How does a customer improve their security rating company score?

Executive summary

  • Why cyber risk security rating companies are important
  • How security rating products work
  • The short-term and long-term steps that can be taken to improve an organization’s score from a security rating company.
  • Whether an organization should buy a product or service from a security rating company or not.

Why cyber risk security rating companies are important

Gartner calls this category of product “IT Vendor Risk Management” solutions, and that’s the first important point. Products offered by security rating companies are, first and foremost, third-party tools.

They are used by other interested organizations to assess the risks of doing business with your organization. Interested organizations can include your insurance underwriter or a potential customer. Additionally, security rating companies may also be used to assess your supply chain by those same parties.

Given that it can increase the cost of your insurance, reduce the scope of your insurance, or even stop a customer from working with you, you must pay attention to how the rating companies work.

How security rating products work

In theory, the concept is sound. They gather publicly available information about an organization’s estate, assess the security posture, and then provide a score or grade based on what they observe.

However, there are limitations to this approach.

1. The scoring or grading algorithms used are proprietary 

There is no standard method used across the category. It’s not always clear how the score is calculated, and the algorithms change regularly—it’s a moving target. Customers tell us they have to spend time understanding how their score is going to be impacted by changes when they happen.

2. Scores are circumstantial 

The score is based on a point-in-time snapshot. Although vendors may show how a score has changed over time, the reality is that a score is based on the here and now.

3. Asset attribution is difficult

It’s very difficult to decide whether an organization actually owns an asset or not. Often, security ratings get it wrong. They score the posture of an asset that doesn’t belong to the organization, and it’s difficult to correct this when it happens. 

4. Reports are designed for non-technical audiences 

As a result, issues that appear can appear to be more serious than they actually are and can be misinterpreted.

5. A high score does not equal a gold standard 

Though there will be value in some issues that are uncovered, interpreting a high score as a gold standard is the wrong approach to managing risk in the estate. 

6. Scores take time to update 

When an issue is corrected, the score will take several weeks—or even months—to reflect the improvement in your estate.

How do I improve my security rating company score?

In the short-term

  • You should begin to build visibility of your entire public-facing estate in an automated and continuous manner. Every time a new asset is deployed, it should be added to your inventory automatically. 
  • Decide which parts of your estate are business-critical and which are not. It’s impossible to fix every configuration problem, so you must be pragmatic. What assets are most important and should have resources committed to them?
  • Check for DNS issues including dangling records and fix them when identified. 
  • Make sure that your asset configuration and application security policies align with the recommended best practices and that they are configured correctly. 
  • Monitor your IP addresses for ports and protocols that shouldn’t be visible to the public. 
  • Have a regular patching cadence. Your score will also be impacted by vulnerabilities in your assets, so make sure you have a patching policy in place and that end-of-life and end-of-service applications and products are managed correctly.

Then work on long-term best practice

Deploying applications that are secure by default must be the goal for organizations that take their security seriously. Security configuration checks must be embedded into the development and deployment pipeline so that issues are eliminated before they reach production environments. 

  • Integrate a security configuration policy check in your development and deployment process when deploying to staging.
  • If the configuration isn’t correct, then provide advice to the developer that will help them fix it.
  • Maintain a process to check if any configuration has changed.

Should I buy a product or service from a security rating company?

Some argue that security rating companies work in an unethical way. Oftentimes, they will try to sway you into buying their product by telling you that the score they’ve provided for you is also the score your prospects see when considering your organization. And if potential customers are using their tool to score you, then you should too! 

You should take a step back and ignore the scaremongering tactics. Instead, you should assess security rating companies based on what they actually do.

  • How fresh is the data that they provide, and how quickly does their score update after you have fixed a problem that they identify? 
  • Does the data they are providing actually belong to your organization?
  • Do they provide accurate insight?
  • When they tell you about a problem, do they help you understand why it’s a problem and if you should prioritize it?
  • Can they help you to focus on improving security in the business-critical areas of your organization while still maintaining visibility of the configuration in less important areas?
  • Do they provide advice on how you can fix a problem?
  • Are they interested in helping you work to industry standards and to follow best practices, and in working with you because your organization takes security seriously?
  • Do they have a DevOps view of the problem and are they interested in integrating their product into your ways of working?
  • Is there a customer success function that will actively work with you to meet your security goals?
  • Do they truly understand security standards and how they should be configured and what is important? 

Watch our full webinar below, ‘Reduce risk and stop losing business by fixing cybersecurity configuration risks’ to learn more!

PUBLISHED BY

Billy McDiarmid

5 Jun. 2023

SHARE ARTICLE:

Categories

ASM

Recent Posts

VIEW ALL
ASM

Zoom stops zooming: Why active monitoring is essential

Billy McDiarmid

​On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as their corporate email for all their employees. It was quickly identified as a domain name registration status problem. Despite being a critical name for Zoom, somehow, the…

Read more
DMARC

Why DMARC matters: Protect your organization from evolving phishing threats

Jack Lilley

Phishing campaigns continue to change. Attackers are adapting faster than traditional security tools, using more subtle methods to bypass filters and reach inboxes. The latest KnowBe 4 Phishing Threat Trends Report (2025) shows a steady increase in attacks that slip through email security platforms and a growing use of techniques that avoid detection, increasing…

Read more
News

Red Sift OnDMARC joins the Jisc Chest platform to strengthen email security…

Francesca Rünger-Field

With the National Cyber Security Centre’s (NCSC) Mail Check tool having retired its free DMARC reporting service in March 2025, education and research institutions across the UK are now facing a critical visibility gap when it comes to email-based threats. To help address this, Red Sift is now working with Jisc—the UK’s not-for-profit provider…

Read more
News

Microsoft announces new email requirements for bulk senders

Red Sift

Executive Summary: New email authentication rules from Microsoft will impact bulk senders starting May 2025. To protect users from spoofing and phishing, Microsoft will require SPF, DKIM, and DMARC authentication—bringing its policies in line with Google and Yahoo. Red Sift offers tools to help organizations comply and maintain deliverability. This article: Microsoft has officially…

Read more