In this episode, Angela Gelnaw (Senior Product Marketing Manager, BitSight) discusses how security ratings enable organizations to quantify their cyber risk, measure the impact of risk mitigation efforts, benchmark their security performance against industry peers, and report cybersecurity progress and results to Boards of Directors more clearly and effectively.
Alex: Welcome to the BitSight Risk Review. During each episode, we'll be discussing current events and technology in the security and risk space. Thanks for tuning in, and let's get started.
Hi, everyone. Welcome back to the BitSight Risk Review. I'm your host, Alex Campanelli. Today I'm talking to Angela Gelnaw, Senior Product Marketing Manager at BitSight, about how security ratings can help organizations measure and benchmark their security performance. Angela, thanks for joining me.
Angela: Hi, Alex. Thanks for having me.
Alex: So let's get started. Why is it important that organizations' security and risk teams monitor their cybersecurity performance and compare it against that of their industry peers? Why does it matter?
Angela: Well, if you think about all of the other tips and metrics that companies track, revenue goals, operational goals, for a really long time, there hasn't been really a way to track cybersecurity and that's primarily, I think, not because companies haven't wanted to track performance of cybersecurity but there hasn't really been a metric that's allowed them to do that. So I think in order for a company to really understand how they're doing in some respect and how to increase performance or better performance over time, you need some type of metric to track to really do that. And so for cybersecurity, security ratings are one really good way to do that. In order to really get context and to understand how well you are performing and what those realistic kinds of performance goals should be, benchmarking and tracking those different metrics over time is really, I'd say, one of the only ways you can really do that.
Alex: Right. Companies today need tools that provide a quantified and comparative view of continuous cybersecurity performance over time, like you were mentioning. Why are point-in-time security assessments like questionnaires, audits or penetration tests insufficient?
Angela: Yeah, that's a great question. And I think that something that sometimes the market gets a little bit confused on is that, you know, I think that all of those things are still very important. The problem is that they're not good enough in and of themselves anymore. Then the reason for that is just because the market has gotten, from a security perspective, very dynamic and very complex. So having questionnaires and having audits and having pen-tests really are good ways of understanding at least initially, maybe where some risk is, but cybersecurity ratings provide a continuous look at those things, and they're also very objective where these other things are very subjective. So when you have a continuous way to monitor organizations, it helps you understand, maybe, who are those companies that you should be sending questionnaires to or who you should have audited, and then hopefully, your list of companies that you do those things with maybe shrinks.
The other aspect of it is that it gives you kind of that, you know, trust and verify way of looking at it so that you can help talk to companies about what they're doing and why they're doing it. Having that objective metric to come in and say, "Look, we trust you, that's why we work with you. But look, we have this external metric that is saying something else, so why don't we have a conversation about where that gap is." So I think it provides kind of a…it facilitates the conversation about security in a way I think these other types of methods just can't because they just lack the continuous nature and they lack objectivity.
Alex: Right, that's a great point. So following up on that, how do security ratings solve that problem?
Angela: Cybersecurity ratings, I would say the biggest piece, I think, that most customers see value in, is the objectivity. When you look at all the other types of tools out there to do this type of assessment, they really are subjective. You know, you don't ever want to get to a point where you're outwardly questioning the people that you're working with, who you should be trusting. And the objectivity really gives you that kind of confidence in being able to say that, you know, we are really doing what we say we're doing or our partners really are doing what they say they're doing. Where there's a gap, it's an easier way to have that conversation and the security ratings provide validation, obviously, also for internal teams to be able to say, "We bought this tool or we bought that tool, and since we've implemented it, our security rating has gone up." So there's some form of being able to prove the efficacy of the tools that you do have in place, or lack thereof.
I think the last thing then is obviously, the continuous nature. I mean, I think, even just in the last five years or so, the threat environment has gotten significantly worse for a lot of different reasons, I think, just the way the economy works and the way the nature of business is done today is just more digital than it has ever been before. People are just more connected. There's a lot of different reasons that the environment itself has been more dynamic and complex. And when that happens, the number of people that you're working with on these digital platforms whether it's customers or partners, or even employees, has just expanded significantly. And so when that happens, you really do need some way to continuously monitor that at scale in somewhat of an automated way, because they're just…they're frankly just as an… No organization has enough resources to monitor that number of entities.
Alex: Absolutely. So we talked about internal teams using security ratings and of course, if an organization's security posture is being measured, it will be reported to someone. Who typically reports on cybersecurity performance and who do they report to?
Angela: Yeah, that's a great question and it depends a little bit. It's like most things, I guess, within organizations, but the reporting structure, I'll say, typically is the CISO or the CIO reporting up to the board in some respect. From, I would say, kind of like the, if you can say, the usual way is that the CISO will probably report into the audit committee of the board a couple times a year, maybe four times a year, or at least give them, you know, a report a couple times a year. And then there'll be a meeting once a year with the full board where the CISO or the CIO will report to that full board rather than just a committee. And so the level of information that you give to those two different audiences is probably slightly different. The level of information you give to either one is significantly higher level than probably any CISO will look at on his own. But each time, I think, you go up a level, the way that you talk about security has to be really more business-oriented than it is kind of as you get more into the leads on an everyday basis.
So a lot of people talk about trying to track like open ports and how many have been closed or how many systems have been patched. And I think that while that's a very important metric to track internally from a CISO's perspective, the board doesn't probably have enough context for that, and that's why, you know, security ratings really view a good understanding for that level of the audience to say, like, it's a standard metric that we can compare across peers and across industry and across geography to say, are we getting better or worse? And it's a really easy way to do that.
Alex: So how are you seeing organizations really use security ratings to set goals and strategy around cybersecurity performance?
Angela: Well, I'm glad you asked that, actually. I think that we actually have some customers that are doing some really interesting things with security ratings and they're using them in ways that really look at the security group as a business.
For example, we have some customers that look at each of their individual subsidiaries' ratings and benchmark those kind of against each other. Similarly, we see some customers that look at different business units either by, like, business group or by geography to see, you know, which offices are kind of "doing better" from a performance perspective for, again, against for security. And then they can kind of track those different groups against each other over time to be able to see where are we falling behind, who's doing better.
And then in some, like, more advanced circumstances, when you start to see that maybe your European office has really great security and they're always ahead of the game when it comes to all of your different subsidiaries, you can reach out to them and figure out, what are they doing? What risk vectors specifically are they doing better than us on? Maybe they have zero botnet infections or something. But you can start to really learn best practices from those organizations. Then hopefully implement them among the other organizations that, you know, that have lower ratings. And then overall, hopefully that helps you build resiliency across the whole company.
Alex: Definitely. So ultimately, how do you see security ratings impacting the way that organizations think about measuring their internal security posture moving forward?
Angela: I think somewhat related to what I just kind of mentioned, I think that companies are really going to start using security ratings to think about security as kind of a business unit. We've seen this change happen in a lot of other parts of an enterprise over the past several years, and I think finally having a single performance metric for security is gonna allow organizations to really do this. So you know, I think that comes with a lot of opportunities and a lot of challenges and it's kind of exciting, but that means that there are new kinds of skills that CISOs and CIOs will have to take on when it comes to really understanding security from a business perspective and what that means. And so if you can start to understand what the security is and the efficacy of the controls that you have in place, you can also start to understand like where are there gaps and how can you improve in those areas and what does that mean for the allocation of your budget or the allocation of some of your resources.
We've also started seeing kind of a change in the organizational structure of organizations where there's kind of a decoupling of IT and security. And security, you know, it's becoming kind of its own group, often reporting into maybe the CFO or the COO or even the general counsel. Being headed by what a lot of people now are calling the Chief Security Officer, who is in charge of not just information security but also physical security, training and awareness, and oftentimes product security. And so I think that as you see organizational structure change from a business perspective, that has more weight behind really being able to manage security from a business perspective as well. And I think security ratings really give you that single performance metric that is a standard and objective way to measure the security of your organization to help you really track it over time.
Alex: Great. Well, Angela, I think that's all the time that we have slotted. Thank you for a great discussion. It was very informative.
Angela: Thank you, Alex. It was great talking to you today.
Alex: Thanks, everyone, for listening to today's episode, and we'll see you next time on the BitSight Risk Review.
Thanks for tuning in to the BitSight Risk Review. Head over to bitsighttech.com for more episodes and other great security ratings content. Feel free to connect with us on Twitter, @BitSight, or on Facebook and LinkedIn.