TOM FIELD: So, you just conducted some new research which I consider to be an eye-opener on botnets and their influence within breached organizations. What jumps out for you?
STEPHEN BOYER: It's actually pretty impressive in terms of the research and findings. What we've always been asked is, well, how do the things that you see correlate with breach outcomes? In other words, what can you measure that's going to be indicative of a publicly disclosed breach. So this is really unprecedented where we looked at thousands of organizations and saw that organizations that have machines infected with botnets were over two times more likely to have a publicly disclosed breach.
Common Gaps
FIELD: What do you find to be the common security gaps within the organizations that were lower rated?
BOYER: Without doing a forensics analysis, it's hard for us to know for sure. Historically what we've seen is that organizations have weak patch management, poor change control and usually some issues in training, right? And so it's a combination of those. We don't know for sure all the controls that they have failed or the gaps in there. But over time and looking at enough industries, we've seen that usually these are very simple controls. There's usually kind of your basic blocking and tackling, but it's hard for these organizations to do them well and at scale.
Best Practices
FIELD: What do you find to be qualities of higher-rated organizations?
BOYER: Historically, financial services has always been the top - not as vulnerable. They definitely have weaknesses like everybody else. We see that they respond quickly. So typically the name of the game now has been 'how do you detect and recover quickly as opposed to protect and stop all issues?' The conversations I've been having lately and also here at RSA have been we recognize that there are going to be gaps; we recognize that we could be attacked and have breaches. But we really want to detect and recover it quickly. We see that in financial services. Their capabilities there are really the highest of any industry.
FIELD: How does BitSight help organizations to establish their benchmark and then build upon that positively?
BOYER: At BitSight, we're rating thousands of companies. We're tracking them against their industry, so we're able to compare organizations against their peers, whether it's who they may be competing with, their competitors, or the industry track that they're tracking. And so because we can track against thousands of companies, we're able to say, 'now, here's where you fit.' Additionally, because we're able to do that, we can provide that information to the company so they can understand where are their gaps, where should they focus and prioritize? And alternatively, what we help our customers focus on is third-party risk management, which is: Now you can understand yourself, and now let's look at the supply chain, let's look at your partners and understand where they may be having gaps, or that may be additional risk to you if you've seen some really high-profile breaches that have really happened through the supply chain.
Validating Research
FIELD: Stephen, yours is a fairly young organization. You spend a good deal of time explaining to people what you do. How does this research really validate your market position?
BOYER: So, one, the approach, right? Because now you can learn really interesting things that have strong statistical basis for risk management completely from the outside, and we've known this for a while, which is, well, how can you learn this without maybe a questionnaire or without a full audit? And there's no doubt you're not seeing everything. Even with a full audit, you're not going to see everything. But what we're seeing is if you get enough measurement over a long period of time, you're starting to learn about the culture and the execution of an organization. And so for us, it's looking at years of data, high-quality data. But now that you've got these strong, predictable signals, you can decide how you want to prioritize that - how do you want to report it up, how do you want to underwrite insurance, how do you want to communicate with the supply chain? And it's key to change the discussion from, you know, maybe subjective questions to hard data that you can have really data-driven discussions with.