BitSight Follows FICO Model as Cybersecurity Ratings Industry Grows
June 6, 2016
As cyber threats grow more complex and damaging, an independent rating that assesses the strength of a company’s defenses could become a new kind of currency in the business world—akin to a consumer credit score that can make or break one’s financial future.
That’s the vision of Stephen Boyer and his five-year-old company, BitSight Technologies, which created software that culls publicly accessible data to produce a FICO-like cybersecurity rating for some 47,500 companies and organizations, at latest count.
An organization can use the numerical score—which ranges from 250 to 900—to vet potential acquisition targets; monitor the risk of a breach of data shared with vendors and partners; shape the terms of cybersecurity insurance policies; help with internal evaluations of security policies; and more. Investors have poured about $49 million into BitSight, and it also won a $1 million National Science Foundation grant early on, says Boyer, the startup’s co-founder and CTO.
Those bets are starting to pay off. BitSight’s sales last year were five times as high as in 2014, and the Cambridge, MA-based company now counts more than 350 customers in sectors like finance, law, healthcare, and oil and gas, Boyer says. The 180-person company’s clients include insurance giant AIG, grocery chain Safeway, the University of San Francisco, and, interestingly, credit score firm TransUnion.
“There’s been high demand for this type of service,” says Boyer, a former MIT Lincoln Laboratory cybersecurity researcher. This is his second cybersecurity startup—he and his BitSight co-founder, Nagarjuna Venna, previously founded and quickly sold Saperix, a risk analysis firm, about five years ago.
It’s still early days for BitSight and other security ratings companies, which include SecurityScorecard and RiskRecon. But as the sector matures and more organizations use third-party security ratings to make crucial business decisions, scrutiny of the emerging industry will likely grow.
BitSight is already trying to get out ahead of any possible government regulations, Boyer says. “We’re setting ourselves up for that kind of scrutiny,” he says. “I’m down in DC quite a bit on the Hill.”
Those meetings are primarily for briefing regulators about how BitSight gathers and shares security data, he says.
The company has also made efforts to increase transparency and be more accountable to customers, Boyer says. Any companies rated by BitSight, whether they’re customers or not, can request a formal review of their security report. If they aren’t satisfied with the findings, they can appeal it.