BitSight Technologies

3.7 out of 5.0 (3 ratings)
3 Verified Reviews

BitSight Security Ratings

Smooth pilot phase; will take time to become fully operational.

Vendor was proactive with communications and providing additional information and training on the product. They were also responsive to additional requests and follow-ups.

Authenticity and Accuracy of data used to derive the security rating needs to be addressed

The structure of the report and the areas covered broadly, such as Application Security, User Behavior, Patching Cadence, Unsolicited Communication etc., is good. However, many vendors do not agree with the ratings provided. For example, the Botnet Infections section would indicate the Grade (A or B etc.) followed by the vendor's average duration to address and the Average Duration in the Industry. Furthermore, it would indicate if there were any Botnet Infections "this week". The vendor would typically argue that they never had any infection reported or identified for the current or past week. The basis on which such data is provided is not made clear. On a scale of reviewing 1000+ vendors, there has not been one vendor that agreed with the ratings. Almost all have questioned the authenticity and accuracy of such data. Instead of using the rating for any decision making or categorizing the vendors based on risk or security rating, the output produced is mostly questionable. While BitSight mentions in areas how the report should be interpreted or read by the vendors, it fails to make its report usable for meaningful conversation with the vendors and/or 3rd party service providers. Clients want to leverage such reports to reduce time, but use of BitSight has caused an increase in time spent assessing a vendor's true security posture, with many contradictions. Something needs to be done on how the data is projected and/or provide additional details along awareness lines on how, where & why the BitSight report should be used. Areas questioning the authenticity and accuracy of data used to derive the security rating should be addressed and taken seriously by BitSight.

Easy to implement, need to ensure vendors have opportunity to address scores

Has worked quite well for our company. It has helped bring to light vendors whose security practices could use improvement and given us a consistent metric by which to measure vendors.