What is a True Security Rating? Why Credit-Style Ratings Don’t Tell The Whole Story
As data breaches become increasingly costly, the security posture of an organization becomes more of a concern from a broader risk perspective. A company might look safe from a financial and credit standpoint, as assessed by a credit rating agency, for example. But financial competency and health means nothing if that company is breached. The reputational and incident response costs alone can cause heavy financial damage, and that’s not accounting for client churn and loss of new business.
It’s important to understand what a security rating is and how they drive critical business decisions. Other companies offer security ratings, but how can you be sure they’re accurately providing a measure of an organization’s true risk? Companies may try to reduce security to a single number range between 200-800. But if this number could reflect the overall security posture of an organization, there would be no need for any security professionals or practitioners.
“The problem with simple security ratings is,” Our chief research officer Alex Heid says, “For example, that a large organization like an ISP will always have a very large attack surface, so there will be many malware events on that attack surface. If you try to boil down the security to a credit-style rating, you will always incorrectly score large organizations too low, and tiny mom-and-pop shops with a small attack surface too high.”
A true security rating must provide an accurate depiction of an organization’s security status. To do so, a multidimensional scorecard across all critical security categories is needed. This includes categories such as Endpoint Security, Hacker Chatter, Information Leak, ensuring every aspect of risk and vulnerability is accounted for.
SecurityScorecard ratings look at hundreds of key security issues across 10 critical security categories, over 500% more than any other competitor. Other companies try to simplify security into a single credit-style rating. Security professionals, CISOs, and white hat researchers need a complete scorecard that addresses all areas of security.
Gartner’s new Security Rating Services (SRS) category is defined as:
“Security rating services (SRS) provide continuous, independent quantitative security analysis and scoring for organizational entities. The services gather data from a variety of public and private sources via passive and active (but nonintrusive) means, analyze the data using proprietary analysis and rate the entities using their own standard scoring methodologies. These tools can be used for internal security reporting and management and for third-party risk management.”
Our scorecard provides an unmatched depth and breadth of actionable information stemming from our numerous patents and our proprietary network of sensors. It gives us the critical information needed to score and weight key security categories and issue types to build a comprehensive scorecard.
SecurityScorecard founders are two former CISOs who, as practitioners, know the challenges of securing your own environment and those of your partners and vendors firsthand. That’s why our platform provides multi-level security ratings based on security necessity. We offer an overall high-level organizational security rating, giving you an industry-level perspective of your security posture. Then we offer category-level ratings on 10 distinct security factors, allowing you to understand where your specific vulnerabilities lie and where your security efforts should be focused on. Lastly, we offer issue type severity ratings, offering a granular perspective, rating the severity level of the problem while also providing remediation information for the issue.
It takes more than just malware data to accurately understand the security posture of an organization. SecurityScorecard takes a comprehensive view across key categories that enable security professionals to properly assess and mitigate risk. Our research and innovation dedicated to improving security ratings is passed on to our users and clients.