Cybersecurity ratings provide a means for objectively monitoring the cyber health of an organization and gauging whether its security posture is improving or deteriorating over time. They are a useful asset for a variety of organizational procedures, including vendor risk management, M&A due diligence, executive-level reporting, and self-monitoring. That said, these ratings are only valuable if the data used to determine the rating is reliable and comes from a trusted source.
It is for this reason that SecurityScorecard released Trust Portal, a first-of-its-kind resource that invites you to take an inside look at the data that drives our technology. The purpose behind the portal is to provide transparency into our security ratings methodology and deliver insights into how it aligns with industry standards.
Security rating companies use a combination of data points collected organically or purchased from public and private sources, and then apply proprietary algorithms to distill an organization’s security effectiveness into a quantifiable score. In the Trust Portal, we show the quality, breadth, and measurements of our data and where it comes from.
What is security transparency?
Without proper technical experience, understanding cybersecurity can be difficult. Even for those in the IT field, keeping track of evolving threats and regulations presents a challenge. This is why there has been a push for security transparency in the business world.
Transparency means being open and honest about the strategies and solutions you employ to help maintain security at your organization. By creating a culture of transparency, you can enhance security practices by eliminating the silos associated with threat identification and management. In addition, a transparent business environment helps cultivate strong customer relationships, because customers can see what you are doing to protect their data.
Exploring the key components of the Trust Portal
In the interest of transparency, our Trust Portal is broken down into different components regarding data collection, scoring models, and confidentiality. Below we provide key insights into our Security Ratings methodology and how it aligns with industry standards.
Data collection
To collect data, SecurityScorecard monitors signals across the internet, relying on a global network of sensors that spans the Americas, Asia, and Europe. We also operate a network of sinkholes and honeypots to capture different malware signals that are used for scoring. Data is enriched by leveraging commercial and open-source intelligence sources as well. In addition, SecurityScorecard supplements its data collection with external feeds from approximately 40 third-party public and commercial data sources.
This data is then analyzed and appropriately weighted by considering factors such as the severity of the issues, the risk level as defined by industry standards, and the overall performance of similar companies.
Cybersecurity signals
SecurityScorecard monitors hundreds of different cybersecurity signals and calculates a score based on a defined subset of issues. Each issue is associated with one of the ten risk factor groups and is assigned a weight reflecting its severity.
Any positive security practice (reflecting a strong security posture) is captured and presented to users for improved awareness but does not contribute to scoring. The security issues measured by SecurityScorecard, along with the assigned factor, severity-based weight, update cadence, and age out window, can be found here.
Accuracy and validation
A unique challenge in providing fair and accurate ratings for organizational cybersecurity is properly accounting for a wide range of organizational sizes. A small organization exposes far fewer assets, and therefore produces far fewer raw findings, than a large enterprise operating across as many as hundreds of millions of IPs, so a raw count of findings says little about which of the two is actually better defended. To help address this, SecurityScorecard performs attribution (mapping internet-facing assets to the organization that owns them) using automated processes operating at internet scale, incorporating machine learning algorithms to optimize accuracy.
The large number of organizations scored by SecurityScorecard – currently more than 1.5 million – helps ensure an accurate characterization of how the number of occurrences of each issue type varies with organization size, resulting in more accurate scoring.
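The two passages above (the severity-weighted issue catalogue with age-out windows, and size-normalized comparison against similar organizations) describe the shape of a rating model without showing it in operation. The following is an added illustration, not SecurityScorecard's code or its actual weights, factor groups, windows or peer-selection rule: every issue name, weight, age-out window, organization and finding below is constructed. It shows why positive practices are reported but not scored, how a finding drops out of the score once its window elapses, and why a raw finding count misleads across footprint sizes while a size-normalized peer comparison does not.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed issue catalogue: signal -> (risk factor group, severity weight, age-out window in days).
# These are hypothetical values, not SecurityScorecard's.
ISSUES = {
    "open_rdp":       ("network_security", 6.0, 14),
    "weak_tls":       ("network_security", 2.0, 30),
    "malware_beacon": ("ip_reputation",    8.0, 7),
    "spf_missing":    ("dns_health",       3.0, 60),
}
# Positive practices are surfaced to the user but carry no weight in the score.
POSITIVE = {"hsts_enabled", "dmarc_reject"}


@dataclass(frozen=True)
class Finding:
    signal: str
    asset: str        # host or domain the signal was observed on
    last_seen: date


@dataclass(frozen=True)
class Org:
    name: str
    ip_count: int     # attributed footprint size
    findings: tuple


def active(findings, today):
    """Keep only weighted issues whose last observation is still inside the age-out window."""
    kept = []
    for f in findings:
        if f.signal in POSITIVE or f.signal not in ISSUES:
            continue
        _, _, window = ISSUES[f.signal]
        if today - f.last_seen <= timedelta(days=window):
            kept.append(f)
    return kept


def factor_totals(org, today):
    """Sum severity weights of active findings per risk factor group."""
    totals = {}
    for f in active(org.findings, today):
        factor, weight, _ = ISSUES[f.signal]
        totals[factor] = totals.get(factor, 0.0) + weight
    return totals


def density(org, today):
    """Weighted issue load per 1,000 attributed IPs: the size normalization step."""
    return 1000.0 * sum(factor_totals(org, today).values()) / max(org.ip_count, 1)


def peers(org, universe, ratio=4.0):
    """Hypothetical peer rule: organizations within a factor of `ratio` of this footprint size."""
    return [p for p in universe
            if p is not org and org.ip_count / ratio <= p.ip_count <= org.ip_count * ratio]


def percentile(org, universe, today):
    """Share of size peers carrying at least as much issue density; higher is better.
    Returns None when there is no peer group to compare against."""
    group = peers(org, universe)
    if not group:
        return None
    own = density(org, today)
    return sum(1 for p in group if density(p, today) >= own) / len(group)


def grade(pct):
    """Constructed letter bands over the peer percentile."""
    if pct is None:
        return "N/A"
    for cutoff, letter in ((0.8, "A"), (0.6, "B"), (0.4, "C"), (0.2, "D")):
        if pct >= cutoff:
            return letter
    return "F"


# Constructed universe of organizations and findings.
TODAY = date(2024, 6, 1)
SMALL = Org("small-co", 50, (
    Finding("open_rdp", "203.0.113.7", date(2024, 5, 25)),       # 7 days old, still active
    Finding("malware_beacon", "203.0.113.9", date(2024, 5, 1)),  # 31 days old, aged out (7-day window)
    Finding("hsts_enabled", "www.example.test", date(2024, 5, 31)),  # positive practice, unscored
))
PEER_A = Org("peer-a", 80, (Finding("weak_tls", "198.51.100.2", date(2024, 5, 20)),))
PEER_B = Org("peer-b", 120, (Finding("open_rdp", "198.51.100.40", date(2024, 5, 30)),
                              Finding("spf_missing", "peer-b.test", date(2024, 5, 1))))
PEER_C = Org("peer-c", 40, (Finding("malware_beacon", "198.51.100.77", date(2024, 5, 29)),
                             Finding("open_rdp", "198.51.100.78", date(2024, 5, 29))))
BIG = Org("big-corp", 200_000, (Finding("open_rdp", "192.0.2.10", date(2024, 5, 28)),
                                Finding("weak_tls", "192.0.2.11", date(2024, 5, 15)),
                                Finding("spf_missing", "big-corp.test", date(2024, 5, 20))))
BIG2 = Org("big-2", 500_000, (Finding("malware_beacon", "192.0.2.200", date(2024, 5, 30)),))
UNIVERSE = [SMALL, PEER_A, PEER_B, PEER_C, BIG, BIG2]

if __name__ == "__main__":
    for org in UNIVERSE:
        pct = percentile(org, UNIVERSE, TODAY)
        print(f"{org.name:9s} active={len(active(org.findings, TODAY))} "
              f"density={density(org, TODAY):8.3f} peers={len(peers(org, UNIVERSE))} "
              f"pct={pct} grade={grade(pct)}")
```

Running it shows the point of L16: big-corp has three active weighted findings against small-co's one, yet its load per 1,000 IPs is three orders of magnitude lower. The peer comparison, not the raw count, is what the grade reflects. The `None`/`N/A` branch and big-corp's single-peer group also show the caveat a practitioner should keep in mind: with a thin peer group a single comparison flips the grade, which is why the number of scored organizations mentioned above matters for stability.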
Independence
SecurityScorecard’s ratings are fully independent and free of any commercial bias. To facilitate a fair and consistent evaluation of cybersecurity risk, SecurityScorecard uses robust statistical methods to evaluate the security posture of a company compared to others of similar size. Normalizing every company’s rating by size ensures that companies are compared fairly and that commercial agreements with SecurityScorecard do not influence ratings.
Confidentiality
SecurityScorecard data is only available to users that have properly registered for access to our platform information. Any user that wishes to view the scorecard for their own company must go through a formal user onboarding process that ensures the user is an employee of the company they claim to represent. In addition, companies that license the service must adhere to contractual obligations that dictate the use of ratings they access with respect to their vendors, to ensure the information is not used to compromise the systems of another third party.
Final thoughts
Our goal is to provide transparency into our ratings methodology so that our partners can be sure the insights they receive are actionable and trustworthy. With the Trust Portal, you get a first-hand look at the data that drives our technology, eliminating any confusion around our products and their functions.
For more information, watch as Co-Founder and CEO of SecurityScorecard, Aleksandr Yampolskiy, explains what the Trust Portal means to him, and what it will mean for the security ratings market for years to come.