This is by far the best interview I’ve conducted thus far. This week I was lucky enough to interview Stephen Boyer, the Cofounder and CTO of BitSight Technologies, who gave me incredibly detailed answers to my questions about his company and the industry. BitSight is a fascinating company that quantifies companies’ security risks. My guest last week, Ted Schlein, has said repeatedly that threat quantification is a significant need. Boards are now asking the CEOs the question “how secure are we?” and the CEO needs a way to communicate that in an understandable way. BitSight raised a $24mm Series A from Menlo Ventures, Flybridge Capital Partners, and others in 2011. Boyer previously founded Saperix, which was sold to FireMon in 2011. Take a look at the awesome interview below, and thanks for reading!
BitSight rates companies on their level of security across different vectors. How do you assure potential customers that these ratings are credible?
BitSight customers put our ratings to the test every day. Our consistent execution with respect to quality and dependability has earned the trust of some of the world’s largest, most prestigious, and demanding organizations.
In addition to the demands and scrutiny of each of our customers, we have undergone a process review and ratings attestation by one of the world’s top-ranked audit firms, which needed to perform the audit before it could recommend and include our service as part of an offering to its clients.
I see cyber security as a black swan business: even if a company is 99% secure, that small vulnerability could be exploited and take down the whole business. Do you think it’s dangerous to assign a number or a grade to a company’s security status? Could this lead to overconfidence amongst boards of directors and CEOs?
I agree that an attacker only needs to exploit a single vulnerability to penetrate and potentially damage an organization. BitSight does not claim to see all security outcomes, and a high rating does not guarantee perfect security outcomes (i.e. no control failures or breaches). That would be reckless and no approach could even begin to make that claim. In fact, we aren’t “protecting” systems but rather measuring outcomes. We are in the risk management business. There are no perfectly secure systems. There will always be some chance of a failure; however, the data have proven and continue to prove that high performing organizations take deliberate actions and execute better from a protection, detection, and response perspective than lower performing organizations. Different organizations doing different things are getting different results. These outcomes are measurable by BitSight and factor into the ratings.
Just like with credit scores, there is a spectrum or spread of performance that can be used to model, price and better manage risks. A high credit score is not a guarantee that you will not default on your debt, but rather the result of a model that is comprised of a historical track record compared against others that demonstrates that default is less likely. Our research has continued to support this analogy in security ratings. Here is one of our latest pieces of research that provides backing for these assertions. We see that high performing organizations work to protect against failures but have realized that they can’t prevent all failures. Given the organizational acceptance that eventually some control will fail, high performing organizations have also invested in capabilities to respond and recover quickly before catastrophic failure.
It is important to remember that BitSight provides key metrics for performance, but its ratings and service do not constitute a complete risk management program. CEOs and Boards need data to drive better risk management practices. The absence of data has created an environment of what we refer to as “optimism bias.” Many executives have been overconfident in their security performance, in many cases because they lacked the data to tell them otherwise. We are advancing the state of risk management by providing risk managers and executives accessible metrics that drive better data-driven questions and conversations about managing security risk that were never before possible.
You have a treasure trove of information on how secure companies are across different potential attack vectors. In which areas are companies least secure and in which areas are they most secure?
We have published and have been cited on this subject at length. In particular, see our BitSight Insight reports.
You raised a $24mm Series A in 2013 from Menlo, Flybridge and a few others. How did you choose your investors, and was it hard to get them to buy into such a large Series A?
In every case we were introduced to investors by a trusted reference. We had all either worked directly with the investor previously or had contacts or associates who had.
Our investors believed in the incredible team that we had assembled and the large and transformative market opportunity that we were creating. We also had extremely supportive and influential customers who could vouch for the value of our service and vision.
You make money from selling company ratings to cyber insurance agencies, performing cyber due diligence for M&A transactions, monitoring 3rd party risk and by allowing companies to benchmark their security against competitors. Which of these lines of business do you see as most compelling both now and in the future?
The three core use cases for BitSight are third party risk management, benchmarking, and cyber insurance. M&A, portfolio management, competitive assessments, and regulatory oversight all fit within those use cases as well. All three use cases are supported by a single ratings platform. Although the ratings have distinct use cases and can stand alone, together they support a much more standards-based systemic risk management approach.
For example, each Board of Directors needs to know how its own organization is performing with respect to its peers and its industry to drive better governance and protect shareholder value. With security ratings, the board now has an industry standard metric by which it can hold management accountable for its security investment decisions and execution.
Additionally, as the Board considers cyber risk transfer strategies, it may consider obtaining cyber insurance coverage. The Board can use security ratings to demonstrate to its insurance carrier that its organization has executed in line with its industry benchmark. On the other side of the risk transfer equation, the insurance carriers and underwriters can use security ratings to understand the level of risk that they are underwriting by examining empirical and historical data and building intelligent underwriting models.
Many recent high-profile breaches have taught us that the insurance carrier isn’t just underwriting the risk of the insured but also the risks in the insured’s supply chain. Given this extended ecosystem risk that flows to the carrier on claim, the insured, as encouraged by its carrier, can use security ratings as a better way to manage its third party risks. Armed with better data and insight, the insured company can have more directed and prioritized data-driven conversations with its vendors to manage and mitigate risks introduced by poorer performing vendors. The Board can now track the performance of the company’s vendor portfolio and we have now come full circle.
The benchmarking service is the easiest for organizations to acquire and implement because most organizations are already accustomed to doing benchmarking activities today.
Fewer organizations have sophisticated third party risk management programs today but this is changing. The regulatory mandate to better scrutinize vendors and continuously monitor the supply chain is prompting organizations across industry sectors to implement better third-party risk management practices.
Cyber insurance is the fastest growing area of all insurance, growing at about 54% a year. The adoption of BitSight’s security ratings by the world’s largest cyber insurance underwriters (e.g. ACE & Liberty) will continue driving the need for benchmarking and third party risk management. Insurance will ultimately shape in large part how firms invest and execute on security because it will impact their premiums and in some cases their ability to operate. The example of Progressive Insurance is illustrative in this context. Progressive has a device that their insureds can install in their vehicles to measure driving habits (read: empirically derived outcomes). From those measurements Progressive can adjust the price of their customers’ policies based on observed behaviors (e.g. how fast you drive). Progressive can write better risk-adjusted policies because they have better data, and the drivers are incented to drive responsibly. BitSight Security Ratings are enabling this type of measurement-based risk management capability for the growing cyber insurance sector and will incentivize businesses to “drive” their cyber security efforts responsibly.
- Illumio encrypts the data around every computing instance of a company and gives companies visibility on the status of each of those instances. The company employs a “whitelist” rather than blacklist methodology to allowing passage through a firewall. The investor list is pretty amazing: Accel, Andreessen, General Catalyst, Formation8.
- Here’s another company with an A-list of investors: Google Ventures, Benchmark, True Ventures, Redpoint Ventures. Duo Security provides cloud-based two-factor authentication to large enterprises like Facebook and Etsy.
- Forbes also wrote up an awesome profile of Tanium, a rights management company.
- State-sponsored cyber espionage probably won’t stop any time soon, but it seems like the U.S. and China are on the same page when it comes to stopping cyber crimes like child pornography and money laundering.
- In a KPMG survey of 133 institutional money managers, 86% of managers wanted boards of the companies they invest in to spend more time considering cyber security and less than half thought that the boards of the companies they invest in have the skills required to manage cyber risk.
- According to HP’s Cyber Risk Report, around half of all known security breaches on the internet were the result of vulnerabilities which are at least two to four years old.