Posted on May 14, 2020
Last year, SecurityScorecard introduced the security industry’s first Trust Portal. The goal was to practice what we preach by providing transparency and visibility into our rating methodology and the performance of our award-winning security ratings platform. This year we’ve taken it a step further and updated our Trust Portal to offer more real-time access to our platform’s back-end data. The Trust Portal “refresh” now includes full disclosure of our cybersecurity risk scoring methodology, provided by our head of data science, Dr. Bob Sohval, PhD, and reports on our swift ability to react to inaccurate findings.
The updates to our industry-first Portal include the deepest level of transparency and truly showcase what’s under SecurityScorecard’s “hood”. The Portal now includes:
To achieve the highest possible accuracy, independent cybersecurity consulting firm Online Business Systems conducted a validation assessment of the accuracy of SecurityScorecard’s platform data. Testing of the digital footprints of 13 randomly selected companies with 1480 IP addresses demonstrated an overall accuracy of 94% for IP attribution. Additionally, the digital footprints of 13 companies with 377 DNS records demonstrated an overall accuracy of 100% for domain attribution. The report explaining these results can be found on the portal.
Part of providing a fair and accurate security ratings scale is allowing any organization to refute a finding associated with its score. All refutes need substantive proof: that IPs or domains are incorrectly associated with a company, that the issues have been resolved, or supporting data for an internal control that cannot be seen by an outside-in, non-intrusive digital footprint scan. Even so, not all refute processes are created equal.
SecurityScorecard maintains a response time for resolving customer-submitted refutes well within the 48-hour service level agreement (SLA) timeframe. Typically, refutes are resolved within hours, not days. Other security ratings providers take weeks or in some cases even months to resolve submitted refutes. A HUGE shoutout to our amazing Customer Reliability Engineer (CRE) team for making this happen! The Portal also now shares our statistics showing the number of refutes submitted each day, with a 7-day trailing average of our response time in resolving those refutes.
We are also taking our customers and prospects a level deeper by providing statistics divided by our refute rate for both domains and IPs. No other company provides this level of transparency, which is a step in the right direction toward building greater trust with our prospects and customers.
Next we updated our “score improvement for engaged vendors” metrics. Companies that use SecurityScorecard to engage their supply chain see a quantifiable improvement in their ecosystem security posture.
We found that rated companies invited to the platform with low-security grades (C, D, or F) exhibit on average a 7-point improvement within 3 months (up from 4 points), while the average score of non-engaged companies remained unchanged over the same period.
This statistic illustrates that by identifying and correcting the known findings we bring to light, an organization can increase their security score, which ultimately makes them safer.
We also added a new section dedicated to frequently asked questions about SecurityScorecard’s scoring, data sources, and taxonomy. This section includes the answers to questions like:
“Why is there a stale issue on my scorecard that is no longer relevant?” and “One of your competitors detected malware on my network, but this finding doesn’t appear on my scorecard. Why not?”
For any rating scale to be widely adopted, be it security ratings, product ratings, or financial ratings, end users need to have confidence in both the data accuracy and the methodology used to generate their scores. These updates offer significant transparency and build confidence in our ability to provide accurate scores. Visit our newly updated Portal now.