Understanding Your Security Ratings

Learn More About Your Score

Your Security Ratings - Explained

You just received an invitation from a business partner to review your scorecard, or you’re considering using SecurityScorecard for the first time to:

  • Add efficiencies and additional capabilities to your Vendor Risk Management program
  • Quickly inform your M&A program
  • Help with procurement
  • Leverage trusted and transparent data for your cybersecurity insurance underwriting process

Now what? What are some key issues to consider?

You’re about to make an important decision. Forrester now reports that “Security Ratings are a valued strategic and operational component of a robust security program.” They add that “security ratings boost threat intelligence, security posture, business resiliency, and the prioritization of new security investments.”

SecurityScorecard enables users to discover and continuously monitor security ratings, effortlessly add additional vendors or partner organizations, and concisely report on the cyberhealth of their ecosystem. We also provide access to breach insights, compliance, collaboration, digital asset management, company comparison tools, and more to help enterprises better manage security and meet regulatory objectives. We strive to be transparent. Every company on our platform can look at a carefully measured, statistically relevant view of the cybersecurity risk associated with their IP footprint.

SecurityScorecard’s A-F rating system is easy to understand and correlates directly to risk indicators that have been identified across the public web, dark web, and our global sensor network. 


How do we do this?

Unlike other providers, a majority of the data utilized by our platform comes from our own threat reconnaissance capabilities. We collect data in the following ways:

  • We non-intrusively scan the entire IPv4 space.
  • We operate a battery of sinkholes to track malware infections on client systems on a daily basis.
  • We perform a variety of additional non-intrusive collection activities to identify weaknesses in an entity’s cybersecurity posture, such as open ports exposing services that should not be exposed, weak ciphers, out-of-date software with critical vulnerabilities, etc. 

Here are some typical questions:

What is a security rating?

Security ratings provide businesses and government agencies with a third-party, independent view into the security behaviors and practices of their own organization as well as those of their business partners. SecurityScorecard rates companies on an easy-to-understand A-F system for both the overall security rating and across 10 risk factors. A security rating is a measure of security based on information collected from across the internet via SecurityScorecard’s internal collection activities combined with commercial and open source providers. SecurityScorecard’s data science team runs complex algorithms against this data to compute a score that corresponds to risk.

How can I access my security rating?

SecurityScorecard provides companies with free access to their scorecards. Companies can access their scorecard either through the invited vendor process or by requesting an account. Our internal team will validate and approve all requests prior to account activation.

What does my security rating mean?

Simply put, a company with a D or F rating is 5.4 times more likely to suffer a consequential breach than an A- or B-rated company. Certain risk factors, such as application security and patching cadence, are even more indicative of the likelihood of breach; in some cases by as much as 10x if the score is an F versus an A. At the same time, a D or F rating does not necessarily mean that an organization will be breached tomorrow. We do know, however, that in aggregate, companies with higher security ratings pose less of a risk. For more information, here’s a link to our scoring white paper.

Can I dispute my security rating?

The SecurityScorecard platform is based on transparency and collaboration. Our dispute resolution process is designed to be as frictionless as possible and our goal is to resolve any outstanding items within 3 business days. Companies can either dispute issues within the platform or by emailing us at [email]@securityscorecard.com. We do not charge for resolution services.

Who can view my Security Rating?

Our vision is to create a new language for security that enables security practitioners to work together and ultimately improve the security posture of their entire ecosystem. The SecurityScorecard platform enables companies and their vendors to collaborate on security by providing visibility into the security posture of companies that they do business with. We surface security ratings in our platform as well as through technology alliances with GRC, IT risk management, procurement, cyber insurance underwriters, and other technology & business partners.

Our VRM program is quite mature. Why do we need a security ratings service?

Even customers with very mature VRM programs leverage our platform extensively. The simple reason is that even well-established VRM programs cannot achieve enough coverage of the security risk surface in the supply chain using only traditional labor-based, point-in-time security assessment and tracking tools. For more information on the business value of Security Ratings, download this report.

How can I be assured findings don’t end up in the wrong hands?

SecurityScorecard’s data is collected from our own proprietary data collection processes as well as from open source and commercial threat intelligence feeds. The signals that we collect are public on the internet, meaning all of our information is collected via non-intrusive methods using broadly accepted security research methodologies. We follow appropriate disclosure and notification protocols. Since the information that we collect is obtainable from commercial and open source providers and is public on the internet, companies should assume that findings in the SecurityScorecard platform are obtainable by nation-state, cyber criminal, and other black hat individuals and organizations through their own mechanisms and resources. We take measures to ensure that only validated security & risk management and other practitioners have access to our platform.

What security controls does your application have in place?

  • We encrypt data in transit and at rest
  • We manage all of our infrastructure passwords through a system vault that ensures easy, fast rotation along with password strength
  • We centralize our AAA services through LDAP and use multi-factor authentication for all platform infrastructure
  • We segregate and isolate our network (firewalls and private networks) and limit access (inner circle is 5 SRE(s), middle circle is tech leads, outer circle is engineering as a whole)
  • We log all system and service actions for audit
  • We do periodic penetration tests using 3rd party providers
  • We conduct regular control audits
  • We use the SecurityScorecard platform to continuously monitor our cyberhealth

How does your solution maintain compliance with applicable laws and ethical standards?

SecurityScorecard’s methodologies are based on security research practices that are widely utilized in the industry. All of the information we obtain is gathered by non-intrusive methods, and we follow all appropriate standards and best practices in our own collection efforts as well as requiring our data partners to do the same. For more information, download our Legality white paper.

How do you handle vulnerabilities and notifications?

We offer free access to the platform so that any company can, effectively, be notified of vulnerabilities in their own infrastructure found by SecurityScorecard and work to resolve their publicly observable security issues. Our platform’s automation capabilities are non-intrusive and can discover, but do not exploit, vulnerabilities. Where possible, in instances where our security researchers find a high-risk, exploitable vulnerability (i.e., open access to a critical infrastructure asset like a dam or power grid control system) that could create a public safety issue, we will notify the operator directly of that vulnerability.
