This article explores how security ratings are calculated, how they are used, and ultimately, if organizations should leverage them.
In the past, evaluating an organization’s security posture relied solely on point-in-time self-assessments such as internal reviews and questionnaires. These methods are highly subjective, however, and do not provide a current depiction of an organization’s security posture.
That’s where security ratings come into play.
Security ratings provide a data-driven, continuous, and objective depiction of an organization’s security performance – without requiring extensive technical skills. They validate claims that third parties and internal teams have made about their security controls and identify avenues of improvement.
How are Security Ratings Calculated?
Security ratings leverage external, publicly available data to assign a single, aggregated rating. Each security rating service uses a framework to determine these scores. Some use already established frameworks such as NIST and MITRE ATT&CK, while others have developed their own unique model. The scores are based on several risk factors grouped into categories, such as network security, DNS health, and IP reputation. They are then weighted to yield a final letter or number score.
Black Kite, a leading security rating service provider, leverages 270 security controls and breaks them into 19 different weighted risk categories.
SecurityScorecard, one of the most popular security rating services, groups its metrics into 10 different categories, 8 of which are shown above in the screenshot.
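To make the aggregation step concrete, the following is an added, deliberately simplified scoring model written for this article; it is not Black Kite’s, SecurityScorecard’s, or any other provider’s methodology. The risk factors, severities, category weights, penalty unit, and letter thresholds are all constructed for illustration. It shows the three steps the text describes: external findings are grouped into categories, each category is scored, and the category scores are weighted into a single number that maps to a letter. It also shows why two providers can grade the same evidence differently when their weighting differs.

```python
"""Toy weighted security-rating model (constructed example, not a vendor's framework)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One externally observable risk factor, as a rating service might collect it."""
    factor: str       # e.g. "open_admin_ports" (constructed name)
    category: str     # risk category the factor belongs to
    severity: float   # 0.0 (informational) .. 1.0 (critical); constructed scale
    count: int        # how many instances were observed


# Category weights (constructed; must sum to 1.0). Different providers weight differently.
DEFAULT_WEIGHTS = {"network_security": 0.35, "dns_health": 0.25, "ip_reputation": 0.40}
ALT_WEIGHTS = {"network_security": 0.70, "dns_health": 0.20, "ip_reputation": 0.10}

# Points deducted from a category per unit of (severity * count); constructed constant.
PENALTY_UNIT = 10.0

# Letter thresholds, highest first (constructed).
LETTER_THRESHOLDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))


def category_scores(findings, weights=DEFAULT_WEIGHTS):
    """Start every category at 100 and deduct for each finding, never below 0."""
    scores = {category: 100.0 for category in weights}
    for f in findings:
        if f.category not in scores:
            raise ValueError(f"unknown category {f.category!r}")
        penalty = PENALTY_UNIT * f.severity * f.count
        scores[f.category] = max(0.0, scores[f.category] - penalty)
    return scores


def overall_score(cat_scores, weights=DEFAULT_WEIGHTS):
    """Weighted sum of category scores; refuses weights that do not sum to 1."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1.0")
    return sum(cat_scores[category] * weight for category, weight in weights.items())


def letter_grade(score):
    """Map a 0..100 score to a letter using LETTER_THRESHOLDS."""
    for threshold, letter in LETTER_THRESHOLDS:
        if score >= threshold:
            return letter
    return "F"


def weakest_categories(cat_scores, n=2):
    """The categories pulling the score down most: the 'roadmap' a rating offers."""
    return sorted(cat_scores, key=cat_scores.get)[:n]


def rate(findings, weights=DEFAULT_WEIGHTS):
    """Full pipeline: findings -> category scores -> weighted score -> letter."""
    cats = category_scores(findings, weights)
    score = overall_score(cats, weights)
    return {
        "categories": cats,
        "score": round(score, 2),
        "letter": letter_grade(score),
        "weakest": weakest_categories(cats),
    }


# Constructed sample findings for a fictional organization.
SAMPLE_FINDINGS = [
    Finding("open_admin_ports", "network_security", severity=0.8, count=3),
    Finding("expired_tls_cert", "network_security", severity=0.5, count=1),
    Finding("missing_spf", "dns_health", severity=0.4, count=1),
    Finding("missing_dmarc", "dns_health", severity=0.6, count=1),
    Finding("blocklisted_ip", "ip_reputation", severity=0.9, count=0),
]

if __name__ == "__main__":
    for name, weights in (("default", DEFAULT_WEIGHTS), ("alternative", ALT_WEIGHTS)):
        result = rate(SAMPLE_FINDINGS, weights)
        print(f"{name} weighting: {result['score']} ({result['letter']}), "
              f"weakest categories: {result['weakest']}")
```

With the default weights the sample organization scores 87.35 (a B); with the alternative weighting the same findings score 77.7 (a C). The lesson for a practitioner is that a rating is only comparable within one provider’s model, and that the category breakdown, not the single letter, is what tells you where to spend remediation effort.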
How are Security Ratings Used?
1. Evaluate & Improve Internal Security Processes
Our research found that self-evaluation is the most common use case of security ratings. Security ratings are an unbiased way for organizations to evaluate the effectiveness of current security investments and compare their performance to competitors and industry leaders. By showing where an organization is performing poorly, security ratings provide a roadmap that organizations can use to strengthen their security posture. This helps address time constraints, budget restrictions, and the skilled-worker shortage by letting organizations focus efforts and investments on the most critical areas of improvement.
The Media Sonar research team surveyed 473 security professionals and determined that the most common use case of security ratings is for self-evaluation (51%) followed by third-party risk management (26%).
2. Third-Party Risk Management
The original use, and, according to our research, one of the most common applications of security ratings, is to assess the security posture of third parties. While it’s clear that third-party vendors add efficiencies, advanced capabilities, and a competitive edge, they also create additional risks and underscore the reality that an organization’s attack surface extends beyond its network perimeter. In fact, 98% of organizations have third-party relationships with at least one vendor that has experienced a data breach in the last two years.
By leveraging security ratings, organizations can gain visibility into their third-party ecosystem to assess which vendors deserve their trust. While no third party comes without risk, security ratings allow organizations to select low-risk vendors, proactively address vulnerabilities before entering business partnerships, and prioritize what vendors need the most attention. Security ratings can also be shared with vendors to help them gain awareness of their vulnerabilities and apply remediation strategies.
The Media Sonar research team surveyed 282 security professionals and found that 67% use security ratings for third-party risk management.
3. Cybersecurity Insurance Underwriting
With the increase in cyber attacks, more and more organizations are turning to cyber insurance to help manage the financial repercussions if they fall victim to an attack. A key component of the insurance industry is understanding and predicting the likelihood of a claim. Cyber insurance underwriters use security rating services to objectively assess and compare potential clients and to predict that likelihood. Organizations with a lower risk rating will receive better insurance rates. In contrast, those below a given score will receive higher rates or might not even be considered by cyber insurance providers because they pose too much of a security risk.
4. Better Communicate with the Board & Key Stakeholders
In today’s world, most boards know that a poor security posture can negatively impact their business. Instead of explaining why security matters, the conversation must shift to articulating the effectiveness of current security investments and how introducing new security solutions will align with the organization’s business goals. An objective, outside-in view lets security teams and managed service providers hold more effective risk-based discussions. This allows them to better communicate the effectiveness of current cybersecurity processes and identify future requirements with non-technical stakeholders and decision-makers.
Should Organizations Leverage Security Ratings?
Regardless of whether an organization decides to use security ratings in its own assessments, it is essential to appreciate that they are becoming commonly used by many other entities. Whether it is a cyber insurance provider determining the rate it will give you or a third party deciding whether or not to work with you, a security rating can be your organization’s most significant asset or its most debilitating weakness. Staying up to date on how your organization scores and identifying steps you can take to improve your rating will open more doors to new opportunities and partnerships while reassuring existing customers that you take security seriously.