Security ratings provider BitSight raises $23M

BitSight uses data to give companies a Security Rating, based on how likely they are to be breached

The massive Target security breach from a few years ago exposed two fundamental truths: many companies, even the biggest ones out there, are not as secure as their customers, or they themselves, like to believe.

This, of course, is pretty dangerous, since not knowing exactly how at risk they are leaves them mores susceptible, and vulnerable, to potential breaches. And that is where cybersecurity ratings company BitSight comes in. Like a credit score, the company looks at publicly available data to assess the risk of companies, giving each company a Security Rating based on how secure they are. 

Cybersecurity is becoming a hot space right now, and BitSight is a company tackling it from a different angle. That approach has attracted the attention of VCs, who just infused the company with a $23 million Series B round of funding, it was announced on Thursday.

Comcast Ventures joined as a new investor in the round, along with current investors Menlo Ventures, Globespan Venture Partners, Commonwealth  Capital Ventures, Shaun McConnon and Flybridge Capital Partners, all participating. Managing Director David Zilberman led the investment for Comcast Ventures.

The company had previously raised $26 million, including a $24 million round in 2013. With this latest funding, BitSight has raised a total of $49 million. 

BitSight's Security Ratings have multiple potential uses, including the companies, who use them to continuously monitor the risk posed by vendors in their supply chain, and to benchmark themselves against other companies in their industry.

"We deliver ratings services on how companies perform from a security perspective, like Bradstreet does around viability, and FICO for consumer credit. The reason we do this is that we are used by vendor risk managers, who look at large supply chains, because they are regulated to do so in the wake of Target and other high profile third party breaches," Tom Turner, EVP of Sales and Marketing, told me in a interview.

Companies are getting overburdened with various types of questionnaires from vendors, which are all different, there is no uniform, so it helps to have a standard in the industry, he said.

"It is also helpful for them to understand their own performance against a set of other companies. Having to answer those questions to board and investors and other parties, it is also helpful when they think of being on the applicant end of cyber insurance. And for mergers and acquisitions value, whether organization are either acquirer or acquiree, that knowledge of performance is valuable."

The information that the company provides falls into three categories.

First, the most important, are externally visible evidence of compromise. That mans machines inside the organization, which are communicating out to malicious organizations or bot nets. This information comes from threat intelligence sources, where BitSight will license data from third parties and partner with others, as well as have its own data sources which enable its to look at that externally visible evidence.

The second doesn't have to do with compromised information as much as hygiene, or "diligence about how they apply controls and policies." That means are there ports open on their Internet facing servers, if their SSL has been configured the correct way, and if the domains from which they send e-mails are locked down in an approp fashion.

Third is a record of breaches. Not just those that are high profile, but smaller scale breaches. This information from Freedom of Information requests to states of Attorney Generals. It also factors in how users are behaving, if they are consuming things like torrents and streaming media through unapproved protocols.

So far BitSight has rated over 25,000 companies, some of which Turner admits were skeptical when the the company first started out, as to whether its score was an objective number but which since been used in multiple cases to actually stop companies from being breached in the first place.

"There was a cyber insurance company whose underwriting department was using the product. They were looking at the rating of a potential applicant, saw the info, which concerned them, so they notified the company who then solved the issue," Turner said. "The applicant didn’t get breached, and the insurance company didn't have to pay out a claim. We give a unique perspective and info that isn't always available, since companies are always looking at what they have inside."

BitSight has multiple uses in mind for the money it has just raised. Part of it will go toward extending sales and marketing into Europe and APAC.

"We are like most security companies, who begin their reach in North America. Partly that has to do with location, but also the sophistication of the market here. If you look at ghe use cases that we solve, we are different from traditional security products, since we address a business and an executive audience," said Turner.

"Risk and key suppliers, comparing performance to a peer group, risk transfer and cyber insurance. There are important discussions in Asia and Europe. We've made a lot of progress in North America but its important to us as we extend our offerings. We expect to become the standard for Security Ratings."

The funding will also go toward product development, including giving companies a larger amount of dats, stretching back three or four years, as well as data about fourth party relationships, beyond just how key suppliers are performing.

And, finally it will go toward expanding the team. The company has 122 employees and have plans to hire at least 35 new employees, building out its two offices in Cambridge and in Lisbon.

BitSight sees itself as a pioneer, one that is essentially creating a new market. And it plans to use that advantage to stay ahead of any potential competition and become the standard for the industry.

"We are creating this space. There has never anybody who has done this before. Where we want to take this market is to to become a standardized part of how you evaluate a party from a business perspective," Turner told me. "Credit worthiness, price performance, expected security performance will be integral.

Founded in 2011, BitSight now has over 150 customers, including Liberty Insurance, Safeway and KKR. It is on its way to a record year, as it has tripled its revenue from 2014 in only the first two quarters of 2015 so far.

"This is a significant event for us in the company. The participation by new and existing investors is a validation of our performance through round A and our intent to scale globally to become a standardized part of business."

(Image source: bitsighttech.com)