A Boston-area start-up called Bitsight is pulling in investor money so quickly, a total of $95 million, that it doesn’t know what to do with it all … yet.
And what does Bitsight do, to justify this level of investment? It examines company websites, evaluates them for the quality of their website security, and assigns them a rating, much like a credit score.
How do they do it? There’s a bit of proprietary secret sauce in how the company evaluates the security of a website, but what’s particularly interesting is that they do it all with publicly available information. And that raises another fascinating aspect of the business: the companies that Bitsight rates are not its clients. Bitsight is not an online security consultant with an automated assessment tool. Indeed, it has evaluated over 60,000 websites to date, and ultimately may evaluate tens or even hundreds of thousands of websites.
Why would anyone want this information? The uses for this data are surprisingly numerous. You can sell it in the form of a benchmark products to the companies you have rated. What IT manager wouldn’t want to know how their company stacks up against its peers? A better opportunity is to help insurance companies properly price data breach insurance policies.
But perhaps the best opportunity is to help big companies evaluate and manage risk with their vendors – a huge issue as a number of headline-grabbing recent data breaches resulted from a company’s network being penetrated via one of its vendors that was connected to it.
While Bitsight may look like a cutting edge analytics company, what’s significant is that so much of its business model is drawn from very basic approaches used by many other data publishers. It is aggregating publicly-available data into a database. It normalizes this information, then applies an algorithm to assess it and produce comparable company ratings. It sells this data product for internal benchmarking, risk management and due diligence applications.
In short, despite its high tech trimmings, Bitsight very much has data publishing DNA. It is also a great example that data products don’t have to be perfect right out of the gate. By relying on public information, Bitsight can’t possibly know everything about the security of a company’s website. But by relying just on public data, it can quickly build a large database of comparable company ratings using a credible methodology and solve market needs that require a certain scale of coverage. If you’re the first data provider serving a serious market need, you can launch with good-enough data and improve it over time. Trying to perfect your data prior to launch can mean missing the opportunity entirely.