The Total Economic Impact™ Of Bitsight

Cost Savings And Business Benefits Enabled By Bitsight

A Forrester Total Economic Impact™ Study Commissioned By Bitsight, August 2024

Switch between the study data and your custom data below. Answering the questions on the 'Custom Data' tab will allow you to customize the analysis and estimate the potential impact of using a Total Economic Impact study.

Study Data Custom Data

Study Data

Annual revenue

Total number of employees

Number of IT security employees

Number of third-party vendors

New third-party vendors assessed and onboarded per year

Percentage of time IT security team dedicates to external surface management

Advanced inputs

Advanced Input 1

Your Organization

Your company name

Annual revenue

Total number of employees

Number of IT security employees

Number of third-party vendors

New third-party vendors assessed and onboarded per year

Percentage of time IT security team dedicates to external surface management

Advanced inputs

Advanced Input 1

Cyber risk for the modern enterprise now extends well beyond the corporate network. As businesses increasingly rely on third parties, workloads move to the cloud, and employees work from anywhere on any device, leaders are challenged with managing the complexity of risks across an expanding attack surface. Meanwhile, the frequency, severity, and consequence of attacks are increasing, driving even more cyber regulations and a dramatic increase in the number of stakeholders requiring reporting on cyber performance. Bitsight helps organizations address these challenges by enabling risk and security leaders to identify exposure, prioritize investment, communicate with stakeholders, and mitigate risk across their digital infrastructure.

Bitsight provides a unified experience to manage both first-party and supply chain risk. Bitsight External Attack Surface Management enables organizations to identify assets and manage exposure across their digital footprint. Meanwhile, Bitsight’s Third-Party Risk Management provides data-driven workflows to manage the entire third-party cyber risk lifecycle, from assessments and onboarding to continuous monitoring and incident response. Governance, analytics, and board-level reporting are integrated into the solution to enable leaders to communicate cybersecurity performance to regulators and other stakeholders. With Bitsight, companies can reduce the probability and associated costs of a security breach; save time managing exposure risk across their extended digital footprint; reduce time onboarding and monitoring third parties, and drive cost efficiencies reporting on cyber performance.

Bitsight commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Bitsight.¹ The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Bitsight on their organizations.

Return on investment (ROI)

297% 297%

Net present value (NPV)

$2.98M$2.98M

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed five representatives from four organizations with experience using Bitsight. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization that is an organization with $10 billion in annual revenue and 25,000 employees.

Most interviewees reported that prior to adopting Bitsight, their organizations lacked tools to monitor their third parties or their own first-party exposure. Their processes often relied on manual and outdated methods for assessing their third parties and external attack surface, leaving them vulnerable to emerging threats. In addition, the interviewees’ organizations struggled with the onboarding of vendors and other third parties, leading to delays, security gaps, and potential compliance issues. The absence of proactive first-party monitoring and real-time insights made it challenging to assess their exposure to external cyberthreats. Resource constraints, particularly among security engineers, further hindered their ability to manage the growing volume of both first- and third-party risks.

The interviewees’ organizations used Bitsight’s external attack surface management and third-party risk management solutions to mitigate the risk of both first- and third-party attacks. They also realized significant time savings for their security, reporting, and compliance teams. By leveraging Bitsight’s risk assessment capabilities, interviewees noted their organizations gained easy-to-understand insights into the security posture of their third parties and identified potential vulnerabilities in their security ecosystem. By automatically collecting and analyzing data on the security posture of third-party organizations, Bitsight reduced the amount of time the interviewees’ organizations spent vetting vendors and sending out security questionnaires. Furthermore, the interviewees were able to use Bitsight to quickly generate reports on the security posture of their own organizations as well as the posture of their suppliers, saving their reporting and compliance staff hours of work.

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

Reduced risk of first- and third-party breaches. The composite organization uses Bitsight’s external attack surface management and third-party onboarding and continuous monitoring to reduce the risk of a security breach. With Bitsight, the composite organization identifies previously unknown vulnerabilities or identifies vulnerabilities quicker than it otherwise would, enabling it to proactively address risks with actionable recommendations and insights for improving its security posture. By reducing the likelihood of a breach, both from third parties or external first-party attacks, the composite organization avoids the direct damage, revenue loss, reputational harm, and productivity impact that comes with breaches. The reduced risk of a breach is worth a risk-adjusted $2.3 million to the composite organization over the course of the three-year analysis.

For , reduced risk of first- and third-party breaches might be worth over three years.

Reduced vendor onboarding time by up to 70% and reduced time spent managing and monitoring third parties by 30%. With Bitsight, the composite organization reduces the amount of time its security team devotes to a range of third-party risk management tasks, including vetting third parties, onboarding new vendors, monitoring third parties, and prioritizing threats. During the three-year analysis, these time savings are worth a risk-adjusted $957,000 to the composite organization.

For , vendor onboarding time and time spent managing and monitoring third parties might be worth over three years.

Reduced time spent on external attack surface management by up to 20%. Bitsight not only saves time on managing third-party risks, but it also reduces the time that the composite’s IT security team spends on identifying infrastructure changes, vulnerabilities, and other issues in its external attack surface and responding to first-party threats. Over three years, the external surface management time savings are worth $734,000 to the composite.

For , reduced time spent on external attack surface management might be worth over three years.

Reduced the amount of employee time dedicated to reporting and compliance tasks by up to 40%. Bitsight enables the composite organization to automatically collect and analyze third-party security data, eliminating the need for manual data gathering and aggregation. The composite also leverages Bitsight’s prebuilt dashboards, leading to time savings for employees that create security reports for executive presentations or have to meet regulatory requirements. Over three years, the reporting and compliance time savings are worth $32,000 to the composite.

For , reduced employee time dedicated to reporting and compliance tasks might be worth over three years.

Unquantified benefits. Benefits that provide value for the interviewees’ organizations but are not quantified for this study include:

Improved executive buy-in for security initiatives. According to interviewees, Bitsight simplified security KPIs into user-friendly ratings, enabling executives without security expertise to comprehend the urgency of security initiatives. As executives gained more understanding of the overall security posture, they were more likely to prioritize security investments.

Cybersecurity insurance cost savings. Some interviewees mentioned that using Bitsight helped them demonstrate a commitment to security to their insurance underwriters, helping them avoid increases to their cybersecurity insurance premiums. By emphasizing the presence of Bitsight and its ability to provide insights into third-party risk, the interviewees’ organizations showcased their risk scores and targets.
Improved scalability. The interviewees noted their organizations were able to modulate their Bitsight costs based on their growth targets. The flexibility in cost allowed them to scale their cybersecurity investment alongside their business needs, promoting efficient resource allocation.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

Bitsight license costs. The composite organization incurs costs to use Bitsight’s third-party risk management and external attack surface management tools. Over the three-year analysis, these fees amount to $638,000.

For , Bitsight license costs over three years might total .

Implementation and ongoing management costs. The composite organization dedicates a small internal team to implementing Bitsight and managing the platform on an ongoing basis. Over three years, the internal labor costs associated with Bitsight are $367,000.

For , implementation and ongoing management costs over three years might total .

The representative interviews and financial analysis found that a composite organization experiences benefits of $3.99 million over three years versus costs of $1.01 million, adding up to a net present value (NPV) of $2.98 million and an ROI of 297%.

might experience benefits of over three years versus costs of and an ROI of .

Reduction in risk of external or third-party breach

45%

“Bitsight gives us the visibility into all the risks that we have out there for all of the use cases. It gives us confidence that we know what we have out there, and it allows us to be accountable.”

Head of information security, consulting

“If you want a flexible solution for identifying, remediating, and managing risk that also reduces your internal resourcing needs and has demonstrable risk reduction benefits, then pick Bitsight.”

Manager of third-party risk, medical devices

Key Statistics

Return on investment (ROI)

297% 297%

Benefits PV

$3.99M$3.99M

Net present value (NPV)

$2.98M$2.98M

Payback

<6 months<6 months

Benefits (Three-Year)

Risk reduction from Bitsight Third-party risk management time savings External surface management time savings Reporting and compliance time savings

TEI Framework And Methodology

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Bitsight.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Bitsight can have on an organization.

Due Diligence

Interviewed Bitsight stakeholders and Forrester analysts to gather data relative to Bitsight.
Interviews

Interviewed five representatives at four organizations using Bitsight to obtain data about costs, benefits, and risks.
Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.
Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Disclosures

Readers should be aware of the following:

This study is commissioned by Bitsight and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Bitsight. For the interactive functionality using Configure Data/Custom Data, the intent is for the questions to solicit inputs specific to a prospect’s business. Forrester believes that this analysis is representative of what companies may achieve with Bitsight based on the inputs provided and any assumptions made. Forrester does not endorse Bitsight or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, Bitsight and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and Bitsight make no warranties of any kind.

Bitsight reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Bitsight provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Matt Dunham

Adi Sarosa

Drivers leading to the Bitsight investment

Interviews

Role	Industry	Number Of Employees	Annual Revenue
Head of information security	Consulting	7,000	$1 billion
Manager of information security Director of information security	Industrial services	35,000	$30 billion
Manager of third-party risk	Medical devices	>50,000	$20 billion
Security advisor	Energy	25,000	$25 billion

Key Challenges

Before adopting Bitsight, the interviewees’ organizations lacked comprehensive tools to proactively onboard and monitor their third parties and their external attack surface. The interviewees noted how their organizations struggled with common challenges, including:

A lack of visibility into their first-party and third-party threat landscape. Interviewees struggled with a lack of visibility into their security posture, especially when it came to third parties. The lack of visibility made it challenging to identify and address potential vulnerabilities from both first-party and third-party attack vectors. The head of information security at a consulting organization stated: “Before Bitsight came along, we didn’t have a third-party tool that looked at us. We ran our own vulnerability management and had our own processes and that was all nice and cute, but we had no visibility. We maybe had some alerting here and some scanners running, but that was never the full picture.”
Cumbersome vendor onboarding and monitoring process. Interviewees shared that prior to Bitsight, vendor onboarding and monitoring was a tedious and manual process. Security teams spent hours sifting through supplier documentation and security questionnaires, wasting time that could be spent on proactive threat hunting. The process became even more complicated as the number of vendors the interviewees’ organizations relied on grew, creating a constant game of catch-up for security professionals. The director of information security at an industrial services firm described their legacy vendor monitoring process: “Between the questionnaires, spreadsheets, and documentation, everything was manual. … We would send out the questionnaire to the vendor and we would spend time chasing down the vendor. … There was no way for us to know what risk any vendor was actually bringing into our environment and there was no way to continuously track it.”
Difficulty articulating the value and prioritization of cybersecurity initiatives to executives. Interviewees noted that they lacked a way to clearly communicate their risk profile to executives prior to their adoption of Bitsight. Without a clear understanding of their organizations’ vulnerability landscape or the potential financial and reputational damage a security incident could cause, leadership was reluctant to allocate security and IT teams with the necessary resources. A security advisor at an energy organization reported: “Life before Bitsight involved a very anecdotal approach to security. On the first-party side, we didn’t have a tool that allowed executives to have an educated perspective into cybersecurity. We had no way of translating what cybersecurity was supposed to look like to someone who wasn’t an expert. … It was much more difficult to get executive buy-in when we were throwing around technical jargon.”
A changing compliance landscape. The interviewees noted that they had to comply with an array of industry standards and mandates, many of which had strict requirements for third-party monitoring. Interviewees also reported devoting hours to collecting and analyzing mountains of data internally and from third-party vendors to prove that they met risk management requirements. The security advisor at the energy organization detailed the regulatory challenges, stating, “We are an ISO 27001 shop and, according to that framework, there is an obligation that we have to monitor our third parties in an ongoing fashion.” This interviewee went on to say that prior to Bitsight, they had to manually determine the likelihood of a third-party breach, which took their employees hundreds of hours.

Solution Requirements

The interviewees’ organizations searched for a solution that could:

Provide a comprehensive tool for managing exposure risk across their digital infrastructure.
Allow the organizations to monitor their overall risk exposure.
Streamline vendor onboarding and continuous monitoring.
Enable employees to save time on manual reporting and compliance-related tasks.
Clearly communicate the value of cybersecurity projects to nontechnical audiences.

“Before Bitsight, monitoring our suppliers was an extremely tedious process. We couldn’t do this for every vendor because it was too much effort, so we reduced it to the most important ones.”

Head of information security, consulting

“I can say for sure that seeing the external attack surface management tool in action instills confidence in my team and puts our mind right at ease.”

Head of information security, consulting

“If a vendor’s risk profile changed because they got hacked or their financials were going down the drain, we had no way of knowing that was happening [prior to Bitsight].”

Manager of information security, industrial services

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the five interviewees, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

Description of composite. The composite organization is headquartered in the US with global operations. It has $10 billion in annual revenue and 25,000 employees. Prior to deploying Bitsight, the composite organization relied on outdated risk assurance reports to evaluate the cyber risk of its third parties. Additionally, the composite organization dedicated internal resources to onboard new vendors, assess its susceptibility to first-party and third-party threats, and create risk assessment reports for internal executives and regulators.

Deployment characteristics. The composite organization deploys Bitsight’s third-party risk management and external attack surface management capabilities. With Bitsight, it monitors 150 critical third parties in Year 1, 200 in Year 2, and 250 in Year 3.

Key Assumptions

$10 billion in annual revenue
25,000 employees
Uses Bitsight’s Third-Party Risk Management and External Attack Surface Management tools

Quantified benefit data as applied to the composite

Total Benefits

Ref.	Benefit	Year 1	Year 2	Year 3	Total	Present Value
Atr	Risk reduction from Bitsight	$910,577 $910,577	$910,577 $910,577	$910,577 $910,577	$2,731,730 $2,731,730	$2,264,470 $2,264,470
Btr	Third-party risk management time savings	$225,777 $225,777	$378,336 $378,336	$583,959 $583,959	$1,188,072 $1,188,072	$956,664 $956,664
Ctr	External surface management time savings	$187,935 $187,935	$298,817 $298,817	$420,974 $420,974	$907,726 $907,726	$734,090 $734,090
Dtr	Reporting and compliance time savings	$10,530 $10,530	$12,776 $12,776	$15,163 $15,163	$38,470 $38,470	$31,524 $31,524
	Total benefits (risk-adjusted)	$1,334,819 $1,334,819	$1,600,506 $1,600,506	$1,930,674 $1,930,674	$4,865,998 $4,865,998	$3,986,748 $3,986,748

Risk Reduction From Bitsight

Evidence and data. Interviewees reported that using Bitsight’s vendor risk management, continuous monitoring, security ratings, and external attack surface management tools improved their organizations’ security posture, reducing the risk of external attacks targeting their organizations or attacks through a third party. On the third-party side, interviewees noted Bitsight scanned and assessed the security posture of vendors, collecting data from a wide range of sources including their organizations’ own internal network scanning, external data feeds, public records, and data breaches. Bitsight also gave the interviewees’ organizations visibility into first-party risk, including potentially compromised systems, information on assets and infrastructure, and shadow IT, further reducing the risk of a breach. Equipped with this data on first- and third-party security performance, the interviewees were able to address vulnerabilities proactively, minimizing their risk exposure.

Interviewees noted that previously, they were not able to monitor nearly as many of their vendors as they were able to with Bitsight, leaving their organizations vulnerable to third-party security incidents. The head of information security at a consulting organization stated: “Currently we actively monitor 238 vendors. … Previously, we could only monitor 20% of those vendors.”
The manager of third-party risk at a medical devices organization described the impact of being able to proactively identify and remediate third-party security vulnerabilities: “Over the course of a year, we’re probably remediating 40 to 50 suppliers [with Bitsight]. If even 10% of those 40 suppliers had an impacting event that’s $8 million of direct impact to our supply chain. I can’t even quantify the reputational impact.”
Interviewees noted that the security ratings provided by Bitsight helped their teams understand the security posture of their vendors, as well as how it changed in recent months. The manager of information security at an industrial services firm shared, “We know at any given time what a vendor’s risk rating is and if there are any changes to that risk rating, and that is very valuable insight that we did not have before.”
The head of information security at a consulting firm described how Bitsight’s external attack surface management tool reduced their first-party risk: “Bitsight impacts both the decreased probability of an incident as well as how significant the potential event would be. Connected to that is reputation, which is very important for us. As soon as we have an incident, even if it is minor, some clients will steer away. … Bitsight gives us the ability to fix something right away before it’s exploited.”
The manager of information security at an industrial services firm went on to break down the overall risk reduction their organization had seen from Bitsight: “Bitsight’s continuous monitoring tool scans our external surfaces to identify potential areas of risk that may be used as an attack vector. The tool is very detailed in what it provides in the areas of potentially compromised systems, email controls, SSL [secure sockets layer] configurations, open ports, web apps, patching, and software. The tool itself allows us to identify and prioritize areas of risk, assign them to an individual for correction, and track that progress to closure. … Ultimately, this allows us to identify, manage, and reduce the risk of a breach.”
The interviewees reported that overall, Bitsight gave them stronger visibility into their organizations’ first-party cybersecurity posture. The head of information security at a consulting firm described the improvement in the data gathered by Bitsight compared to their legacy state: “Bitsight gave us more technical detail, more accurate detail, and faster status changes when something happened. I want to know if something happens before a client asks me about it and I have to react and explain it. It became pretty clear that with Bitsight, we were able to see threat data faster.”

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

Without Bitsight, the composite organization had an 89% chance of experiencing one or more breaches in a year.²

Without Bitsight, might have a 0% chance of experiencing one or more breaches in a year.

The mean cumulative cost of total breaches per year totals $5.8 million for the composite organization.³

The mean cumulative cost of total breaches per year might be $0 for .

Nearly half (49%) of breaches originate from either external attacks targeting the organization or attacks on third parties.⁴
Overall, the composite organization reduces its risk of external and third-party breaches by 45% with Bitsight. This includes a 75% reduction in the likelihood of a breach from a third-party vulnerability.

Overall, might reduce is risk of external and third-party breaches by 45% with Bitsight.

Risks. The risk reduction benefit can vary depending on:

Third-party threat detection and remediation capabilities in the legacy environment.
The first-party security tools that an organization uses alongside Bitsight.
Incidence rate and cumulative financial impact of first- and third-party breaches in the legacy environment.
The types of attacks and breaches in the previous environment.
The size and industry of the organization.

Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.3 million.

For , this benefit might have a three-year, risk-adjusted total PV of .

75%

Reduction in risk of a third-party breach

“The risk of a breach has definitely decreased. Bitsight’s attack surface management allows for a faster detection of shadow IT assets that pop up no matter how resilient your processes are. It also speeds up the detection of risky configuration changes in existing assets.”

Head of information security, consulting

“Bitsight is part of the solution to get us insight into what’s going on in real time. You know in a timely manner if something is going on with a vendor.”

Manager of information security, industrial services

Risk Reduction From Bitsight

Ref.	Metric	Source	Year 1	Year 2	Year 3
A1	Likelihood of experiencing at least one breach per year	Forrester research	89%89%	89%89%	89%89%
A2	Mean cumulative cost of breaches for enterprises	Forrester research	$5,800,000$5,800,000	$5,800,000$5,800,000	$5,800,000$5,800,000
A3	Percentage of breaches originating from external and third-party attacks	Forrester research	49%49%	49%49%	49%49%
A4	Annual risk exposure from external and third-party attacks	A1A2A3	$2,529,380$2,529,380	$2,529,380$2,529,380	$2,529,380$2,529,380
A5	Reduced risk of external and third-party breaches after adopting Bitsight	Interviews	45%45%	45%45%	45%45%
At	Risk reduction from Bitsight	A4*A5	$1,138,221 $1,138,221	$1,138,221 $1,138,221	$1,138,221 $1,138,221
	Risk adjustment	↓20%
Atr	Risk reduction from Bitsight (risk-adjusted)		$910,577 $910,577	$910,577 $910,577	$910,577 $910,577
Three-year total: $2,731,730 $2,731,730			Three-year present value: $2,264,470 $2,264,470

Third-Party Risk Management Time Savings

Evidence and data. After adopting Bitsight, the interviewees streamlined a variety of third-party risk management processes, leading to significant time savings.

Interviewees noted that with Bitsight, there was no need to manually send out extensive security questionnaires to vendors and prod the third parties to respond, as the platform automatically collected and analyzed their vendors’ security data. The head of information security at a consulting firm stated: “Monitoring our suppliers was an extremely tedious process. In some cases, you had to do pen tests, you had to send them the boring questionnaires, it was a lot of manual processes, and it took between half a day or a day to do a proper check. We could not do it for every vendor because it was just too much effort. Using Bitsight, it now takes less than 10 minutes per company. You just type in their information, get the results, and based on the report, decide if they are good or if they are problematic.”
The manager of third-party risk at a medical devices organization agreed that Bitsight reduced the amount of time their security team devoted to third-party risk management: “If I didn’t have Bitsight, I would need three full-time employees to support me doing day-to-day risk rating, monitoring, and remediation activities. For deep-dive risk assessments, we’d need another five-plus risk analysts.”

Modeling and assumptions. For the financial model, Forrester assumes the following about the composite organization:

The composite organization has a 50-person IT security team, which devotes 15% of their time to monitoring and managing third-party vulnerabilities in Year 1. As they onboard more vendors, the time required to monitor vulnerabilities increases to 20% in Year 2 and 25% in Year 3. The IT security team grows to 53 employees in Year 2 and 56 in Year 3.

has an IT security team of 0, which devotes 0% of their time to monitoring and managing third-party vulnerabilities in Year 1. The time required increases to 0% in Year 2 and 0% in Year 3. The IT security team grows to 0 employees in Year 2 and 0 in Year 3.

With Bitsight, the composite reduces the amount of time its team spends on managing third-party vulnerabilities by 20% in Year 1, 25% in Year 2, and 30% in Year 3.

With Bitsight, might reduce the amount of time its team spends on managing third-party vulnerabilities by 20% in Year 1, 25% in Year 2, and 30% in Year 3.

The composite organization onboards 50 new third-party vendors annually. In the prior environment, it took 12 hours of FTE labor to onboard each new vendor.

onboards 0 new third-party vendors annually.

With Bitsight, the composite organization reduces the amount of time devoted to vendor onboarding by 70%.

With Bitsight, might reduce the amount of time devoted to vendor onboarding by 70%.

The fully burdened hourly rate for an IT security team FTE is $71.

Risks. Third-party risk management time savings can vary based on:

The size of IT security team and the percentage of time dedicated to third-party risk management.
The IT security team’s efficiency in the legacy environment.
The fully burdened hourly rate of IT security staff.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $957,000.

For , this benefit might have a three-year, risk-adjusted total PV of .

20% to 30%

Reduction in employee time dedicated to third-party vendor monitoring

“There is a whole gamut of risk items that we can now do on a daily basis as opposed to worrying about tracking down a vendor that has not responded to our questionnaire.”

Manager of information security, industrial services

Third-Party Risk Management Time Savings

Ref.	Metric	Source	Year 1	Year 2	Year 3
B1	Size of IT security team	CompositeComposite	5050	5353	5656
B2	Percentage of time dedicated to monitoring and managing third-party vulnerabilities	CompositeScaled for	15%15%	20%20%	25%25%
B3	Reduced time spent on monitoring and managing third-party tools with Bitsight	Interviews	20%20%	25%25%	30%30%
B4	Subtotal: Hours saved on third-party risk management tasks	B1B2B3*2,080 hours	3,1203,120	5,5125,512	8,7368,736
B5	Number of third-party vendors onboarded annually	CompositeComposite	5050	5050	5050
B6	Time required to onboard a new vendor prior to Bitsight (hours)	Interviews	1212	1212	1212
B7	Reduced time spent onboarding new vendors	Interviews	70%70%	70%70%	70%70%
B8	Subtotal: Hours saved on onboarding third-party vendors	B5B6B7	420420	420420	420420
B9	Fully burdened hourly rate for an IT security FTE	TEI standard	$71 $71	$71 $71	$71 $71
Bt	Third-party risk management time savings	(B4+B8)*B9	$250,863 $250,863	$420,373 $420,373	$648,843 $648,843
	Risk adjustment	↓10%
Btr	Third-party risk management time savings (risk-adjusted)		$225,777 $225,777	$378,336 $378,336	$583,959 $583,959
Three-year total: $1,188,072 $1,188,072		Three-year present value: $956,664 $956,664

External Surface Management Time Savings

Evidence and data. Bitsight enabled the interviewees’ organizations to reduce the amount of employee time dedicated to managing their external attack surface. The interviewees shared that Bitsight empowered them to automate the scanning and identification of vulnerabilities, reducing the amount of employee effort that was required for threat detection. The head of information security at a consulting firm stated: “Once Bitsight came along, we were able to streamline the process of monitoring ourselves. It definitely saved a lot of time because now we get an alert, and we can quickly identify the system. We see a recommendation on how to remediate it, and it takes 5 minutes to send the message to the affected team.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

The composite’s 50-person IT security team devotes 30% of their time to external attack surface management tasks.

’s IT security team of devotes 0% of their time to external attack surface management tasks.

With Bitsight, the composite reduces the amount of time its IT security team spends manually scanning for attack surface vulnerabilities, leading to a productivity gain of 10% in Year 1, 15% in Year 2, and 20% in Year 3.

With Bitsight, might reduce the amount of time its IT security team spends manually scanning for attack surface vulnerabilities, leading to a productivity gain of 10% in Year 1, 15% in Year 2, and 20% in Year 3.

The fully burdened hourly rate for an IT security team FTE is $71.

Risks. First-party risk management time savings can vary based on:

The size of IT security team and the percentage of time dedicated to external attack surface management.
The IT security team’s efficiency in the legacy environment.
The security tools used alongside Bitsight.
The fully burdened hourly wage of IT security staff.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $734,000.

For , this benefit might have a three-year, risk-adjusted total PV of .

10% to 20%

Time savings on external surface management tasks

External Surface Management Time Savings

Ref.	Metric	Source	Year 1	Year 2	Year 3
C1	Size of IT security team	B1	5050	5353	5656
C2	Percentage of IT security team dedicated to external surface management	CompositeComposite	30%30%	30%30%	30%30%
C3	Reduced time spent on monitoring external surface management	Interviews	10%10%	15%15%	20%20%
C4	Fully burdened hourly rate for an IT security FTE	TEI standard	$71$71	$71$71	$71$71
Ct	External surface management time savings	C1C2C3C42,080 hours	$221,100 $221,100	$351,549 $351,549	$495,264 $495,264
	Risk adjustment	↓15%
Ctr	External surface management time savings (risk-adjusted)		$187,935 $187,935	$298,817 $298,817	$420,974 $420,974
Three-year total: $907,726 $907,726		Three-year present value: $734,090 $734,090

Reporting And Compliance Time Savings

Evidence and data. The interviewees reported that Bitsight streamlined their organizations’ reporting process, enabling employees to easily track and report on developments in their security environments. Interviewees had to create these reports both for their own executives and for regulators.

The interviewees shared that they were subject to various regulations that required them to report on the security posture of their third-party vendors. With Bitsight’s automated reporting capabilities, they could quickly generate comprehensive reports with just a few clicks, consolidating all the necessary security metrics and insights. A security advisor at an energy firm described the new compliance process: “Prior to leveraging Bitsight, we had to manually monitor vendors for the likelihood of an incident. Now, the likelihood of an incident is determined by the Bitsight rating, which has saved us hundreds of hours.”
The manager of third-party risk at a medical devices firm agreed that Bitsight greatly streamlined compliance reporting and noted that it enabled them to avoid hiring another employee: “I would not be able to address all of the regulatory requirements without Bitsight. We would have to hire another resource to handle the regulatory items that are emerging from third-party risk management.”
With Bitsight, the interviewees’ organizations could also quickly create concise and visually appealing security dashboards that they shared internally, including with executives. The manager of information security at an industrial services firm stated: “With Bitsight, we can create 20 to 30 different templated reports that range all the way from a high-level executive summary down to a detailed report on each vulnerability that Bitsight is seeing from the vendor. It’s much more robust than what we had in place previously. … We’re saving at least an hour per report.”

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

Prior to adopting Bitsight, the composite devotes 50 to 54 hours of employee labor per month to creating compliance and executive-level reports.

Prior to adopting Bitsight, might devote 0 to 0 hours of employee labor per month to creating compliance and executive-level reports.

With Bitsight, it reduces the amount of employee time on reporting by 30% in Year 1, 35% in Year 2, and 40% in Year 3.
The fully burdened hourly rate for a reporting and compliance staff FTE is $65.

Risks. The reporting and compliance time savings will vary depending on:

Regulation-specific reporting requirements.
The efficiency of reporting process in the legacy environment.
The fully burdened wage of employees on the reporting and compliance teams.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $32,000.

For , this benefit might have a three-year, risk-adjusted total PV of .

30% to 40%

Reporting efficiency gain

“We use Bitsight to report on security incidents and ratings. We’re saving dozens of hours per month with Bitsight-centered reporting.”

Security advisor, energy

Reporting And Compliance Time Savings

Ref.	Metric	Source	Year 1	Year 2	Year 3
D1	Number of internal employee hours required to create risk and compliance reports in prior environment (monthly)	CompositeScaled for	5050	5252	5454
D2	Reduction in time spent on risk and compliance reporting with Bitsight	Interviews	30%30%	35%35%	40%40%
D3	Hours saved on risk and compliance reporting with Bitsight (annually)	D1D212 months	180180	218218	259259
D4	Fully burdened hourly rate for a reporting and compliance staff FTE	TEI standard	$65$65	$65$65	$65$65
Dt	Reporting and compliance time savings	D3*D4	$11,700 $11,700	$14,196 $14,196	$16,848 $16,848
	Risk adjustment	↓10%
Dtr	Reporting and compliance time savings (risk-adjusted)		$10,530 $10,530	$12,776 $12,776	$15,163 $15,163
Three-year total: $38,470 $38,470		Three-year present value: $31,524 $31,524

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

Improved executive buy-in for security initiatives. The interviewees reported that Bitsight simplifies complex security metrics into intuitive, credit score style ratings, allowing nonexperts on the executive team to understand the importance of complex security initiatives. While executives might not immediately grasp the urgency of a particular threat, Bitsight’s metrics helped them understand how a drop in their security score correlates with the risk of a breach, enabling them to make more informed decisions and prioritize investments in security initiatives. A security advisor at an energy firm described the change: “Without the interpretability of the Bitsight rating, it becomes much more difficult to get executive buy-in. We would be throwing around technical jargon, as opposed to saying, ‘This is an F rating, we need to get it up to a C, otherwise we’re five times likelier to suffer an incident.’”
Decreased cybersecurity insurance costs. Some interviewees noted that using Bitsight helped them demonstrate a proactive security approach to their insurance underwriters, which led to them avoiding hikes to their premiums. The manager of information security at an industrial services firm stated: “In our presentation to our underwriters, we made a big deal of the fact that we had Bitsight and that we had this view into third-party risk. We showed them our risk score as well as the risk score we’re aiming for. One underwriter kept the premium flat compared to last year, while another underwriter dropped it by $45,000. I can’t pin that all to Bitsight, but I’m sure it had some impact.”
Improved scalability. Interviewees shared that Bitsight enabled them to monitor more vendors without drastically increasing their risk management costs, allowing their organizations to scale efficiently. The manager of third-party risk at a medical devices company described the benefit: “My job is to let our company grow as fast as it wants to while maintaining the same level of risk. This means I have to be able to monitor more risk if the company is growing quickly, and I have to be able to downsize my risk management if the company is shrinking. With Bitsight, I have the ability to do both of these things; I can either give money back or expand without greatly increasing my baseline program costs. It absolutely enables growth.”

“Part of the value of Bitsight is that the language and terminology is all easily communicable. We can use their scores and language to communication with internal and external stakeholders, and it’s acceptable by all.”

Head of information security, consulting

Quantified cost data as applied to the composite

Total Costs

Ref.	Cost	Initial	Year 1	Year 2	Year 3	Total	Present Value
Etr	Total Bitsight fees	$0 $0	$234,150 $234,150	$258,300 $258,300	$281,400 $281,400	$773,850 $773,850	$637,755 $637,755
Ftr	Implementation and ongoing management costs	$121,605 $121,605	$98,846 $98,846	$98,846 $98,846	$98,846 $98,846	$418,143 $418,143	$367,420 $367,420
	Total costs (risk-adjusted)	$121,605 $121,605	$332,996 $332,996	$357,146 $357,146	$380,246 $380,246	$1,191,993 $1,191,993	$1,005,175 $1,005,175

Total Bitsight Fees

Evidence and data. Interviewees shared that Bitsight charged their organizations fees for third-party risk management and continuous monitoring, which were based on the number of vendors monitored, and a flat cost for external attack surface management. Pricing may vary. Contact Bitsight for additional details.

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

The composite incurs costs of $147,000 for third-party risk monitoring in Year 1. The annual third-party risk monitoring costs increase to $170,000 and $192,000 in Years 2 and 3, respectively.

might incur costs of $0 for third-party risk monitoring in Year 1, increasing to $0 and $0 in Years 2 and 3, respectively.

The composite incurs fees of $76,000 for external attack surface management.

might incur fees of $0 for external attack surface management.

Risks. Bitsight fees vary depending on:

The number of critical vendors monitored with Bitsight.
The number of Bitsight features deployed.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $638,000.

For , this cost might have a three-year, risk-adjusted total PV of .

Total Bitsight Fees

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
E1	Third-party risk monitoring costs	CompositeScaled for		$147,000$147,000	$170,000$170,000	$192,000$192,000
E2	External surface management costs	CompositeScaled for		$76,000$76,000	$76,000$76,000	$76,000$76,000
Et	Total Bitsight fees	E1+E2		$223,000 $223,000	$246,000 $246,000	$268,000 $268,000
	Risk adjustment	↑5%
Etr	Total Bitsight fees (risk-adjusted)		$0 $0	$234,150 $234,150	$258,300 $258,300	$281,400 $281,400
Three-year total: $773,850 $773,850			Three-year present value: $637,755 $637,755

Implementation And Ongoing Management Costs

Evidence and data. Interviewees reported that a small amount of internal employee labor was required to evaluate, test, and deploy Bitsight during the implementation phase. Internal effort was also required to train new users and manage the platform on an ongoing basis.

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

The composite organization deploys a team of three engineers to evaluate and implement Bitsight. The implementation process takes three months.

might deploy a team of 0 engineers to evaluate and implement Bitsight.

The average fully burdened annual salary for an engineer is $147,400.
During the implementation process, eight engineers are trained on using Bitsight. Initial training takes 8 hours per employee.

During the implementation process, 0 engineers are trained on using Bitsight.

Every year thereafter, the composite trains 10 new engineers on using Bitsight. Because there is more familiarity of Bitsight within the team, these engineers only require 2 hours of training.

Every year thereafter, might train 0 new engineers on using Bitsight.

Ongoing management of Bitsight requires a team of three engineers, each devoting 20% of their time to the platform.

Ongoing management of Bitsight might require a team of 0 engineers, each devoting 20% of their time to the platform.

Risks. Total implementation and ongoing management costs will vary depending on:

The organization’s legacy environment.
The fully burdened hourly rate for engineers.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $367,000.

For , this cost might have a three-year, risk-adjusted total PV of .

Implementation And Ongoing Management Costs

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
F1	Number of engineers required to evaluate and implement Bitsight	CompositeScaled for	33
F2	Months required to evaluate and adopt Bitsight	Interviews	33
F3	Fully burdened annual salary for a security engineer	TEI standard	$147,400$147,400
F4	Subtotal: Initial cost to evaluate and adopt Bitsight	F1(F2/12)F3	$110,550$110,550
F5	Number of security engineers who require training	CompositeScaled for	88	1010	1010	1010
F6	Hours required for initial and ongoing training	Interviews	88	22	22	22
F7	Fully burdened hourly rate for a security engineer	F3/2,080 hours per year	$71$71	$71$71	$71$71	$71$71
F8	Subtotal: Training costs	F5F6F7	$4,544$4,544	$1,420$1,420	$1,420$1,420	$1,420$1,420
F9	Number of FTEs for ongoing management	CompositeScaled for		33	33	33
F10	Percentage of time dedicated to ongoing management of Bitsight	Interviews		20%20%	20%20%	20%20%
F11	Subtotal: Ongoing management costs	F3F9F10		$88,440$88,440	$88,440$88,440	$88,440$88,440
Ft	Implementation and ongoing management costs	F4+F8+F11	$110,550 $110,550	$89,860 $89,860	$89,860 $89,860	$89,860 $89,860
	Risk adjustment	↑10%
Ftr	Implementation and ongoing management costs (risk-adjusted)		$121,605 $121,605	$98,846 $98,846	$98,846 $98,846	$98,846 $98,846
Three-year total: $418,143 $418,143			Three-year present value: $367,420 $367,420

Consolidated Three-Year, Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Total costs Total benefits Cumulative net benefits Initial Year 1 Year 2 Year 3

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

Cash Flow Analysis (Risk-Adjusted Estimates)

	Initial	Year 1	Year 2	Year 3	Total	Present Value
Total costs	($121,605)($121,605)	($332,996)($332,996)	($357,146)($357,146)	($380,246)($380,246)	($1,191,993)($1,191,993)	($1,005,175)($1,005,175)
Total benefits	$0 $0	$1,334,819 $1,334,819	$1,600,506 $1,600,506	$1,930,674 $1,930,674	$4,865,998 $4,865,998	$3,986,748 $3,986,748
Net benefits	($121,605)($121,605)	$1,001,823 $1,001,823	$1,243,360 $1,243,360	$1,550,428 $1,550,428	$3,674,005 $3,674,005	$2,981,573 $2,981,573
ROI						297%297%
Payback						<6 months<6 months

Appendix A: Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

Total Economic Impact Approach

Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

PRESENT VALUE (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
NET PRESENT VALUE (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
RETURN ON INVESTMENT (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
DISCOUNT RATE

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
PAYBACK PERIOD

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

Appendix B: Supplemental Material

Cybersecurity Risk Ratings Remain A Valuable Piece Of The Third-Party Risk Puzzle, Forrester Research Inc., April 7, 2023.

The Cybersecurity Risk Ratings Platforms Landscape, Q1 2024, Forrester Research, Inc., February 22, 2024

¹ Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

² Source: Forrester’s Security Survey, 2023; Base: 432 security decision-makers from organizations with a revenue of at least $1 billion with network, data center, app security, or security ops responsibilities and that have experienced a breach in the past 12 months

³ Source: Forrester’s Security Survey, 2023; Base: 72 security decision-makers from organizations with a revenue of at least $1 billion with network, data center, app security, or security ops responsibilities and that have experienced a breach in the past 12 months

⁴ Source: Forrester’s Security Survey, 2023; Base: 385 security decision-makers from organizations with a revenue of at least $1 billion with network, data center, app security, or security ops responsibilities and that have experienced a breach in the past 12 months

ABOUT FORRESTER CONSULTING

Forrester provides independent and objective research-based consulting to help leaders deliver key transformation outcomes. Fueled by our customer-obsessed research, Forrester’s seasoned consultants partner with leaders to execute on their priorities using a unique engagement model that tailors to diverse needs and ensures lasting impact. For more information, visit forrester.com/consulting.

© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.

Cookie Settings

This website uses cookies to deliver functionality and enhance your experience. GDPR requires that we obtain your consent before activating these cookies. Please accept the use of cookies or review your cookie settings now.

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.

Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.

Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.

Please see our Privacy Policy for more information.

Customize These Results

Customize These Results

Executive Summary

Key Findings

Table Of Contents

Key Statistics

297% 297%

$3.99M$3.99M

$2.98M$2.98M

<6 months<6 months

Benefits (Three-Year)

TEI Framework And Methodology

Due Diligence

Interviews

Composite Organization

Financial Model Framework

Case Study

Disclosures

The Bitsight Customer Journey

Drivers leading to the Bitsight investment

Interviews

Key Challenges

Solution Requirements

Composite Organization

Key Assumptions

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

Risk Reduction From Bitsight

Risk Reduction From Bitsight

Third-Party Risk Management Time Savings

Third-Party Risk Management Time Savings

External Surface Management Time Savings

External Surface Management Time Savings

Reporting And Compliance Time Savings

Reporting And Compliance Time Savings

Unquantified Benefits

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs

Total Bitsight Fees

Total Bitsight Fees

Implementation And Ongoing Management Costs

Implementation And Ongoing Management Costs

Financial Summary

Consolidated Three-Year, Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Cash Flow Analysis (Risk-Adjusted Estimates)

Appendixes

Appendix A: Total Economic Impact

Total Economic Impact Approach

PRESENT VALUE (PV)

NET PRESENT VALUE (NPV)

RETURN ON INVESTMENT (ROI)

DISCOUNT RATE

PAYBACK PERIOD

Appendix B: Supplemental Material

ABOUT FORRESTER CONSULTING