Deal aligns cybersecurity business metrics with IT risk mitigation to bridge the perpetual communications gap between business executives and CISOs.

With the recent avalanche of security breaches including Target, Home Depot, and JP Morgan Chase, cybersecurity companies have become financial darlings from Wall Street to Sand Hill Rd. Investors on both coasts are looking for the next major IPO or acquisition to cash in on the dangerous threat landscape.

Along those lines, there was an interesting cybersecurity acquisition announced this morning. Massachusetts-based BitSight, a cybersecurity rating service provider, acquired AnubisNetworks, a threat intelligence firm based in Portugal. Now, it’s likely that the technical analysts in lower Manhattan and the Chardonnay-drinking VCs in Palo Alto will overlook this low-dollar merger, but there is more here than money alone. The combination of BitSight and Anubis has the potential to unite alien populations – business and technology groups.

BitSight provides a number of cybersecurity ratings services for benchmarking and third-party risk management. Want to know how your organization compares with others in the industry in terms of cybersecurity? Want to get a feel for your business partner’s infosec practices and get serious about cyber supply chain security? BitSight provides answers to these questions in a format that’s been missing in the past – data. Business folks love this stuff because BitSight rating services deliver metrics they can understand rather than technical jargon they can’t. Armed with actual data, business executives can actually connect with CISOs, prioritize actions, and see what increasing cybersecurity budgets buy.

OK, so the business guys get what they want – a map of the cybersecurity risk landscape. Great start, but CISOs want to translate these metrics into a more specific technical defense-in-depth plan. This is precisely where AnubisNetworks comes in.
Anubis takes global threat intelligence and puts it into an organization-specific context about system compromises, darknet chatter, email security trends, and data leakage. Security professionals can then translate this threat intelligence into remediation priorities.

The deal also has future upside for BitSight/Anubis. Why? As a threat intelligence specialist, Anubis is based on a globally located, extensible data collection and analytics platform. This will enable BitSight/Anubis to add and correlate other data feeds for comprehensive cybersecurity coverage and more tailored services.

According to ESG research, 29% of enterprises rate commercial threat intelligence as “highly effective” in helping them mitigate cybersecurity risk (note: I am an ESG employee). Furthermore, 57% of “advanced” organizations rate commercial threat intelligence as “highly effective” in helping them mitigate cybersecurity risk (note: ESG used a scoring system and segmentation model to divide the total survey population into three groups based upon their cybersecurity skills, resources, and use of best practices: advanced organizations, progressing organizations, and basic organizations).

In analyzing this trend further, organizations that find commercial threat intelligence “highly effective” for risk mitigation tend to share the intelligence across the organization, build collaboration and communications processes for threat sharing, and integrate threat intelligence into automated and manual remediation activities. Great stuff, but still missing some type of business affinity to bring corporate boards and “C-level” executives into cybersecurity strategy. The BitSight/Anubis deal recognizes this missing link and is intent upon bridging the historically prolific business/technology communications gap.