- January 6, 2022: Company eligibility (My Company & subscribed My Subsidiary).
- April 19, 2021: Name changed from “Bitsight Forecasting” to “Rating Improvement” for the SPM application; Added navigation instructions.
Use this guide to learn how to effectively use Rating Improvement to generate a forecast for your My Company or subscribed My Subsidiary. This guide includes prioritizing risk vectors, generating Forecast Scenarios that result in more impactful action plans, and monitoring progress towards improving ratings.
Sections
- (1) Prioritizing Risk Vectors for Your Forecast Scenario
- (2) Generating a Forecast Scenario
- (3) Monitoring Your Progress
- Notes
Before starting and using Rating Improvement:
Despite our dedication to building a reliable and accurate forecast, Rating Improvement is not absolute. We cannot guarantee the projected rating will happen or claim forecasting can be used to predict data breaches and other cybersecurity events. It’s solely a projection of what may happen to your Bitsight Security Rating, with an acceptable level of reliability.
(1) Prioritizing Risk Vectors for Your Forecast Scenario
Review the Guide to Navigating and Prioritizing Bitsight Risk Categories & Risk Vectors to thoroughly understand and analyze your organization’s security rating report. This will allow you to select and prioritize a set of risk vectors for your first Forecast Scenario iteration. The resulting list is meant as a starting point to quickly choose the most impactful risk vectors, without having to dive into the details of each risk vector.
Peer Analytics, an analytics tool that can help prioritize risk vectors for remediation, is available as an add-on package.
Tips:
- Aim for the 80-20 rule. Select 4 (20%) of the most impactful risk vectors in your organization. To be more thorough, increase the list size based on your available resources.
- Compromised Systems risk vectors graded below an A are a good starting point.
- If your Compromised Systems risk vectors are all graded about the same, add Botnet Infections, Malware Servers, and the other three Compromised Systems risk vectors to your list.
- If Open Ports is not an A, add it to the list.
- If File Sharing is not an A, add it to the list.
- Prioritize all the other risk vectors according to their weights.
Example:
Refer to the following example as a guideline for selecting your initial risk vectors: Saperix, Inc. has a Security Rating of 460 and several problematic risk vectors. Applying the recommended best practices will result in the following list of risk vectors in the Forecast Scenario:
- Botnet Infections
- Potentially Exploited
- Open Ports
- File Sharing
(2) Generating a Forecast Scenario
(a) Analyzing the “No Action Forecast”
Carefully look into the No Action Forecast to understand what to expect if no deliberate action is taken to improve the security posture of your organization.
Learn more about how to read the forecast chart.
(b) Simulate and Analyze Your Forecast Scenario
The Improvement Forecast shows the expected changes within 12 months.
Select the Simulate button to analyze the possible outcomes. Inspect the evolution of your rating at different points in time by hovering your cursor on the chart. Compare these values with your goals and use the difference as inputs to refining your Forecast Scenario.
Tips:
When defining your Forecast Scenario, enable your impactful risk vectors and refer to the following recommendations:
- Don't spend too much time setting the values in your first iteration.
- Set all Estimated Resolution Dates to the end of the current month.
- For Compromised Systems:
  - Set the Average Duration to the minimum.
  - Keep the Total Number of Events at the default.
- For Diligence:
  - Set BAD findings to zero.
  - Keep the WARN findings at the default.
- For File Sharing:
  - Set application events to 0 (zero), as these are considered higher risk than all other File Sharing categories (non-application events).
  - Keep the non-application events at the default.
Example:
Saperix, Inc. wants to improve their rating further than the User Defined Forecast of this first iteration indicates. They will need to commit more of their resources to improve their Security Rating.
(c) Refine Your Forecast Scenario
Start with Botnet Infections and then refine through the remaining risk vectors:
- Understand the details behind each risk vector.
- Make plausible assumptions on how many and when your organization can solve issues, based on your available resources.
- Transform those assumptions into a Forecast Scenario and then select the Simulate button.
- Re-evaluate the results and compare them to your goals.
- Repeat these steps until your goal is achievable or until you reach a conclusion that can't be further improved.
Example:
66 Botnet Infections with an Average Duration of 18.4 days were observed during the last 12 months.
- Saperix, Inc.'s Average Duration of 18.4 days is considered high for their industry, where the average is 1.8 days. They can aim to be in line with the industry average within the following 12 months.
- If 14 of the 66 events were due to Gamarue on a single IP, and Saperix, Inc. commits to preventing these events and protecting all affected devices by the end of the following month, 14 fewer events are expected in the next 12 months.
Saperix, Inc. may find that they can economically achieve a rating between 500 and 530. The resulting Forecast Scenario is the plan used to drive the actions that improve their security posture.
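The refinement step above comes down to two questions: which malware family and IP account for a block of your Botnet Infection events, and what your remediation commitments do to the Total Number of Events and Average Duration you type into the scenario. The script below is an added example, not Bitsight code: it assumes a hypothetical CSV export with the columns observed_date, ip, family and duration_days (real exports may be laid out differently), and the event rows are constructed. It generalizes the 14-of-66 Gamarue case to any combination of removed sources and a duration cap.

```python
"""Derive Forecast Scenario inputs from a compromised-systems event export.

Added example; not Bitsight's code. The CSV layout (columns observed_date, ip,
family, duration_days) is an assumption, and the rows below are constructed.
"""
import csv
import io
from collections import Counter
from statistics import mean

# Constructed sample of Botnet Infection events over the last 12 months (not real data).
SAMPLE_EVENTS_CSV = """observed_date,ip,family,duration_days
2021-03-02,203.0.113.10,Gamarue,20.0
2021-03-15,203.0.113.10,Gamarue,30.0
2021-04-01,203.0.113.10,Gamarue,10.0
2021-04-20,203.0.113.10,Gamarue,40.0
2021-05-05,198.51.100.7,Conficker,5.0
2021-06-11,198.51.100.7,Mirai,15.0
2021-07-19,203.0.113.25,Conficker,25.0
2021-08-23,203.0.113.25,Gamarue,3.0
2021-09-30,198.51.100.9,Mirai,2.0
2021-11-12,198.51.100.9,Conficker,34.0
"""


def load_events(csv_text):
    """Parse the export into a list of dicts with duration_days as a float."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["duration_days"] = float(row["duration_days"])
    return rows


def scenario_inputs(events):
    """Return (Total Number of Events, Average Duration in days), the two
    values the Compromised Systems form asks for; (0, 0.0) if no events."""
    if not events:
        return 0, 0.0
    return len(events), round(mean(e["duration_days"] for e in events), 1)


def top_sources(events, n=3):
    """Rank (family, ip) pairs by event count to find concentrated sources,
    the analogue of spotting 14 of 66 events from one family on one IP."""
    return Counter((e["family"], e["ip"]) for e in events).most_common(n)


def apply_assumptions(events, remove_sources=(), max_duration=None):
    """Model a remediation commitment: drop events from (family, ip) sources
    the organisation commits to eliminating, and cap the remaining durations
    at the response time it commits to (for example the industry average)."""
    drop = set(remove_sources)
    kept = [dict(e) for e in events if (e["family"], e["ip"]) not in drop]
    if max_duration is not None:
        for e in kept:
            e["duration_days"] = min(e["duration_days"], max_duration)
    return kept


if __name__ == "__main__":
    baseline = load_events(SAMPLE_EVENTS_CSV)
    print("No Action inputs (events, avg days):", scenario_inputs(baseline))
    print("Most concentrated sources:", top_sources(baseline))
    worst = top_sources(baseline, 1)[0][0]
    plan = apply_assumptions(baseline, remove_sources=[worst], max_duration=10.0)
    print("Scenario inputs after plan:", scenario_inputs(plan))
```

Run it against your own export after adjusting the column names; the two numbers it prints for the plan are what you enter as Total Number of Events and Average Duration before selecting Simulate, and the ranked source list tells you which cleanup commitment buys the biggest reduction.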
(3) Monitoring Your Progress
Select the Start Monitoring button at the top-right of the forecast to activate it. This will freeze your plan from further changes so you can begin monitoring the progress of your Forecast Scenario.
Once your forecast is active, you will no longer be able to edit the Forecast Scenario.
Refer to Understanding the Forecast, and use your Forecast Scenario to see how each goal evolves relative to the defined target and your current state of remediation.
You can also see the status of your Forecast Scenario and the rating evolution from the My Forecasts page. If your list of forecasts is long, use the filters to search by status (inactive, active, or finished) or by shared status (My Forecasts/owned or Shared with me).
Notes
To summarize:
- Quickly choose your initial set of high-impact risk vectors.
- Create your first iteration of a Forecast Scenario.
- Factor in a more in-depth analysis of the company report and organizational assumptions.
- Iterate until your scenario allows a significant improvement, within a reasonable investment of your resources.
- Deliver your improvement plan to your organization.
- Start monitoring your progress.
One of the benefits of Rating Improvement is the unlimited number of Forecast Scenarios that can be created. Many sets of assumptions can be created and transformed into various Forecast Scenarios that can be shared and discussed with different roles or teams in your organization. Once a scenario is active, select the Share button at the top-right of the forecast to enable sharing and then select Save to confirm.