Bitsight Third-Party Risk Management vs. SAI360

If you are considering BitSight Security Ratings as a portion or bulk of a larger vendor management project you will be well served in letting the risk scores be an indication of how closely you need to examine a vendor. However, you should not base your assessment solely on the risk score provided. The risk score is based on publicly available data and can be inaccurate.

Incentivized

The usage of ROAM, as well as the integration of external programmes through API and import functions, has almost reduced duplication of work. One thing to keep in mind is that your use cases must be very clear. There are a lot of SAI solutions, and their titles don't always correspond to what they actually perform.

Incentivized

• Security hygiene tracking over time
• Understandable risk score based on observations
• Predictability model of potential cyber security issues based on security habits.

Incentivized

• Customized unified design platform
• Modules that fit your organization
• Low technology involvement with information department.
• Built on foundational platforms some bidirectional in the ERM framework with TPRM contracts
• Single sign-on web-based applications

Incentivized

• Since data is based on public registration IP and domain data can be stale depending on ISP/Domain registration update delays.
• Correcting a false detection is a month-long endeavor and requires the company with the impacted score to clean up BitSight's data.
• Customer service for incorrect data is convoluted and requires a deep understanding of domain registration to correct the data. The responsibility for correcting data is placed solely on the customer's shoulders.

Incentivized

• Integration with SAP for continuous control monitoring.
• Control mapping to standards: ISO; COSO; COBIT; HIPAA; SP800_53 (NIST); FedRAMP; PCI_DSS; BITS; GAAP; AICPA; BSI; CCM; COPPA; CSA
• Surveys.

Incentivized

BWIse is very flexible, and an affordable GRC tool.

Incentivized

Overall it is a very versatile system that does help to keep our processes automated and secure. We are able to streamline our day to day activities.

Incentivized

BWise support is knowledgeable and responsive. Bug fixes and development are also timely and ongoing.

Incentivized

The main issues were managing the internal conflicts and competing objectives, rather than the capability and implementation of BWise itself.

Incentivized

BitSight Security Ratings ranks evenly with SecurityScorecard and both below OneTrust for our use case. We needed a platform that would let us define risk for our organization and weight scores differently based on data sensitivity. BitSight and SecurityScorecard are aggregate data that can provide insight into the security habits of a potential vendor and should be considered as an addition to most vendor management projects. However, they both provide metrics based on hygiene and not on data-defined risk. In concert with a platform to evaluate risk based on data and to inform the overall evaluation of a vendor, BitSight Security Ratings can be made to shine. Just understand that you may have to validate some data.

Incentivized

Wasn't personally involved in the vendor selection process. I am aware that one of the main drivers for selecting BWise was cost (I believe BWise total project cost was several times lower than MetricStream's).

Incentivized

• Wasted resource hours cleaning up data to correct erroneous risk score.
• Extra time spent addressing calls from clients about erroneous risk score data.
• Extra time validating risk score provided by BitSight Security Ratings for potential vendors to ensure valid data.

Incentivized

• Pre-built training courses for certification that have a higher ROI than building your own courses.
• Helped customers training their personnel to achieve multiple management system certifications.

Incentivized