Like most emerging markets, the security ratings market has its skeptics. Reasonable people disagree about the effectiveness and diagnostic value of security ratings, and their objections usually run along these lines:
- I don’t believe you can accurately determine my security risk from the outside.
- How can a third party, without understanding my security strategy, evaluate my risk?
- You are only telling me what I know or can find out myself. What is the value?
- They only provide a “snapshot-in-time” and the threat landscape evolves every day.
- It is misleading for board reporting, not a real benchmark for security quality.
To answer these questions, let's imagine a world without companies that offer cybersecurity ratings. You can't look up an organization's score online. You are left to assess the security posture of hundreds to thousands of partners, Software as a Service (SaaS) providers, vendors, and suppliers in your digital ecosystem, most likely with no increase in budget or staff.
Without cybersecurity ratings, cybercriminals trawling your online footprint and black-market databases that catalogue your company's security posture would still exist. Those databases are maintained by Advanced Persistent Threat (APT) actors and cybercriminals, who continuously refine their ability to acquire sensitive information by viewing your organization from the outside. Security ratings companies collect the same outside-in information that cybercriminals collect; the difference is that we do it at scale and without consuming your team's bandwidth. In a world without security ratings, only the bad actors would have this view of your exposure, and they could act on those weaknesses before you could see and address them yourself.
To protect themselves, organizations would have to build their own solutions for the continuous monitoring of their security posture. In-house solutions are, in our experience, 50-80% more expensive over the long term and more resource-intensive than a SaaS solution. Do you have the budget, and the extra staff with the right skill sets, to do this today and at scale in the future?
Now, let's come back to our current world and have a candid conversation about what security ratings are and what they are not. Everyone in the security business knows that a vendor who promises a perfect, unbreachable security product is not being pragmatic.
We know that you and your team have to use the right tools at the right time to achieve the best security posture possible.
What exactly is a security rating (and why do you need one)?
Security ratings might seem simple at first glance: identify what threat actors can see from the outside or find from a variety of sources, and produce a "score" that expresses the relative likelihood of being breached or attacked. Done properly, these scores are a useful indicator that can help make your organization more secure and help you understand the relative risk across your digital ecosystem. Evaluating security and risk is not simple, however, and the devil is in the details.
Security ratings evaluate an organization's cybersecurity risk using data-driven, objective, continuous monitoring and ML-derived metrics. They provide visibility into an organization's information security posture as threat actors see it, as well as into potential vulnerabilities across your digital ecosystem.
SecurityScorecard provides continuous monitoring because the threat landscape changes every day. The FBI reported that ransomware attacks in 2020 rose 400% over the previous year, driven by the pandemic. Our cloud ratings engine lets customers and partners search for, locate, and mitigate known CVEs in their own organization and across their ecosystem, keeping pace with those daily changes.
Security ratings platforms scan the internet for possible gaps in an organization's security posture, often employing technologies similar to the ones cybercriminals use, but at scale.
SecurityScorecard's methodology sifts 1.5 terabytes of data daily as part of our signal collection. We regularly scan the entire IPv4 address space to find vulnerabilities. We monitor signals using a worldwide network of sensors and operate one of the world's largest networks of sinkholes and honeypots to capture malware signals. We also ingest external feeds from more than 40 data sources. SecurityScorecard then matches each signal to an IP address or domain and to the organization associated with it.
It's important to mention that our scorecards are not a one-and-done solution; they change as the threat landscape evolves. Their purpose is to alert your IT staff to externally visible vulnerabilities and known CVEs and to suggest remediations that mitigate your risk. Security ratings offer quantitative metrics for evaluating cyber risk, presented as easy-to-read visualizations built from the data the platform collects. Organizations with a higher security rating have a lower risk profile, and an organization with a low rating raises its score by mitigating the risks the rating identifies.
This is not to say that you should take a security rating at face value. In fact, that’s exactly the wrong way to use cybersecurity ratings.
How not to use security ratings
Too often, a company's leadership looks at a security rating and makes a snap judgment: "We have an A or a B, so we're fine," or "This potential vendor has a D, so we should not do business with them." That is a mistake. Security ratings aren't static; they are a living document.
If you look only at an organization's overall score, yours or another company's, you are not getting the full picture.
An organization with an 'A' rating may have adequate controls, but it can suffer a breach like any other organization. An 'A' is not a bulletproof defense against cybercrime, and neither is any security certification. For example, about 10 years ago, attackers would seek out sites carrying a McAfee security badge, organizations that believed they were secure, and target them with emerging threats they could not yet be prepared for. The green checkmark meant only that they had ticked the boxes for their certification, not that they were ready for new threats. An 'A' rating is the same: it is not meant to lull you into a false sense of security.
Conversely, an 'F' doesn't mean a company is completely insecure. Cybersecurity companies, for instance, often run honeypots that deliberately attract attacks, and the resulting signals can drag down the score of an otherwise well-run organization. An 'F' rating on its own is not a reason to refuse to contract with a company or to onboard it as a vendor.
If your own score doesn't look right to you, because it is too low or the underlying information is wrong, don't write off security ratings altogether. Engage with the score to make it more accurate. An accurate score not only reflects well on your organization; it is also a tool for productive conversations about security with vendors and partners, and it gives cyber insurance providers insight into your security posture when they underwrite policies. A sound rating also helps you pinpoint the areas of your security that need shoring up.
How you should use a security rating
Like a credit score or any other kind of score, a security rating is one piece of information about an organization's security posture. Ratings are not intended to replace penetration tests or any other part of your security stack. They are an augmentation that lets you see your security posture the way others see it.
In fact, it helps to think of a security rating as a starting point. A low score gives you a list of security questions to ask a new vendor or partner. It tells you where to look when you onboard that vendor, and where to examine and mitigate your own security issues. It is not just a snapshot of your security posture; it is a way to see how that posture evolves over time and to manage risk every day.
When your security rating is low, we tell you which findings are lowering it and what you need to do to remediate them.
But what if my security rating is wrong?
When people complain that their security rating is wrong, we have one important suggestion: engage with the score. Refute it, so that we can portray your security controls more accurately.
While some rating companies require you to be a customer before you can refute your rating, SecurityScorecard operates on a Yelp-style model: any organization can refute its rating, customer or not. Our refutation process offers three options:
- Dispute - The company provides evidence that the identified risk/finding was incorrectly associated with their Scorecard and should be removed from the company’s record.
- Correction - The company provides clarifying data about a compensating control that is in place but is not visible to our non-intrusive, outside-in view.
- Appeal - The company resolved the risk and the issue should be removed from the company’s Scorecard.
We encourage organizations to submit refutations with supporting evidence so that we can update their scorecards. Scorecards are updated within 48-72 hours of the documentation being reviewed and approved. By engaging with your score, you improve the rating's accuracy, and the more the community embraces security ratings, the more accurate and valid those ratings become.
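To make the mechanics described above concrete (outside-in signals attributed to an organization by IP range, weighted into a score, and the score moving as findings are resolved, disputed, or excluded), here is a toy rating pipeline. It is an added example, not SecurityScorecard's algorithm, weights, or data: the address ranges, finding types, severity weights, grade cut-offs, and observed signals are all constructed for illustration.

```python
"""Toy outside-in rating pipeline (constructed example, not a real rater's logic)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset map: the public ranges each organisation is believed to own.
# A real platform derives this from WHOIS, DNS and other sources; here it is hard-coded.
ORG_RANGES = {
    "example-corp": [ip_network("203.0.113.0/24")],
    "other-org": [ip_network("198.51.100.0/24")],
}

# Hypothetical severity weights: points deducted from a 100-point base per finding.
WEIGHTS = {
    "tls_1.0_enabled": 10,
    "open_rdp": 25,
    "malware_beacon": 30,
    "no_dmarc": 5,
}


@dataclass(frozen=True)
class Signal:
    ip: str    # address the signal was observed on
    kind: str  # finding type, a key of WEIGHTS


# Constructed outside-in observations (scanner, sinkhole, DNS). 192.0.2.9 maps to nobody.
OBSERVED = [
    Signal("203.0.113.10", "tls_1.0_enabled"),
    Signal("203.0.113.22", "open_rdp"),
    Signal("203.0.113.22", "malware_beacon"),
    Signal("203.0.113.22", "malware_beacon"),  # same finding seen twice: counts once
    Signal("198.51.100.5", "open_rdp"),
    Signal("192.0.2.9", "open_rdp"),
]


def attribute(signals, org_ranges=ORG_RANGES, exclusions=()):
    """Map each signal to the organisation whose range contains its IP.

    `exclusions` holds networks the organisation has asked the rater to ignore,
    for example a deliberately exposed honeypot (the 'correction' case).
    Signals matching no known range are dropped rather than guessed at.
    """
    excluded = [ip_network(n) for n in exclusions]
    by_org = {org: [] for org in org_ranges}
    for s in signals:
        addr = ip_address(s.ip)
        if any(addr in n for n in excluded):
            continue
        for org, nets in org_ranges.items():
            if any(addr in n for n in nets):
                by_org[org].append(s)
                break
    return by_org


def score(findings, weights=WEIGHTS):
    """100 minus the summed weights of distinct (host, kind) findings, floored at 0."""
    unique = {(f.ip, f.kind) for f in findings}
    return max(0, 100 - sum(weights[kind] for _, kind in unique))


def grade(points):
    """Letter grade on fixed cut-offs (hypothetical; real scales differ)."""
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if points >= cutoff:
            return letter
    return "F"


def resolve(findings, ip, kind):
    """Drop a finding the organisation has fixed (the 'appeal' case)."""
    return [f for f in findings if not (f.ip == ip and f.kind == kind)]


def rate(org, signals=OBSERVED, **kwargs):
    """Attribute, score and grade one organisation; kwargs pass through to attribute()."""
    findings = attribute(signals, **kwargs)[org]
    points = score(findings)
    return points, grade(points)


if __name__ == "__main__":
    print("example-corp:", rate("example-corp"))
    fixed = resolve(attribute(OBSERVED)["example-corp"], "203.0.113.22", "malware_beacon")
    print("after fixing the beacon:", score(fixed), grade(score(fixed)))
    print("with the honeypot excluded:", rate("example-corp", exclusions=["203.0.113.22/32"]))
```

Two points the toy makes that the prose only states: duplicate observations of the same finding on the same host do not compound the penalty, and an unattributable signal (192.0.2.9) is discarded rather than pinned on the nearest organization. A "dispute" in this model is simply a correction to the asset map passed as `org_ranges`; a "correction" is an entry in `exclusions`; an "appeal" removes the finding via `resolve`.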
Why should you care about security ratings?
No one likes to get bad news about their organization — especially about their security posture.
Security ratings are a risk evaluation and remediation tool that helps ensure you have the right information to make better security decisions. They give your team the ability to see risk sooner, scale visibility across your entire digital ecosystem, lower the cost of managing security risk, and provide reporting data for key regulatory and compliance requirements. We can provide the scale, speed, and global view needed to baseline your security risk. We want to partner with you, your organization, and the organizations in your digital ecosystem to add context and improve the accuracy of security ratings for everyone.