How does a customer improve their security rating company score?

Executive summary

  • Why cyber risk security rating companies are important
  • How security rating products work
  • The short-term and long-term steps that can be taken to improve an organization’s score from a security rating company.
  • Whether an organization should buy a product or service from a security rating company or not.

Why cyber risk security rating companies are important

Gartner calls this category of product “IT Vendor Risk Management” solutions, and that’s the first important point. Products offered by security rating companies are, first and foremost, third-party tools.

They are used by other interested organizations to assess the risks of doing business with your organization. Interested organizations can include your insurance underwriter or a potential customer. Additionally, security rating companies may also be used to assess your supply chain by those same parties.

Given that it can increase the cost of your insurance, reduce the scope of your insurance, or even stop a customer from working with you, you must pay attention to how the rating companies work.

How security rating products work

In theory, the concept is sound. They gather publicly available information about an organization’s estate, assess the security posture, and then provide a score or grade based on what they observe.

However, there are limitations to this approach.

1. The scoring or grading algorithms used are proprietary 

There is no standard method used across the category. It’s not always clear how the score is calculated, and the algorithms change regularly—it’s a moving target. Customers tell us they have to spend time understanding how their score is going to be impacted by changes when they happen.

2. Scores are circumstantial 

The score is based on a point-in-time snapshot. Although vendors may show how a score has changed over time, the reality is that a score is based on the here and now.

3. Asset attribution is difficult

It’s very difficult to decide whether an organization actually owns an asset or not. Often, security ratings get it wrong. They score the posture of an asset that doesn’t belong to the organization, and it’s difficult to correct this when it happens. 

4. Reports are designed for non-technical audiences 

As a result, issues that appear can appear to be more serious than they actually are and can be misinterpreted.

5. A high score does not equal a gold standard 

Though there will be value in some issues that are uncovered, interpreting a high score as a gold standard is the wrong approach to managing risk in the estate. 

6. Scores take time to update 

When an issue is corrected, the score will take several weeks—or even months—to reflect the improvement in your estate.

How do I improve my security rating company score?

In the short-term

  • You should begin to build visibility of your entire public-facing estate in an automated and continuous manner. Every time a new asset is deployed, it should be added to your inventory automatically. 
  • Decide which parts of your estate are business-critical and which are not. It’s impossible to fix every configuration problem, so you must be pragmatic. What assets are most important and should have resources committed to them?
  • Check for DNS issues including dangling records and fix them when identified. 
  • Make sure that your asset configuration and application security policies align with the recommended best practices and that they are configured correctly. 
  • Monitor your IP addresses for ports and protocols that shouldn’t be visible to the public. 
  • Have a regular patching cadence. Your score will also be impacted by vulnerabilities in your assets, so make sure you have a patching policy in place and that end-of-life and end-of-service applications and products are managed correctly.

Then work on long-term best practice

Deploying applications that are secure by default must be the goal for organizations that take their security seriously. Security configuration checks must be embedded into the development and deployment pipeline so that issues are eliminated before they reach production environments. 

  • Integrate a security configuration policy check in your development and deployment process when deploying to staging.
  • If the configuration isn’t correct, then provide advice to the developer that will help them fix it.
  • Maintain a process to check if any configuration has changed.

Should I buy a product or service from a security rating company?

Some argue that security rating companies work in an unethical way. Oftentimes, they will try to sway you into buying their product by telling you that the score they’ve provided for you is also the score your prospects see when considering your organization. And if potential customers are using their tool to score you, then you should too! 

You should take a step back and ignore the scaremongering tactics. Instead, you should assess security rating companies based on what they actually do.

  • How fresh is the data that they provide, and how quickly does their score update after you have fixed a problem that they identify? 
  • Does the data they are providing actually belong to your organization?
  • Do they provide accurate insight?
  • When they tell you about a problem, do they help you understand why it’s a problem and if you should prioritize it?
  • Can they help you to focus on improving security in the business-critical areas of your organization while still maintaining visibility of the configuration in less important areas?
  • Do they provide advice on how you can fix a problem?
  • Are they interested in helping you work to industry standards and to follow best practices, and in working with you because your organization takes security seriously?
  • Do they have a DevOps view of the problem and are they interested in integrating their product into your ways of working?
  • Is there a customer success function that will actively work with you to meet your security goals?
  • Do they truly understand security standards and how they should be configured and what is important? 

Watch our full webinar below, ‘Reduce risk and stop losing business by fixing cybersecurity configuration risks’ to learn more!


Billy McDiarmid

5 Jun. 2023




Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more