk (SPF, DKIM, and DMARC), website security (SSL, HSTS, header exposure), phishing and malware risk, explicit checks for 200 services across thousands of ports (mail, app, user auth, file sharing, voice, administration, database, unidentified, and open ports), domain hijacking risk (DNSSEC and domain registry issues), reputational risk (CEO rating and employee rating), credential management (exposure in known data breaches and in data leaks detected by our data leak detection engine), and the results of intelligent security questionnaires.
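To make concrete what "checks for misconfigurations" means for three of the controls listed above (SPF, DMARC and HSTS), here is an added example of the kind of rules a scanner applies to a domain's public records. This is illustrative code written for this post, not UpGuard's or BitSight's scanning engine, and the severity labels and the 0-100 penalty score are assumptions chosen for illustration, not either vendor's rating model. DNS answers and HTTP headers are passed in as arguments so that it runs offline; the two sample domains at the bottom are constructed.

```python
"""Offline versions of three external-posture checks: SPF, DMARC, HSTS.
DNS TXT answers and HTTP headers are supplied by the caller, so nothing is
looked up on the network. Constructed sample inputs are at the bottom."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str     # control the finding concerns
    severity: str  # "high", "medium", "low" or "info"
    detail: str


# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
SPF_LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
ONE_YEAR = 31536000          # HSTS max-age (seconds) required by the preload list
SEVERITY_PENALTY = {"high": 30, "medium": 15, "low": 5, "info": 0}  # illustrative weights


def _spf_lookups(terms):
    names = (re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms)
    return sum(1 for n in names if n.lower() in SPF_LOOKUP_MECHANISMS)


def _kv(text):
    """Split 'k=v; k2=v2; flag' into a dict; bare flags get an empty value."""
    out = {}
    for part in text.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            out[key.lower()] = value.strip().strip('"')
    return out


def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("spf", "high", "no SPF record: any host may send mail as this domain")]
    if len(spf) > 1:
        return [Finding("spf", "high", "multiple SPF records: receivers treat this as permerror")]
    terms = spf[0].split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append(Finding("spf", "medium", "no 'all' mechanism: unlisted senders are neutral"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("spf", "high", "'+all' authorises every sender on the Internet"))
        elif qualifier == "?":
            findings.append(Finding("spf", "medium", "'?all' is neutral: spoofed mail is not rejected"))
        elif qualifier == "~":
            findings.append(Finding("spf", "low", "'~all' soft fail: enforcement depends on DMARC"))
    if _spf_lookups(terms) > 10:
        findings.append(Finding("spf", "high", "more than 10 DNS lookups: evaluates to permerror"))
    return findings


def check_dmarc(dmarc_txt_records):
    recs = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [Finding("dmarc", "high", "no DMARC record: SPF/DKIM failures go unenforced")]
    tags = _kv(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(Finding("dmarc", "high", "missing or invalid p= tag"))
    elif policy == "none":
        findings.append(Finding("dmarc", "medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("dmarc", "low", "p=quarantine: consider p=reject"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("dmarc", "low", f"pct={pct}: policy applied to only part of the mail"))
    if "rua" not in tags:
        findings.append(Finding("dmarc", "info", "no rua= address: no aggregate reports received"))
    return findings


def check_hsts(headers):
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return [Finding("hsts", "medium", "no Strict-Transport-Security header: first visit is downgradable")]
    directives = _kv(value)
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append(Finding("hsts", "high", "header present but max-age missing or invalid"))
    elif int(max_age) == 0:
        findings.append(Finding("hsts", "high", "max-age=0 disables HSTS for this host"))
    elif int(max_age) < ONE_YEAR:
        findings.append(Finding("hsts", "low", f"max-age={max_age} is under one year"))
    if "includesubdomains" not in directives:
        findings.append(Finding("hsts", "info", "includeSubDomains absent: subdomains unprotected"))
    return findings


def assess(domain_txt, dmarc_txt, headers):
    return check_spf(domain_txt) + check_dmarc(dmarc_txt) + check_hsts(headers)


def score(findings):
    """Illustrative 0-100 penalty score, not either vendor's scoring model."""
    return max(0, 100 - sum(SEVERITY_PENALTY[f.severity] for f in findings))


# Constructed samples: a weakly configured domain and a hardened one
WEAK = (["v=spf1 include:_spf.example.net +all", "google-site-verification=abc123"],
        [], {"Content-Type": "text/html"})
HARDENED = (["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
            ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
            {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for name, inputs in (("weak", WEAK), ("hardened", HARDENED)):
        found = assess(*inputs)
        print(f"{name}: score {score(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

A real scanner would resolve the TXT records for the domain and for `_dmarc.<domain>` with a DNS library and fetch the header over HTTPS before calling these functions; the rules themselves are the same. Note that every one of these findings is a misconfiguration visible from the outside with no knowledge of the organization's IP space, which is the difference from IP-reputation scoring that the methodology section above describes.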
Coverage
Not every solution provides the same level of coverage. If your organization uses small specialist vendors, they may not be covered by a given solution. Any vendor that handles sensitive data is a potential risk that should be continuously monitored and accounted for.
- BitSight: 170,000 supported organizations
- UpGuard: 2,000,000 organizations scanned daily
2. Usability and learning curve
User experience, design, and functionality play a large role for many people when deciding what solution to go with. The easier it is to get up to speed, the faster you can get your money's worth. Both BitSight and UpGuard offer their services via SaaS with minimal installation or configuration needed, and are easily accessible from a web-based dashboard that can help you find, assess, and remediate risk.
- BitSight: Provides high-level summation of vendor risk allowing easy comparison of vendors.
- UpGuard: High-level summation of risk with the ability to drill down into precise technical details. Each risk is prioritized based on extensive research conducted by our in-house security team, and where possible remediation and protection suggestions are provided. Additionally, we have a library of pre-built questionnaires that can be sent and managed with the UpGuard platform including a pandemic (e.g. coronavirus), ISO 27001, PCI DSS, NIST Cybersecurity Framework, CCPA, and Modern Slavery questionnaires. Read our full guide on the top security questionnaires here.
| Category | BitSight | UpGuard |
|---|---|---|
| Usability and learning curve | 4/5 | 5/5 |
3. Community support
The easier it is to access information about a company, the quicker customers and prospects can get up to speed, reduce their operational overhead, and decide which product to purchase. Additionally, both BitSight's and UpGuard's blogs are useful sources of information for cybersecurity awareness training. How much each company invests in its community speaks volumes about its mission and focus.
- BitSight: Company and product blog.
- UpGuard: The UpGuard cybersecurity and risk management blog is updated four times a week and our breach research blog has uncovered and secured some of the largest data breaches.
4. Release rate
Technology is always changing. New vulnerabilities are added to CVE on a daily basis, and attackers are constantly finding new zero-day exploits. The speed at which a security ratings vendor can incorporate changes determines how well they can respond to new threats and customer requests. Additionally, they should continue to update, adjust, and improve their security ratings methodology to reflect changes to the threat landscape.
UpGuard has always adopted DevOps principles internally to develop, test, and release software, ensuring fast and consistent releases that have been tested for quality.
5. Pricing and support
Security ratings providers can be expensive, with opaque pricing policies designed to put the power in the hands of the vendor. Their vendor risk solutions are typically priced per vendor, per year, except in some cases where one-off reports can be generated for a set price. BitSight is more expensive than UpGuard and may price out some small to medium-size businesses, while leaving even larger companies to monitor only their most at-risk vendors. That said, both provide professional services to assist with setup, training, and maintenance.
- BitSight: Public pricing information is not available. Pricing is reported to start at $20,000 plus $2,000-$2,500 per vendor per year.
- UpGuard: UpGuard has a transparent pricing model for UpGuard Vendor Risk and UpGuard BreachSight, which you can view here. Vendor Risk pricing starts at $179 for a one-time report on a vendor or $29 per month per vendor billed annually. UpGuard BreachSight pricing starts at $299 per month billed annually. If you have any questions, please let us know via email@example.com.
| Category | BitSight | UpGuard |
|---|---|---|
| Pricing and support | 1/5 | 5/5 |
6. API and extensibility
While both BitSight and UpGuard offer security ratings inside their platforms, you may also want to access the scores outside of their platform and consolidate them into another product or service. Both solutions offer standard APIs to pull data into other enterprise applications.
| Category | BitSight | UpGuard |
|---|---|---|
| API and extensibility | 4/5 | 4/5 |
7. Third-party integrations
APIs are useful for technical staff, but not all vendor risk management teams have access to developers. This is why standard third-party integrations are an important part of decision-making.
- BitSight: Offers integrations with RSA Archer GRC, CyberGRX, OneTrust Vendorpedia, ProcessUnity, MetricStream, and more.
- UpGuard: Integrates with GRC platforms, ticketing systems like ServiceNow, and more.
8. Customers
The best proof comes from each solution's customers. BitSight and UpGuard both have impressive customer lists, neither more distinguished than the other.
- BitSight: Customers include The University of North Florida, Snam, EPAM, and PROSA.
- UpGuard: Customers include NASA, the New York Stock Exchange (ICE), Morningstar, Akamai, Bill.com, IAG, and ADP. Read our customer case studies here and our Gartner reviews here.
9. Predictive capabilities
At the end of the day, the entire point of using security ratings tools is to stop security incidents from happening in the first place, so a solution's ability to help prevent data breaches and other cyber attacks is the main consideration. What differentiates BitSight and UpGuard is how well their methodology identifies actual attack vectors, and how well they detect data breaches and data leaks before the data ends up for sale on the dark web.
- BitSight: The IP reputation methodology helps catch active malware installations, but that’s only one possible way a data breach can occur.
- UpGuard: Because UpGuard checks for misconfigurations across your Internet footprint, many important breach vectors are covered, including phishing, ransomware susceptibility (for example, WannaCry), man-in-the-middle attacks, missing DNSSEC, known vulnerabilities, email spoofing, domain hijacking, and DNS issues. For example, we detected data exposed in a GitHub repository by an AWS engineer within 30 minutes. We reported it to AWS and the repo was secured the same day. The repo contained personal identity documents and system credentials, including passwords, AWS key pairs, and private keys. We can do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public GitHub repos, and unsecured rsync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using expertise and techniques gleaned from years of breach research. The UpGuard methodology is continuously refined based on the actual data breaches we have discovered and reported in the New York Times, Bloomberg, the Washington Post, Forbes, and TechCrunch.
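The GitHub exposure described above is representative of what a data leak detection engine has to triage: a file from a public location that may contain credentials, plus the customer-supplied keywords (company names, internal hostnames, partner names) that tie it to a particular organization. The following is an added example of that triage step, written for this post and not UpGuard's engine. The detection patterns are generic ones a practitioner would recognise (the `AKIA` access key ID prefix, a 40-character secret next to `aws_secret_access_key`, a PEM private key header, a password assignment) and the sample file is constructed; the access key and secret in it are the placeholder values AWS uses in its own documentation, not live credentials. Evidence is redacted before it is stored, because a leak detector that copies whole secrets into its own database becomes a second leak.

```python
"""Scan text pulled from a public location (repository file, open bucket
listing, FTP directory) for exposed credentials and for customer keywords.
Patterns are generic and illustrative; the sample file is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    line: int
    kind: str
    evidence: str  # redacted where the match is itself a secret


# kind -> (regex, whether group 1 is a secret that must be redacted)
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), True),
    "aws_secret_access_key": (
        re.compile(r"(?i)aws_secret_access_key\W*[:=]\W*([A-Za-z0-9/+]{40})\b"), True),
    "password_assignment": (
        re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]{8,})"), True),
    "private_key": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), False),
}


def redact(secret: str) -> str:
    """Keep just enough of a secret to let an analyst confirm the match."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str, keywords=()) -> list:
    """Return one Hit per (line, pattern) match and per (line, keyword) match."""
    keyword_res = [(k, re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE)) for k in keywords]
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, is_secret) in PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            value = m.group(1) if is_secret else m.group(0)
            hits.append(Hit(n, kind, redact(value) if is_secret else value))
        for k, r in keyword_res:
            if r.search(line):
                hits.append(Hit(n, "keyword:" + k, k))
    return hits


def summarize(hits) -> dict:
    """Any credential pattern makes the exposure critical; keyword-only hits
    still need a human to decide whether the file belongs to the customer."""
    secrets = sum(1 for h in hits if not h.kind.startswith("keyword:"))
    keyword_matches = len(hits) - secrets
    priority = "critical" if secrets else ("review" if keyword_matches else "none")
    return {"secrets": secrets, "keyword_matches": keyword_matches, "priority": priority}


# Constructed sample: a config file committed to a public repository.
# The AWS key ID and secret are AWS's documentation placeholders, not real keys.
SAMPLE_FILE = """\
# deploy/config.ini
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[db]
host = db.internal.acme-corp.example
password = "Sup3rS3cretPassw0rd!"
[notes]
Shared with contoso partner portal team
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""
CUSTOMER_KEYWORDS = ("acme-corp", "contoso")  # hypothetical customer watch list

if __name__ == "__main__":
    found = scan_text(SAMPLE_FILE, CUSTOMER_KEYWORDS)
    for h in found:
        print(f"line {h.line:>2}  {h.kind:<22} {h.evidence}")
    print(summarize(found))
```

Two design points carry over to any real deployment: keyword matches alone only raise a file for review, since a partner's name in a public README is not a breach, whereas a credential pattern is escalated regardless of keywords; and the hits record the line and a redacted fragment, never the full secret. A production engine would add more patterns (cloud provider tokens, database connection strings) and an entropy check for unlabelled secrets, but the triage logic is the same.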
10. Security rating
Finally, let's take a look at how BitSight and UpGuard compare when assessed by UpGuard's platform on March 23, 2020. Although both platforms have a good security rating, UpGuard leads by 213 points.
- BitSight: 706/950 or B letter grade
- UpGuard: 919/950 or A letter grade
Scoreboard and summary
| Category | BitSight | UpGuard |
|---|---|---|
| Usability and learning curve | 4/5 | 5/5 |
| Pricing and support | 1/5 | 5/5 |
| API and extensibility | 4/5 | 4/5 |
Deciding between BitSight and UpGuard is a hard decision. What you choose will depend on the objectives of your organization, your risk appetite, and ultimately your budget.
We recommend asking for a free trial of each platform that you want to assess, so you can use each platform before deciding. You can book a free tailored 7-day trial on UpGuard's platform here.
While IP reputation can sometimes detect malware signals attributed to the IP address space owned by a company, UpGuard's cyber resilience strategy looks at each company's Internet footprint and examines the vectors by which data exposure and service outages occur, including misconfigurations, a leading cause of successful attacks and one that IP reputation tactics do not detect.
Additionally, our vendor questionnaire library can help you go beyond security ratings and to the assessment of internal security controls that aren't as easily determined. UpGuard is also the only company to offer an internal cyber risk management solution, Core, allowing organizations to completely manage primary risk as well.
UpGuard's easy-to-use platform is a complete security ratings platform that gives you insight into your own and your vendors' security posture, and into how your organization's security posture is perceived from the outside. This gives you and your business partners a clear understanding of how and where to improve your cybersecurity and information security to prevent cyber attacks and reduce cybersecurity threats.
Try UpGuard for free for 7 days by clicking here. Before your 7-day trial begins, we'll provide you and your team with a free, personalized 45-minute onboarding call with one of our cybersecurity experts. They’ll help you get the most out of the UpGuard platform by showing you how to:
- Continuously monitor your third-party vendors
- Detect and remediate any leaked credentials and data exposures
- Instantly assess your external security posture
Other security ratings platform comparisons
If you'd like to compare other security ratings software, see our other comparison posts:
- BitSight vs. SecurityScorecard
- SecurityScorecard vs. RiskRecon
- BitSight vs. RiskRecon
- RiskRecon vs. UpGuard
- CyberGRX vs. UpGuard
- BitSight vs. CyberGRX
- SecurityScorecard vs. CyberGRX
- CyberGRX vs. RiskRecon
- Whistic vs. UpGuard
- BitSight vs. Whistic
- SecurityScorecard vs. Whistic
- CyberGRX vs. Whistic
- RiskRecon vs. Whistic
- BitSight vs. Prevalent
- SecurityScorecard vs. Prevalent
- Prevalent vs. RiskRecon
- Prevalent vs. CyberGRX
- Prevalent vs. Whistic
- Prevalent vs. UpGuard
- NormShield vs. SecurityScorecard
- RiskIQ vs. UpGuard
- RiskIQ vs. BitSight
- RiskIQ vs. SecurityScorecard
- NormShield vs. UpGuard
- NormShield vs. BitSight
- NormShield vs. RiskRecon
- SecurityScorecard vs. UpGuard
- Prevalent vs. NormShield