Educause Security Discussion mailing list archives

Any thoughts on BitSight Security Ratings/Scores?


From: Jeff McCabe <j-mccabe () TAMU EDU>
Date: Wed, 8 Oct 2014 18:07:38 +0000

Colleagues,

Some on our campus have expressed concern over the current practices of BitSight Tech 
(https://service.bitsighttech.com/my-company/) in their reporting/comparisons/ratings of an institution's information 
or network security.  They look at publicly available information off the network and supposedly report adware, 
botnets, etc. and generate a score for your institution's level of security (basic, intermediate, advanced) with a 
comparison to your industry group.  One of the concerns expressed here is that there is no validation and this could 
falsely besmirch the reputation of a public university.  For example, at a public university, the public can go to 
certain places and use their personal devices (which might be infected).  These public areas might be isolated so as 
not to be of concern to the rest of the campus network, but would appear to BitSight as a higher-risk situation than they 
actually are.  Their approach might seem to have more value for a relatively homogeneous and highly controlled business 
environment as opposed to a public university.  Have any of you taken a look at this (your "score")?  Do you have any 
concerns?

(Their comparison of athletic conferences: 
http://www.zdnet.com/us-universities-at-greater-risk-for-security-breaches-than-retail-and-healthcare-bitsight-7000032843/)

Best regards,
Jeff
