A Central Bureau for Global Corporate Cybersecurity Performance
Lennart Pikaart, Strategic & Key Accounts, Bitsight
Bitsight is an international company with headquarters in the United States, Lisbon, and the Asia-Pacific region. Its clients span diverse sectors: government bodies such as the Centre for Cybersecurity Belgium, as well as manufacturing firms, banks, transport enterprises, and high-tech companies. Lennart Pikaart, Strategic & Key Accounts at Bitsight, explains the company’s unique approach.
Could you briefly explain what Bitsight does?
Lennart: ‘Bitsight is akin to the Office for National Statistics, but for the cybersecurity performance of companies worldwide. We provide organisations with insight into their own security position and that of their suppliers. Beyond that, companies can benchmark themselves against their peers in terms of cybersecurity.’
How precisely do you help organisations?
Lennart: ‘In essence, we address two major challenges with our platform and data. First, we help organisations manage security risks in their supply chain. Second, companies can visualise how a hacker views their organisation from the outside. On occasion, the board enquires: “How do we measure up against our competitors?” We can provide that answer entirely through data.’
What is your approach?
Lennart: ‘Thirteen years ago, we conceived the idea to create something akin to a credit rating, but for cybersecurity. This concept only works if one can assess every organisation worldwide in precisely the same manner. This means we only make observations from the outside. If you require permission to scan systems, half would decline. So we opted to do it from the outside. We often say we provide the “Criminal’s Eye View” of two million organisations worldwide, and we scan, monitor, and update that information daily.’
How do you collect and process that data?
Lennart: ‘We’ve developed a platform that collects data globally through our own scanning platform and numerous external sources. We focus on various companies, such as those in the Dutch High Tech Sector, which operate worldwide. The data must be consistent and of uniform quality. We then package this information into 25 security sub-areas. Rather interestingly, we roll this data up into KPIs, allowing organisations to benchmark themselves against their peers or internally.’
How do these KPIs lead to a security rating?
Lennart: ‘We roll up all this data and KPIs into an overall security rating. This rating is based on the American credit rating system and ranges from 300 to 850. It provides a readily comprehensible figure that reflects the overall cybersecurity performance of an organisation.’
Suppose you visit an organisation with a rating of 600. They’re above average and performing rather well. Do most clients then aspire to that 850 rating, or are they content with a passing grade?
Lennart: ‘That rather depends on the organisation’s security awareness and maturity. The typical first reaction is: “Do show us, then.” Naturally, everyone wishes to improve, but it’s rather important to recognise that not every organisation has the same resources. That’s precisely why it’s so crucial to examine this in the supply chain context. Security isn’t merely about willingness and ambition but about whether you have the means to achieve it. Banks, for instance, have been investing in security for decades and therefore tend to perform rather better. SMEs mightn’t have those capabilities.’
Large corporates are often ISO 27001 certified, but that doesn’t necessarily mean they achieve a rating of 850, correct?
Lennart: ‘That’s quite right. Many people think: “I’ve achieved my ISO 27001 certification, so I’m safe.” But it’s not quite so straightforward. It’s rather like a footballer who joined the first team a year ago and then thought he needn’t train quite so hard. In cybersecurity, things can change rather quickly. Things may well have been in perfect order during the audit, but if people leave afterwards or processes change, gaps can readily emerge. That’s precisely why regulators increasingly emphasise the importance of continuous monitoring. One needs to make agreements with suppliers about security requirements, document these in KPIs, and then actively monitor them.’
So you help organisations gain insight not only into their own security position but also that of their suppliers?
Lennart: ‘Precisely so. By providing a continuous and objective view of security performance across the entire chain, organisations can better manage risks and work with suppliers to implement improvements. With the growing complexity of digital ecosystems and more stringent regulations, it’s essential to have continuous insight into your own security position and that of your chain partners. We continue to develop our platform to provide even greater value to our customers and help them navigate the ever-changing cybersecurity landscape.’
Why has Bitsight decided to embrace the NIS2 Quality Mark?
Lennart: ‘The Quality Innovation Foundation has designed a rather thorough framework through which companies can be audited and certified. Through collaboration, our Bitsight clients can monitor their supply chain even more effectively. We can visualise the 25 security areas we monitor within the NIS2 Quality Mark framework. This helps our clients understand how these two tools are interconnected.’
How do you view the NIS2 Quality Mark from your expertise?
Lennart: ‘I find the NIS2 Quality Mark a rather robust initiative, particularly because it offers a growth model with three levels. Companies needn’t make an enormous leap immediately but can gradually progress towards an achievable level for them. It provides clarity and helps with the translation and understanding of cybersecurity standards in a specific geographic area. My only slight concern is that Europe might become rather overwhelmed with different standards, which could prove confusing. However, the NIS2 Quality Mark directly links to various frameworks, which helps with understanding and implementation.’
How precisely do you integrate these two tools?
Lennart: ‘We integrate the NIS2 Quality Mark into the Bitsight portal. Users can directly see how the 25 security KPIs we monitor fit within that framework. One can see where you excel and where you might grow, and it relates precisely to your level within the NIS2 Quality Mark. For instance, if a supplier claims they’ve achieved level 3, but our data shows something rather different, that contrast becomes immediately apparent. This helps companies understand any discrepancies and take appropriate action.’
What makes the combination of Bitsight and the NIS2 Quality Mark so powerful?
Lennart: ‘Achieving the NIS2 Quality Mark is a jolly good step, but it’s rather important to continue training and improving afterwards. With Bitsight, you can continuously look in the mirror, as it were, and see how you’re faring. You can readily access our platform to see if your expectations align with reality. One can only learn from that.’