Posted on Apr 26, 2021
Like most emerging markets, security ratings have their skeptics. Reasonable people have disagreed about the effectiveness and diagnostic value of security ratings. Their questions typically follow these lines of thought:
To answer these questions, let’s imagine our world without companies that offer cybersecurity ratings. You can’t look up someone’s score online. You are left to assess the security posture of hundreds to thousands of partners, Software as a Service (SaaS) providers, vendors, and suppliers in your digital ecosystem, likely without any increases in budget or staff.
Without cybersecurity ratings, cybercriminals trawling your online footprint and black-market databases that detail your company's security posture still exist. Those databases are maintained by Advanced Persistent Threat (APT) actors and cybercriminals. These threat actors are continuously assessing and refining their ability to acquire sensitive information by viewing your organization from the outside. Security ratings companies collect the same information that cybercriminals collect; we do it at scale, and we do it without consuming your team's bandwidth. In a world without security ratings, only the bad actors would have this view of your security risks, and they would be able to act on these vulnerabilities before you can see and address them yourself.
To protect themselves, organizations would have to build their own solutions for continuous monitoring of their security posture. In-house technology solutions are 50-80% more expensive over the long term and are more resource-intensive than a SaaS solution. Do you have the budget and the extra staff with the right skill sets to do this today, and at scale in the future?
Now, let's come back to our current world and have a candid conversation about security ratings: what they are and what they are not. Everyone in the security business knows that any vendor who promises a perfect, unbreachable security product is not being pragmatic.
We know that you and your team have to use the right tools, at the right time, to have the best security posture possible.
Security ratings might seem simple at first glance: identify what threat actors can see from the outside or find from a variety of sources, and provide a "score" that expresses a relative likelihood of being breached or attacked. If these scores are properly executed, they provide a useful indicator that can help make your organization more secure and help you better understand the relative risk in your digital ecosystem. However, evaluating security and risk is not simple, and the devil is in the details.
Security ratings evaluate an organization's cybersecurity risk using data-driven, objective metrics produced by continuous monitoring and machine learning. Those metrics provide visibility into an organization's information security posture as seen by threat actors, as well as into potential vulnerabilities across your digital ecosystem.
SecurityScorecard provides continuous monitoring of the threat landscape because it changes every day. The FBI reported that in 2020 because of the pandemic, ransomware attacks skyrocketed 400% over the previous year. Our cloud ratings engine provides our customers and partners with the ability to search and proactively locate and mitigate CVEs in their own organization and across their ecosystem to address the daily changes in the threat landscape.
Security ratings platforms scan the internet for possible gaps in an organization’s security posture, often employing technologies similar to the ones that cybercriminals use, but we can do this at scale.
SecurityScorecard's methodology means we sift 1.5 terabytes of data daily as part of our signal collection. We regularly scan the entire IPv4 address space to find vulnerabilities. We monitor signals using a worldwide network of sensors and operate one of the world's largest networks of sinkholes and honeypots to capture malware signals. We also work with external feeds from more than 40 data sources. SecurityScorecard then matches signals with IP addresses and domains, and with the organization associated with each.
It's important to mention that our scorecards are not a one-and-done solution; they change as the threat landscape evolves. Their purpose is to alert your IT staff to visible vulnerabilities and known CVEs, and to suggest remediations that mitigate your risk. Security ratings offer quantitative metrics for evaluating cyber risk, presented in easy-to-read visualizations based on the data collected by the platform. Organizations with a higher security rating have a lower risk profile. If an organization has a low rating, mitigating the identified risks raises its score.
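As an added illustration of the signal-to-organization matching and score aggregation described above, here is a constructed Python example. It is not SecurityScorecard's code, data or weighting: the CIDR inventory, the signal lines, the point deductions and the letter bands are all assumptions made for the example. It shows the three defender-facing steps in one pass: attribute each externally observed signal to the organization that owns the address, roll the findings up into a score, and turn a low score into an ordered remediation list.

```python
"""Constructed example: attribute external signals to organizations, aggregate
them into a rating and derive a remediation list. Not SecurityScorecard's
methodology, data or weighting."""
import ipaddress
import json
from collections import defaultdict

# Constructed asset inventory: organization -> CIDR blocks it owns (RFC 5737 test ranges).
ASSETS = {
    "Acme Corp": ["203.0.113.0/24", "198.51.100.0/25"],
    "Example SaaS": ["198.51.100.128/25"],
}

# Constructed signal feed, one JSON object per line, as a scanner or sensor might emit it.
SIGNAL_FEED = """\
{"ip": "203.0.113.10", "category": "network", "finding": "telnet open (23/tcp)", "severity": "high"}
{"ip": "203.0.113.12", "category": "patching", "finding": "outdated TLS library (CVE placeholder)", "severity": "medium"}
{"ip": "198.51.100.5", "category": "dns", "finding": "SPF record missing", "severity": "low"}
{"ip": "198.51.100.200", "category": "network", "finding": "RDP exposed (3389/tcp)", "severity": "high"}
{"ip": "192.0.2.77", "category": "malware", "finding": "sinkhole beacon", "severity": "high"}
not valid json
"""

# Hypothetical deduction weights; a real platform weights categories and severities differently.
SEVERITY_POINTS = {"low": 2, "medium": 5, "high": 12}


def build_networks(assets):
    """Parse CIDRs once; return (network, org) pairs, longest prefix first."""
    nets = [(ipaddress.ip_network(c), org) for org, cidrs in assets.items() for c in cidrs]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)


def attribute(ip, nets):
    """Map an IP to its owning org by longest-prefix match; None if no block claims it."""
    addr = ipaddress.ip_address(ip)
    for net, org in nets:
        if addr in net:
            return org
    return None


def parse_feed(text):
    """Parse newline-delimited JSON; malformed lines are skipped, not fatal."""
    signals = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ipaddress.ip_address(rec["ip"])  # reject records with a bad or missing address
            signals.append(rec)
        except (ValueError, KeyError):
            continue
    return signals


def aggregate(signals, assets):
    """Group signals by organization; unattributed addresses collect under the key None."""
    nets = build_networks(assets)
    by_org = defaultdict(list)
    for s in signals:
        by_org[attribute(s["ip"], nets)].append(s)
    return dict(by_org)


def grade(findings):
    """Deduct points from 100 and map the result to a letter (hypothetical bands)."""
    score = max(0, 100 - sum(SEVERITY_POINTS.get(f["severity"], 0) for f in findings))
    if score >= 90:
        letter = "A"
    elif score >= 80:
        letter = "B"
    elif score >= 70:
        letter = "C"
    elif score >= 60:
        letter = "D"
    else:
        letter = "F"
    return score, letter


def remediation_plan(findings):
    """Findings ordered highest severity first: the 'what to fix' list a low score should yield."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [f["finding"] for f in sorted(findings, key=lambda f: order.get(f["severity"], 3))]


def rate_all(feed_text=SIGNAL_FEED, assets=ASSETS):
    """Return {org: {"score", "letter", "plan"}} plus a count of signals no inventory block claims."""
    groups = aggregate(parse_feed(feed_text), assets)
    report = {}
    for org, findings in groups.items():
        if org is None:
            continue
        score, letter = grade(findings)
        report[org] = {"score": score, "letter": letter, "plan": remediation_plan(findings)}
    report["_unattributed"] = len(groups.get(None, []))
    return report


if __name__ == "__main__":
    for org, result in rate_all().items():
        print(org, result)
```

The unattributed count is worth surfacing on its own: a signal that maps to no block in the inventory is either noise or an asset the organization does not know it owns, which is exactly the kind of gap the post says a score should prompt you to investigate and, where the attribution is wrong, to refute.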
This is not to say that you should take a security rating at face value. In fact, that’s exactly the wrong way to use cybersecurity ratings.
Many times, a company’s leadership will look at a security rating and make a snap judgment. “Oh, we have an A or a B — we’re fine” or “this potential vendor has a D. We should not do business with them.” That’s a mistake. Security ratings aren’t static — they’re a living document.
If you’re just looking at the overall score of a business — yours or another organization’s — you’re not getting the full picture.
An organization with an ‘A’ rating may have adequate controls, but they can suffer a breach like any other organization. An ‘A’ is not a bulletproof defense against cybercrime, nor is any other security certification. For example, about 10 years ago, hackers would seek out McAfee-certified sites, organizations that believed they were secure. Those organizations would then be the target of emerging threats that they could not be prepared for yet. That green checkmark simply meant that they’d ticked all the boxes for their certification, not that they were prepared for any new threats. An ‘A’ rating is the same — it’s not meant to lull you into a false sense of security.
Conversely, an ‘F’ doesn’t mean a company is completely insecure. Cybersecurity companies often run honeypots to attract attacks, so if a company has an ‘F’ rating, that doesn’t mean you shouldn’t contract with them, or onboard them as a vendor.
If your own score doesn’t look right to you — if it’s too low, or the information is wrong — you should not write off all security ratings. It’s important to engage with the score to make it more accurate. An accurate score not only reflects well on your organization, but an accurate and relevant score is also a tool that allows you to have productive conversations about security with vendors and partners. It gives cybersecurity insurance providers insight into your security posture when underwriting policies. A solid rating also helps you pinpoint the areas of your security that require shoring up.
Like a credit score or any other kind of score, security ratings are one piece of information about an organization's security posture. They're not intended to replace pen tests or any other part of your security stack. Ratings are an augmentation that allows you to see your security posture the way others do.
In fact, it might help to think of a security rating as a starting point. A low score gives you a list of potential security questions for a new vendor or partner. It tells you where to look when you onboard a new vendor, and how to examine your own security and mitigate your own security issues. It is not just a snapshot of your security posture, it is a way to see how your security posture evolves over time and to ensure you are able to manage risks every day.
When your security rating is low, we tell you what you need to do to remediate your score.
When people complain about security ratings being wrong, we have one important suggestion for them: engage with the score. Refute it, so that we can be more accurate in how your security controls are portrayed.
While some rating companies require you to be a customer to refute your ratings, SecurityScorecard operates on a Yelp model. Our refutation process offers three options:
We encourage organizations to submit refutes with supporting evidence so that we can update their scorecards. Scorecards are updated within 48-72 hours of documentation review and approval. By participating with your score, you can improve the rating’s accuracy. The more the community embraces security ratings, the more accurate and valid the ratings will become.
No one likes to get bad news about their organization — especially about their security posture.
Security ratings are a risk evaluation and remediation solution that helps ensure you have the right information to make better security decisions. Security ratings give your team the ability to see risk sooner, scale your team's visibility across your entire digital ecosystem, lower the cost of managing security risk, and provide reporting data for key regulatory and compliance requirements. We can provide scale, speed, and a global view to baseline your security risk. We want to partner with you, your organization, and the organizations in your digital ecosystem to add context and improve the accuracy of security ratings for everyone.