#SecurityDNA: Meet our CISO
Steve Cobb brings more than 25 years of leadership consulting surrounding IT infrastructure, cybersecurity, incident response, and cyber threat intelligence.
How are your cybersecurity ratings created?
SecurityScorecard ratings are created by: discovering the attack surface of an organization from the outside; picking up signals non-intrusively about that organization that indicate what’s happening inside the organization; and applying a statistical model that is based on nine years of historical data showing how organizations perform compared to others.
Do I need to pay to access, improve, or challenge my SecurityScorecard rating?
Never. Any organization can access its scorecard for free and annotate it with internal information (such as SOC 2 documentation and compliance certifications) to ensure its voice is heard. In turn, we share recommendations with organizations on how they can improve their scores and become more resilient. This can all be done free of charge.
Will I get breached even if I have an “A” rating?
Validation testing uncovered that companies with an A rating are 7.7X less likely to experience a breach than those with an F rating. But if a determined group of hackers or a nation-state decides to target an organization — even one with an “A” rating — it can get breached. Using the SecurityScorecard platform, customers can identify and plan for clear areas of improvement and thus reduce their cyber risk. Additionally, SecurityScorecard offers cyber resilience services such as Digital Forensics and Incident Response which can help you quickly triage a breach, stop further damage, investigate the source, and develop actionable reporting.
What is the frequency of your scans?
SecurityScorecard non-intrusively scans the entire IPv4 web space, more than 3.9 billion routable IP addresses, every 10 days across more than 1,400 ports.
Do cybersecurity ratings only include outside-in data?
SecurityScorecard finds external-facing assets from the outside-in that can often indicate to an organization what’s happening on the inside, for instance: how diligently a browser’s operating system is patched, or the reaction time to malware. However, we also ingest inside-out info from organizations in order to provide more context into their internal security practices; organizations can list their security policies and provide documentation to support compliance with SOC 2, payment card industry (PCI) standards, HIPAA, and more. Organizations are also encouraged to submit questionnaires, claim profiles, and more.
Do ratings take into account internal compensating controls?
While the visible Internet attack surface is the main target for cyberattacks—and generally a reflection of an organization’s cybersecurity posture—there is a chance that internal vulnerabilities exist that we don’t see and that aren’t represented in the overall score. However, SecurityScorecard calibrates its algorithms to account for this, and it is why we allow any organization to provide additional context by contributing evidence of its internal security controls through integrations with internal security tools (such as XDR/EDR).
If I think my score is inaccurate, what can I do?
SecurityScorecard offers a straightforward refute process that enables collaboration, is equally open to customers and non-customers, and encourages users to manage, validate, and make corrections as needed. If you believe your rating is inaccurate, our team is quick to respond with the industry’s fastest and most accurate refute process, while still maintaining the credibility of the score.
How long does it take to update my score?
After you submit a resolution or removal request, our customer support team will review the request and any supporting evidence within 48 hours. If your requests are approved by our support team, your new score will be reflected on your Scorecard as a Projected Score within a few minutes. If more action is needed, you will receive an explanatory email.
Will my score be accurate if I own a small or medium-sized business (SMB)?
Our cybersecurity ratings are designed to find signals on any company, big or small, whether your organization has one IP address or one million. While SMBs provide enough signals to be rated, there may be an overly positive perception of their security postures because their Internet attack surface is small. To increase accuracy, organizations should provide contributory evidence (such as network designations, security policies, compliance validation, and more).
Can I get an accurate score if I’m a cloud or telecommunications provider?
ISP/telecom providers have vast numbers of IP addresses. As a result, it can be difficult to attribute assets between their own corporate domains and the ones controlled by customers. Overall, this segment requires a more nuanced way of attribution. The security ratings industry is working on this challenge, and as the category advances we should see a more sophisticated approach to addressing this domain attribution issue.
How can I use ratings with my board of directors?
Use this template to communicate benchmarking, reduce supply chain risk, and prove the effectiveness of security investments. Download the template and make it your own.
How can I use ratings to lower my cyber insurance?
Identify and plan for clear areas of improvement and reduce your cyber risk, which can result in validation with a higher security rating and, ultimately, a lower cyber insurance quote.
How can I use ratings to monitor my third parties?
Obtain visibility into your cyber risk exposure by using security ratings to continuously monitor and measure the security posture of the third parties in your entire vendor ecosystem.
None of our users go it alone, and if you believe your score is inaccurate, we work with you to make it right. We offer a simple and fast corrections process that is equally open to customers and non-customers. We encourage users to validate and make adjustments as needed.
SecurityScorecard creates a Digital Footprint of all your organization’s Internet-facing assets. Discover critical security issues and assets you weren’t aware of, and improve your security posture.
Public scorecards help vendor risk managers, information security professionals, procurement teams, and cyber insurers better understand security hygiene. Many organizations showcase their scorecard to build trust within their business ecosystem.
Add a “Seal of Trust” to your website so your partners can easily see a snapshot of your security health. Each Badge features direct public access to a summary of why a company has a good score, along with real-time public visibility into how that security score has been maintained.
Our customers have access to the greatest volume and quality of intelligence available. SecurityScorecard leverages data mined with the market’s leading capabilities, and relies on a global network of sensors to monitor signals across the internet. We enrich our data using commercial and open-source intelligence sources, and track over 79 security issues.
Customers choose SecurityScorecard because the depth of our data is unmatched. And our ability to validate that data increases with every new customer and follower. In order to make our security ratings as meaningful as possible, we conducted a study using machine learning-tuned issue-type weights, and found that organizations with an A rating are 7.7x less likely to sustain a breach than those with an F rating.
With millions of companies scored, the depth and scope of our collected data is unmatched, and our ability to validate our data increases with every new customer and follower.
At SecurityScorecard, we work closely with our partners and customers, whose insights influence our roadmap. Whether it’s sharing input on new offerings and services or helping us troubleshoot issues, every piece of feedback is an opportunity for us to do better.
In 2022, Gartner named SecurityScorecard a Gartner Peer Insights Customers’ Choice for IT Vendor Risk Management (VRM) Tools.