Stephen Boyer, CTO, BitSight: Risk quantification and ransomware

Data Breach
Fin is an experienced editor with a focus on the frontlines of global business news and cutting-edge technological trends. He has published engaging interviews with leading industry figures from the likes of CBS, Rakuten, Spotify, and more. When not tapping away behind a laptop, he can be found researching and exploring the cryptocurrency and NFT markets. You can follow his Twitter @FinStrathern or connect with him at https://www.linkedin.com/in/finstrathern/.

If 2021 stood out for one thing in the cybersecurity industry, it would have to be the rise in security breaches. From lone ransomware incidents on small, digitising businesses to US government data breaches through SolarWinds software, the pandemic instilled a before unseen vitality into cyber criminals and bad actors.

BitSight, currently celebrating its 10th year as a company, works with more than 2,100 customers to provide risk management solutions to half a million organisations.

Following a quarter of a billion dollar investment by credit rating company Moody’s, Cloud Computing News sat down with BitSight co-founder and chief technology officer Stephen Boyer to dive deeper into the ongoing shake-ups in the cybersecurity industry.

Cloud Computing News: What differentiates BitSight from other cybersecurity rating companies?

Stephen Boyer: We really pioneered the market when we launched back in 2011 following our early patent filings the year before, and we’re about twice as big in terms of employees and revenue to anyone else in the space. I think where we are unique in terms of our offering, as you’ll see from Moody’s recent investment, is our breadth of reach.

And what I mean by that is just the different use cases we offer: from third party risk to security performance management, from insurance to critical national infrastructure, and from financial to investing. With a big customer presence across all of those areas we have the resources to work across all of them. Competitors oftentimes focus on say third party risk management, which is an important area, but because we work across all areas at our scale it gives us a really unique perspective and capability.

We also are now starting to offer cyber risk quantification, which is to take all those security ratings and performance measurements, and then put that in terms of dollars, euros, or pounds. We then look at that in terms of a risk measurement, as opposed to just a performance measurement, which is what we have done historically.

CCN: Speaking of Moody’s $250 million investment, it has been a busy year for BitSight. What have been some of this year’s major developments for the company?

SB: One major development for us has certainly been the expansion and development of the market as we’re continuing to grow into double digits as a business. We’re also expanding and integrating deeper into the use cases that I already mentioned.

Looking back to the SolarWinds breach from the start of the year, what we have since provided for our customers has been super well received. We gave very critical visibility in terms of who might be impacted. What are the business relationships? How could our customers detect and follow up around this? There were also the Microsoft Hafnium attacks and the Kaseya ransomware attack which were two major events that we’ve responded to really well and put out a lot of research on whilst supporting our customers.

CCN: A recent Moody’s report described the importance of cyber risk quantification (CRQ) and suggested that CRQ is “credit positive.” What does this mean and what should security and risk professionals do about it?

SB: In credit sector language, credit positive usually means a tailwind for the issuers, meaning it’s a positive thing for the people who want debt within a sector. So as people become more sophisticated and as they’re able to improve their maturity and quantify that risk, it’s going to make it easier for them to get that. It’s called credit positive because it’s actually beneficial for a sector of the issuers to go and give out credit as opposed to those who are trying to buy that credit, right. It’s seen as a sign of the market maturing and part of the reason for this is that cyber risk has been pretty opaque to investors.

Imagine you’re investing in a bond but you don’t really know how the company’s cybersecurity controls are or what the risks are. Being able to quantify that and show the data to you makes the situation more transparent and prices more accurate.

CCN: As 2021 draws to a close, what trends has BitSight noticed in the cybersecurity industry this year?

SB: With digital transformation having accelerated massively, dependency on a third party digital ecosystem has increased and we’ve seen risks become more apparent. Consider what we talked about with SolarWinds or Hafnium – these major breaches have really shone a light on the high level of risk involved in digitisation.

Just this morning I was speaking to a client who said they need a better view into the risk of their whole supply chain and the ability to monitor it continuously. That’s been a big shift because historically companies have done assessments when they first start working with a partner or once a year.

One of the biggest trends of 2021 has been the step forward in the maturity of the thinking of the market regarding third party risk management. Just to do business during the pandemic companies had to depend on a host of different service providers, SAS providers, and cloud providers to the point that it exposed them in a way they had never experienced before.

The other major trend has been the rise of risk quantification. Companies can know they have a risk and that they need to manage this risk but they can’t just spend indefinitely – it has to be quantified and boundaries set in some way.

Bringing that structure and rationality to cybersecurity has been in huge demand. It’s driving the industry from a very controls-based approach to a much more risk-based approach that can be financially quantified for the whole company to better understand.

CCN: Ransomware has become a massive issue for organisations around the globe this past year. What are you seeing and what steps should organisations take to address this problem?

Most of all its impacted insurance pretty dramatically, causing premiums to go up but coverage to go down, meaning companies are paying more for less to cover the losses insurers are taking.

We wrote a report on the rise of ransomware back in 2016 and since then its only continued to increase, hitting a huge crescendo this year with the onset of remote work, digital transformation, and digital currencies making it monetisable.  

What’s clear is that these attackers are targeting known vulnerabilities. It’s super rare for anything to exploit something novel like in the case of SolarWinds. Oftentimes it’s even the same exploits against the same vulnerabilities or the same mistakes that individuals will make.

What’s more, you are seven to eight times more likely to suffer a ransomware incident if your patching isn’t at a high level. So, our advice would be to keep your systems up to date and tested for backup and recovery. If you can recover your systems, why pay a ransom, right? Executing the basics and doing that really well can limit the ability of ransomware to do its damage.

CCN: What key challenges will BitSight and the cybersecurity industry as a whole face in 2022?

Whilst it may not be that exciting, expect more of the same. You’re going to see a lot of the same attacks and a lot of imitation attacks. When something works, as with the major supply chain attacks this year, people will imitate it.

What will be different is that companies are waking up to realise that they need to get a better handle on their security as the way investment and quantification works is changing. It’s no longer just an IT problem. A company’s security is starting to have a growing impact over key parameters such as insurance rates, stock price, and board votes.

So, whilst a lot of the attacks will remain the same, the scrutiny and focus of the stakeholders on security is absolutely set to increase.

CCN: How would you describe the relationship between cybersecurity and digital transformation?

Firstly, digital transformation has been synonymous with maintaining relevance as a business this past year has it not? If you weren’t digital you were in a really tough spot so its become something of a business necessity.

Where that intersects with cybersecurity is by opening up a different attack surface. Whilst this is for a lot of good reasons from a business perspective, often times the spend in digital transformation outpaces the spend in maturity of controls and processes to protect that.

If a company isn’t spending at a commensurate level by investing to protect the benefits of its digital transformation then it is putting itself at risk.

Looking to revamp your digital transformation strategy? Learn more about the in-person Digital Transformation Week North America taking place in Santa Clara, CA on 11-12 May 2022 and discover key strategies for making your digital efforts a success.

Tags: , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published.