How does a customer improve their security rating company score?

Executive summary

  • Why cyber risk security rating companies are important
  • How security rating products work
  • The short-term and long-term steps that can be taken to improve an organization’s score from a security rating company.
  • Whether an organization should buy a product or service from a security rating company or not.

Why cyber risk security rating companies are important

Gartner calls this category of product “IT Vendor Risk Management” solutions, and that’s the first important point. Products offered by security rating companies are, first and foremost, third-party tools.

They are used by other interested organizations to assess the risks of doing business with your organization. Interested organizations can include your insurance underwriter or a potential customer. Additionally, security rating companies may also be used to assess your supply chain by those same parties.

Given that it can increase the cost of your insurance, reduce the scope of your insurance, or even stop a customer from working with you, you must pay attention to how the rating companies work.

How security rating products work

In theory, the concept is sound. They gather publicly available information about an organization’s estate, assess the security posture, and then provide a score or grade based on what they observe.

However, there are limitations to this approach.

1. The scoring or grading algorithms used are proprietary 

There is no standard method used across the category. It’s not always clear how the score is calculated, and the algorithms change regularly—it’s a moving target. Customers tell us they have to spend time understanding how their score is going to be impacted by changes when they happen.

2. Scores are circumstantial 

The score is based on a point-in-time snapshot. Although vendors may show how a score has changed over time, the reality is that a score is based on the here and now.

3. Asset attribution is difficult

It’s very difficult to decide whether an organization actually owns an asset or not. Often, security ratings get it wrong. They score the posture of an asset that doesn’t belong to the organization, and it’s difficult to correct this when it happens. 

4. Reports are designed for non-technical audiences 

As a result, issues that appear can appear to be more serious than they actually are and can be misinterpreted.

5. A high score does not equal a gold standard 

Though there will be value in some issues that are uncovered, interpreting a high score as a gold standard is the wrong approach to managing risk in the estate. 

6. Scores take time to update 

When an issue is corrected, the score will take several weeks—or even months—to reflect the improvement in your estate.

How do I improve my security rating company score?

In the short-term

  • You should begin to build visibility of your entire public-facing estate in an automated and continuous manner. Every time a new asset is deployed, it should be added to your inventory automatically. 
  • Decide which parts of your estate are business-critical and which are not. It’s impossible to fix every configuration problem, so you must be pragmatic. What assets are most important and should have resources committed to them?
  • Check for DNS issues including dangling records and fix them when identified. 
  • Make sure that your asset configuration and application security policies align with the recommended best practices and that they are configured correctly. 
  • Monitor your IP addresses for ports and protocols that shouldn’t be visible to the public. 
  • Have a regular patching cadence. Your score will also be impacted by vulnerabilities in your assets, so make sure you have a patching policy in place and that end-of-life and end-of-service applications and products are managed correctly.

Then work on long-term best practice

Deploying applications that are secure by default must be the goal for organizations that take their security seriously. Security configuration checks must be embedded into the development and deployment pipeline so that issues are eliminated before they reach production environments. 

  • Integrate a security configuration policy check in your development and deployment process when deploying to staging.
  • If the configuration isn’t correct, then provide advice to the developer that will help them fix it.
  • Maintain a process to check if any configuration has changed.

Should I buy a product or service from a security rating company?

Some argue that security rating companies work in an unethical way. Oftentimes, they will try to sway you into buying their product by telling you that the score they’ve provided for you is also the score your prospects see when considering your organization. And if potential customers are using their tool to score you, then you should too! 

You should take a step back and ignore the scaremongering tactics. Instead, you should assess security rating companies based on what they actually do.

  • How fresh is the data that they provide, and how quickly does their score update after you have fixed a problem that they identify? 
  • Does the data they are providing actually belong to your organization?
  • Do they provide accurate insight?
  • When they tell you about a problem, do they help you understand why it’s a problem and if you should prioritize it?
  • Can they help you to focus on improving security in the business-critical areas of your organization while still maintaining visibility of the configuration in less important areas?
  • Do they provide advice on how you can fix a problem?
  • Are they interested in helping you work to industry standards and to follow best practices, and in working with you because your organization takes security seriously?
  • Do they have a DevOps view of the problem and are they interested in integrating their product into your ways of working?
  • Is there a customer success function that will actively work with you to meet your security goals?
  • Do they truly understand security standards and how they should be configured and what is important? 

Watch our full webinar below, ‘Reduce risk and stop losing business by fixing cybersecurity configuration risks’ to learn more!

PUBLISHED BY

Billy McDiarmid

5 Jun. 2023

SHARE ARTICLE:

Categories

ASM

Recent Posts

VIEW ALL
News

Winter wins: Red Sift OnDMARC wraps up 2024 as a G2 DMARC…

Francesca Rünger-Field

The season of giving has brought us another reason to celebrate! Red Sift OnDMARC continues its winning streak in G2’s Winter 2025 report, earning Leader status in the DMARC category for another consecutive season. This recognition reflects our strong market presence and the unwavering satisfaction of our customers. Cheers to wrapping up 2024 on…

Read more
AI

Text classification in the age of LLMs

Phong Nguyen

As natural language processing (NLP) advances, text classification remains a foundational task with applications in spam detection, sentiment analysis, topic categorization, and more. Traditionally, this task depended on rule-based systems and classical machine learning algorithms. However, the emergence of deep learning, transformer architectures, and Large Language Models (LLMs) has transformed text classification, allowing for…

Read more
Security

How to drive cybersecurity as a top business priority

Jack Lilley

Everyone has a role to play in protecting the enterprise. Whether you’re shaping strategy or implementing solutions, aligning efforts to mitigate critical risks ensures a stronger, more resilient enterprise. If you missed Red Sift’s recent webinar on “From Data to Buy-In: Driving Cybersecurity as a Top Business Priority” we’ve got you covered. The session…

Read more
DMARC

BreakSPF: How to mitigate the attack

Red Sift

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like…

Read more