How does a customer improve their security rating company score?

Executive summary

  • Why cyber risk security rating companies are important
  • How security rating products work
  • The short-term and long-term steps that can be taken to improve an organization’s score from a security rating company.
  • Whether an organization should buy a product or service from a security rating company or not.

Why cyber risk security rating companies are important

Gartner calls this category of product “IT Vendor Risk Management” solutions, and that’s the first important point. Products offered by security rating companies are, first and foremost, third-party tools.

They are used by other interested organizations to assess the risks of doing business with your organization. Interested organizations can include your insurance underwriter or a potential customer. Additionally, security rating companies may also be used to assess your supply chain by those same parties.

Given that it can increase the cost of your insurance, reduce the scope of your insurance, or even stop a customer from working with you, you must pay attention to how the rating companies work.

How security rating products work

In theory, the concept is sound. They gather publicly available information about an organization’s estate, assess the security posture, and then provide a score or grade based on what they observe.

However, there are limitations to this approach.

1. The scoring or grading algorithms used are proprietary 

There is no standard method used across the category. It’s not always clear how the score is calculated, and the algorithms change regularly—it’s a moving target. Customers tell us they have to spend time understanding how their score is going to be impacted by changes when they happen.

2. Scores are circumstantial 

The score is based on a point-in-time snapshot. Although vendors may show how a score has changed over time, the reality is that a score is based on the here and now.

3. Asset attribution is difficult

It’s very difficult to decide whether an organization actually owns an asset or not. Often, security ratings get it wrong. They score the posture of an asset that doesn’t belong to the organization, and it’s difficult to correct this when it happens. 

4. Reports are designed for non-technical audiences 

As a result, issues that appear in a report can seem more serious than they actually are, and they can easily be misinterpreted.

5. A high score does not equal a gold standard 

Though there will be value in some issues that are uncovered, interpreting a high score as a gold standard is the wrong approach to managing risk in the estate. 

6. Scores take time to update 

When an issue is corrected, the score will take several weeks—or even months—to reflect the improvement in your estate.

How do I improve my security rating company score?

In the short-term

  • You should begin to build visibility of your entire public-facing estate in an automated and continuous manner. Every time a new asset is deployed, it should be added to your inventory automatically. 
  • Decide which parts of your estate are business-critical and which are not. It’s impossible to fix every configuration problem, so you must be pragmatic. What assets are most important and should have resources committed to them?
  • Check for DNS issues including dangling records and fix them when identified. 
  • Make sure that your asset configuration and application security policies align with the recommended best practices and that they are configured correctly. 
  • Monitor your IP addresses for ports and protocols that shouldn’t be visible to the public. 
  • Have a regular patching cadence. Your score will also be impacted by vulnerabilities in your assets, so make sure you have a patching policy in place and that end-of-life and end-of-service applications and products are managed correctly.
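The first three short-term steps above (build a continuous inventory, check for dangling DNS records, and confirm that what is scored actually belongs to you) can be automated against a zone export. The following is an added example, not code from the original article or from Red Sift; it uses a constructed zone for the reserved name example.com, a constructed list of owned address ranges, and a stand-in `resolves()` function in place of a live DNS lookup, so it runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str   # "A" or "CNAME"
    value: str

# Constructed sample zone export (hypothetical data, not a real organization's zone).
SAMPLE_ZONE = [
    Record("www.example.com", "A", "203.0.113.10"),
    Record("api.example.com", "A", "203.0.113.20"),
    Record("old-demo.example.com", "A", "198.51.100.77"),   # outside our owned ranges
    Record("blog.example.com", "CNAME", "example-blog.hosting-provider.example"),
    Record("shop.example.com", "CNAME", "shop-tenant.saas-provider.example"),
]

# Constructed: the address space the organization actually owns.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed stand-in for DNS: only these names would resolve today.
RESOLVABLE = {"example-blog.hosting-provider.example"}

def resolves(name: str) -> bool:
    """Offline substitute for a real lookup (constructed for this example)."""
    return name in RESOLVABLE

def find_dangling_cnames(records: Iterable[Record],
                         resolves: Callable[[str], bool]) -> list[str]:
    """CNAMEs whose target no longer resolves: the classic dangling record."""
    return sorted(r.name for r in records
                  if r.rtype == "CNAME" and not resolves(r.value))

def find_unowned_a_records(records: Iterable[Record],
                           owned_networks: list) -> list[str]:
    """A records pointing at addresses outside the owned ranges.

    These are either stale (an address released back to a cloud provider)
    or an attribution problem a rating company may still score against you.
    """
    flagged = []
    for r in records:
        if r.rtype != "A":
            continue
        addr = ipaddress.ip_address(r.value)
        if not any(addr in net for net in owned_networks):
            flagged.append(r.name)
    return sorted(flagged)

def build_inventory(records: Iterable[Record], owned_networks: list,
                    resolves: Callable[[str], bool]) -> dict[str, str]:
    """Map every public name to a status: ok, dangling-cname or unowned-ip."""
    records = list(records)
    dangling = set(find_dangling_cnames(records, resolves))
    unowned = set(find_unowned_a_records(records, owned_networks))
    inventory = {}
    for r in records:
        if r.name in dangling:
            status = "dangling-cname"
        elif r.name in unowned:
            status = "unowned-ip"
        else:
            status = "ok"
        inventory[r.name] = status
    return inventory

def new_assets(previous_names: set[str], records: Iterable[Record]) -> list[str]:
    """Names present in the zone now but absent from the last inventory run."""
    return sorted({r.name for r in records} - previous_names)

if __name__ == "__main__":
    for name, status in build_inventory(SAMPLE_ZONE, OWNED_NETWORKS, resolves).items():
        print(f"{name:24} {status}")
    print("new since last run:",
          new_assets({"www.example.com", "api.example.com"}, SAMPLE_ZONE))
```

Run on a schedule, the `new_assets()` diff is what turns a one-off audit into the continuous inventory the list asks for; in a real deployment `resolves()` would be replaced by an actual resolver and `OWNED_NETWORKS` by the ranges from your cloud and hosting accounts.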

Then work on long-term best practice

Deploying applications that are secure by default must be the goal for organizations that take their security seriously. Security configuration checks must be embedded into the development and deployment pipeline so that issues are eliminated before they reach production environments. 

  • Integrate a security configuration policy check in your development and deployment process when deploying to staging.
  • If the configuration isn’t correct, then provide advice to the developer that will help them fix it.
  • Maintain a process to check if any configuration has changed.
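The three long-term steps above describe one mechanism: a policy check at the staging gate that fails the deployment, tells the developer how to fix each finding, and keeps a fingerprint so later configuration changes are noticed. The following is an added example, not code from the original article or from Red Sift; the policy rules, severities and the observed staging configuration are all constructed for illustration, and in a real pipeline the `STAGING_CONFIG` dictionary would be populated from a scan of the staging environment.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    check: str
    severity: str   # "high" blocks the deployment, "medium" is reported only
    advice: str     # what the developer should change

# Constructed snapshot of what a scan of a staging service observed (not real data).
STAGING_CONFIG = {
    "tls_min_version": "1.0",
    "headers": {
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Type": "text/html",
    },
    "open_ports": [22, 443, 3306],
}

# Constructed policy: what a public-facing web service is allowed to expose.
ALLOWED_PORTS = {443}
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "Send HSTS with a max-age of at least one year.",
    "X-Content-Type-Options": "Send 'X-Content-Type-Options: nosniff'.",
    "Content-Security-Policy": "Send a Content-Security-Policy that restricts script sources.",
}

def evaluate(cfg: dict) -> list[Finding]:
    """Compare an observed configuration against the policy and explain each gap."""
    findings = []
    if cfg.get("tls_min_version") in ("1.0", "1.1"):
        findings.append(Finding(
            "tls-min-version", "high",
            "Raise the minimum TLS version to 1.2; 1.0 and 1.1 are deprecated."))
    for header, advice in REQUIRED_HEADERS.items():
        if header not in cfg.get("headers", {}):
            findings.append(Finding(f"missing-header:{header}", "medium", advice))
    for port in sorted(set(cfg.get("open_ports", [])) - ALLOWED_PORTS):
        findings.append(Finding(
            f"open-port:{port}", "high",
            f"Port {port} should not be reachable from the internet; "
            "restrict it to a private network or close it."))
    return findings

def gate(cfg: dict) -> bool:
    """True when the deployment may proceed (no high-severity findings)."""
    return not any(f.severity == "high" for f in evaluate(cfg))

def fingerprint(cfg: dict) -> str:
    """Stable hash of the configuration, used to detect drift between runs."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def has_drifted(baseline_fingerprint: str, cfg: dict) -> bool:
    """True when the configuration no longer matches the approved baseline."""
    return fingerprint(cfg) != baseline_fingerprint

# Constructed: the same service after the developer applied the advice.
FIXED_CONFIG = {
    "tls_min_version": "1.2",
    "headers": {
        "Strict-Transport-Security": "max-age=31536000",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "Content-Type": "text/html",
    },
    "open_ports": [443],
}

if __name__ == "__main__":
    for f in evaluate(STAGING_CONFIG):
        print(f"[{f.severity}] {f.check}: {f.advice}")
    print("deploy allowed:", gate(STAGING_CONFIG))
    baseline = fingerprint(FIXED_CONFIG)
    print("drift after fix:", has_drifted(baseline, FIXED_CONFIG))
```

The advice string travels with each finding so the pipeline can print it straight into the developer's build log, which is the second bullet above; storing the fingerprint of the approved configuration and re-checking it on a schedule is the third.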

Should I buy a product or service from a security rating company?

Some argue that security rating companies work in an unethical way. Oftentimes, they will try to sway you into buying their product by telling you that the score they’ve provided for you is also the score your prospects see when considering your organization. And if potential customers are using their tool to score you, then you should too! 

You should take a step back and ignore the scaremongering tactics. Instead, you should assess security rating companies based on what they actually do.

  • How fresh is the data that they provide, and how quickly does their score update after you have fixed a problem that they identify? 
  • Does the data they are providing actually belong to your organization?
  • Do they provide accurate insight?
  • When they tell you about a problem, do they help you understand why it’s a problem and if you should prioritize it?
  • Can they help you to focus on improving security in the business-critical areas of your organization while still maintaining visibility of the configuration in less important areas?
  • Do they provide advice on how you can fix a problem?
  • Are they interested in helping you work to industry standards and to follow best practices, and in working with you because your organization takes security seriously?
  • Do they have a DevOps view of the problem and are they interested in integrating their product into your ways of working?
  • Is there a customer success function that will actively work with you to meet your security goals?
  • Do they truly understand security standards and how they should be configured and what is important? 

Watch our full webinar below, ‘Reduce risk and stop losing business by fixing cybersecurity configuration risks’ to learn more!

PUBLISHED BY

Billy McDiarmid

5 Jun. 2023
