Gütersloh, 08/28/2017

IT Security You Can Measure

Subject: Media & Services
Country: Germany
Category: Project

Companies have been obtaining information about the financial standing of their business partners through independent rating agencies like Moody's or Standard & Poor's for many years. In the future, it will become just as common to inform yourself about a business partner’s IT security before signing a contract, because the shift to digital business models means that increasingly large volumes of data are being exchanged and processed between companies. So besides a good credit rating, the diligence that companies bring to protecting themselves against cyber-risks will become more and more important. Bertelsmann's Corporate IT is exploring new approaches to this in its collaboration with the American startup Bitsight Technologies.

“About a year ago, we set out with the vision of making our divisions’ cyber-risks measurable and comparable,” says Carsten Bittner, Senior Vice President and Chief Information Security Officer at Bertelsmann. “Among other things we sought a professional exchange with insurance companies that insure cyber-risks and therefore have to assess them.”

20 Different Influencing Factors

The question of how IT security can be made comparable and independently measurable, i.e. by external partners, is also being addressed by various startup companies. They collect publicly available information from internet traffic and evaluate how consistently IT security measures have been implemented, for example in the email environment. They also identify whether, and which, malware is present on a company's systems. These methods are based on the latest “big data” analysis methods. “As many as 20 different measured influencing factors are differently weighted depending on their importance for IT security, normalized using a mathematical algorithm, and condensed into a cyber-security rating that is comparable to a credit rating,” says Elke Focken, Senior Director Performance Measurement at Bertelsmann Corporate IT. “Because these cyber-security ratings are based on publicly available information, they are implemented without the participation of the company being evaluated and are then offered on the market.”
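To make the mechanics described above concrete (weighting, normalization and condensing into a rating, plus identifying which factor to fix first), here is a small Python model added as an illustration. It is not Bitsight's algorithm or any code from the article: the factor names, their weights, the worst/best reference values, the letter bands and the sample observations are all assumptions constructed for the example.

```python
"""Toy composite cyber-security rating (constructed example, not Bitsight's method).

Aggregates externally observable signals into one score the way the article
describes: each factor is weighted by assumed importance, normalized onto
[0, 1], and the weighted mean is condensed into a credit-rating-like letter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    weight: float   # relative importance for IT security (assumed values)
    worst: float    # raw value that maps to a normalized 0.0
    best: float     # raw value that maps to a normalized 1.0


# Assumed catalogue of externally observable signals. The article says vendors
# use up to 20; four are enough to show the mechanics.
FACTORS = {
    f.name: f
    for f in (
        Factor("email_auth_coverage", 3.0, worst=0.0, best=1.0),    # share of mail domains with SPF+DKIM+DMARC
        Factor("tls_config_score", 2.0, worst=0.0, best=1.0),       # share of public endpoints with modern TLS
        Factor("infected_hosts", 4.0, worst=20.0, best=0.0),        # hosts seen in sinkhole/botnet traffic
        Factor("patch_lag_days", 1.0, worst=180.0, best=0.0),       # days behind current on exposed software
    )
}


def normalize(factor, raw):
    """Map a raw observation onto [0, 1] where 1.0 is best, clamping out-of-range
    values. The sign of (best - worst) handles both 'higher is better' and
    'lower is better' factors without a separate flag."""
    span = factor.best - factor.worst
    return max(0.0, min(1.0, (raw - factor.worst) / span))


def composite_score(observations):
    """Weighted mean of the normalized factors. Weights are renormalized over the
    factors actually observed, so a missing signal does not silently count as 0."""
    present = {n: v for n, v in observations.items() if n in FACTORS}
    if not present:
        raise ValueError("no known factors observed")
    total_weight = sum(FACTORS[n].weight for n in present)
    weighted = sum(FACTORS[n].weight * normalize(FACTORS[n], v) for n, v in present.items())
    return weighted / total_weight


def letter_rating(score):
    """Condense the 0..1 score into a credit-rating-like letter (assumed bands)."""
    for threshold, letter in ((0.9, "A"), (0.75, "B"), (0.6, "C"), (0.4, "D")):
        if score >= threshold:
            return letter
    return "F"


def weakest_factors(observations):
    """Rank observed factors by weighted shortfall, weight * (1 - normalized):
    the order in which remediating them would raise the composite score most."""
    shortfall = {
        n: FACTORS[n].weight * (1.0 - normalize(FACTORS[n], v))
        for n, v in observations.items()
        if n in FACTORS
    }
    return sorted(shortfall, key=shortfall.get, reverse=True)


# Constructed observations for a fictional company (not real measurements)
SAMPLE = {
    "email_auth_coverage": 0.5,
    "tls_config_score": 0.9,
    "infected_hosts": 5.0,
    "patch_lag_days": 45.0,
}

if __name__ == "__main__":
    score = composite_score(SAMPLE)
    print(f"score={score:.3f} rating={letter_rating(score)} fix_first={weakest_factors(SAMPLE)}")
```

With the sample observations the composite score is 0.705, which falls in the assumed "C" band, and the shortfall ranking puts email authentication coverage ahead of the infected-host count even though the latter carries a higher weight, because the email factor is much further from its best value. Renormalizing the weights over observed factors is the important design choice: a rating built from public data will often lack some signals for a given company, and treating an unobservable factor as a zero would penalize the company for the rater's blind spot rather than for a weakness.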

Bertelsmann first entered into its partnership with the startup Bitsight Technologies, which offers such Standard Cyber Security Ratings, a year ago. Bitsight is based in Cambridge, Massachusetts, near Harvard University and the Massachusetts Institute of Technology (MIT). “The Bitsight service gives us a tool to objectively measure and visualize the effectiveness and continuous improvement of our security measures for the first time,” says Bittner. “Cyber-security ratings are also increasingly establishing themselves as independent benchmarking sources that existing and potential customers, as well as competitors and cyber-insurers, are already availing themselves of.” “In order to keep our businesses competitive with regard to IT security as well, we have to increasingly deal with the management of these ratings,” adds Elke Focken.

Identifying Security Holes

In addition to cyber-security ratings, a Bitsight web portal also provides information on the respective influencing factors and advice about improving one's own security status. This allows security holes to be detected and closed quickly. Bitsight also sends “infection alerts,” real-time notifications about viruses identified in a company’s internet-enabled systems.

All Bertelsmann divisions already have access to their individual ratings and the detailed information underlying them. Following a successful first year, an extensive partnership agreement with Bitsight Technologies was concluded in June of this year. “It allows our divisions to work independently with Bitsight services to optimize their IT security,” explains Focken. “And we’ve added the option of seeing the ratings of current or potential suppliers, as well as of competitors and possible M&A targets.”

Bertelsmann Cyber Security Program

"We are delighted to continue our collaboration with Bertelsmann, which now spans over one year," said Stephen Boyer, CTO and Co-founder of Bitsight Technologies. "Our partnership is of particular importance to us as Bertelsmann is a leading German company. Bertelsmann has been working to reduce their cyber risk, and as a result, we are able to learn and improve our services by collaborating with their experts."

“Bitsight Technologies is a perfect match for the Bertelsmann Cyber-Security program we have set up,” emphasizes Bertelsmann CISO Carsten Bittner. “It complements our basis, the Information Security Management System (ISMS), as well as our activities in the field of cyber-defense technologies, with another important component – the objective measurement of security performance. We expect that cyber-security ratings will become further established in the future, and that customers will demand a certain level of security from their suppliers, as measured by the rating. The insurance companies we’ve discussed cyber-risk assessment with are also increasingly integrating the ratings into their pricing. So by deciding to tackle cybersecurity ratings at an early stage, we are very well positioned at this point, and are now in a position to provide targeted support for all divisions and to improve IT security.”