A Complete Guide to Security Ratings

What is a Security Rating?
Written by Rachel Holmes

What is a security rating?

Security ratings are a data-driven, dynamic measurement of an organization's cyber security performance that can be used to understand and influence internal and third-party cyber risk. Sometimes referred to as cybersecurity ratings, these quantitative metrics give security teams a simple indicator of security performance across their own organization, as well as the security posture of the third-party organizations they rely on.

According to Gartner, security ratings provide “independent scoring and rating for enterprises… They gather data from public and private sources via non-intrusive means, analyze the data, and rate security using proprietary scoring methodologies.”

In their most basic form, security ratings may be a point-in-time measurement of an organization’s risk exposure. However, the most effective and trustworthy cybersecurity ratings methodologies measure an organization’s ongoing security execution and perform dynamic calculations based on frequent data collection, observation, and analysis.

Why are security ratings important?

A security rating is an objective, trusted way to assess the overall security performance of an organization and make impactful decisions about future cybersecurity needs and priorities.

For example, now that business-impacting security incidents are a regular occurrence, security teams face significant pressure to:

  • Bring a more proactive approach to their security practices that will reduce the likelihood of negative business outcomes
  • Demonstrate an understanding of risk posture and effective mitigation strategies to both internal stakeholders like executives and board members and external stakeholders like investors, regulators, and insurers

Security ratings, when calculated and applied effectively, give security teams a trustworthy framework to ensure that their efforts and investments will have the greatest possible impact on risk. They also provide a standardized, easily understandable way to communicate the security team’s level of performance – and the organization’s overall risk posture – to key internal and external stakeholders.


How are security ratings calculated?

Security ratings are generally calculated by collecting externally observable information about the rated organization, including both configuration details and evidence of possible security events.

1. Observable configuration details that may serve as indicators of an organization’s security hygiene include, for example:

  • The presence of complete and properly formed security headers for web applications
  • Up-to-date server software, including services, libraries, and plug-ins
  • The cadence at which the organization patches detectable vulnerabilities
  • Open ports and other indicators of system hardening and firewall practices
  • Proper configuration and management of TLS/SSL encryption
  • Adherence to email security best practices

2. Observations about general security configuration and practices may be considered alongside any indicators of an active security event within the organization’s environment, such as:

  • Communication with known command and control servers
  • Participation in distributed denial of service (DDoS) attacks
  • Instances of malware distribution, network scanning, and email-based attacks

3. Since not every observable configuration detail or security event represents an equivalent level of risk, it is important for the ratings provider to:

  • Map observations into defined risk vectors
  • Organize risk vectors into thematic categories
  • Apply weights to specific risk vector categories
  • Use an algorithm to calculate a normalized rating for the company

Security ratings must also be responsive to changes over time. This requires frequent refreshes to the observable data for all rated organizations, as well as clear processes for managing and acting on feedback from rated organizations.
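As an added illustration that is not Bitsight’s or any provider’s actual methodology, the three steps above carried through in Python on constructed observations: the vector-to-category mapping, the category weights and the 0 to 1000 rating range are all assumptions, and a second snapshot shows the rating moving once findings are remediated.

```python
from collections import defaultdict

# Constructed assumptions: which thematic category each risk vector belongs
# to, how the categories are weighted, and the rating range (higher = better).
VECTOR_CATEGORY = {
    "security_headers": "hygiene", "server_software": "hygiene",
    "patching_cadence": "hygiene", "open_ports": "hygiene",
    "tls_config": "hygiene", "email_security": "hygiene",
    "c2_communication": "events", "ddos_participation": "events",
    "malware_distribution": "events",
}
CATEGORY_WEIGHTS = {"hygiene": 0.4, "events": 0.6}  # must sum to 1.0
RATING_MIN, RATING_MAX = 0, 1000  # hypothetical rating range

def vector_risks(observations):
    """Step 1: map (vector, severity 0..1) observations onto risk vectors,
    keeping the worst severity seen per vector. Vectors with no adverse
    observation score 0 (nothing was observed externally)."""
    risks = {v: 0.0 for v in VECTOR_CATEGORY}
    for vector, severity in observations:
        if vector not in risks:
            raise ValueError(f"unknown risk vector: {vector}")
        risks[vector] = max(risks[vector], min(max(severity, 0.0), 1.0))
    return risks

def category_risks(risks):
    """Step 2: roll vectors up into their thematic categories (mean risk)."""
    buckets = defaultdict(list)
    for vector, risk in risks.items():
        buckets[VECTOR_CATEGORY[vector]].append(risk)
    return {cat: sum(vals) / len(vals) for cat, vals in buckets.items()}

def rating(observations):
    """Step 3: weight the categories and normalize onto the rating range."""
    cats = category_risks(vector_risks(observations))
    total_risk = sum(CATEGORY_WEIGHTS[c] * r for c, r in cats.items())
    return round(RATING_MIN + (1.0 - total_risk) * (RATING_MAX - RATING_MIN))

# Constructed sample observations for a fictional organization.
SNAPSHOT_1 = [
    ("security_headers", 0.5),   # a recommended header missing on the main site
    ("tls_config", 0.8),         # a legacy TLS protocol version still offered
    ("c2_communication", 1.0),   # a host seen contacting a known C2 server
    ("email_security", 0.2),
]
# Later refresh: C2 traffic stopped and TLS was fixed, so the rating must move.
SNAPSHOT_2 = [("security_headers", 0.5), ("email_security", 0.2)]

if __name__ == "__main__":
    print(rating(SNAPSHOT_1), "->", rating(SNAPSHOT_2))
```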

Figure: Security Ratings example: rating score and benchmarking

How are security ratings used?

Security ratings give security teams a framework to understand and manage cyber risk both internally and externally across their extended ecosystem. Cybersecurity ratings are typically presented as a numerical value within a pre-defined range, with a higher rating indicating better overall security posture.

Armed with a clear benchmark of their risk posture and level of execution, security teams can measure and continually manage internal security performance by:

  • Improving Visibility: This includes understanding security performance across all subsidiaries, business units, and geographic locations.
  • Monitoring Security Controls: Security ratings can be used to measure the effectiveness of security controls and continuously monitor overall security execution.
  • Analyzing Cybersecurity Data and Trends: Security teams with a trusted security rating can inspire confidence with stakeholders by communicating meaningful metrics that track ongoing cybersecurity performance.

Security ratings can also enable greater transparency and trust across organizational boundaries, including:

  • Third-Party Supply Chain Risk Management: Organizations can use security ratings to understand the risks posed by any third-party or supply chain business relationships. This simplifies vendor risk management even as changes occur over time.
  • Cyber Insurance: Whether an entity is a cyber insurance applicant or a policyholder, security ratings enable teams to improve underwriting coverage and pricing, monitor portfolio performance, aid in loss control, and strengthen the value brokers bring to their clients.
  • Mergers & Acquisitions: When organizations are considering new investment or M&A targets, security ratings add a quantitative element to cybersecurity due diligence and enable performance to be monitored during the integration process.
  • Government: Cyber risk can be discovered, monitored, and managed across expansive government supply chains or throughout critical infrastructure with the help of security ratings.

How can security ratings reduce internal risk?

Security teams are on the frontlines, building and evolving resilient cybersecurity programs. While point-in-time assessments and outputs from security tools can help guide these efforts, they often result in a reactive approach to security. A high-quality security rating methodology can provide insight into both how an organization is performing today and how performance is changing – and should change – over time.

For example, many security teams use security ratings to continuously monitor and manage their internal security execution in areas like vulnerability and risk management. The security rating gives them a clear and consistent measurement and specific pathways to improve their risk posture. When used to their full potential, security ratings can help security teams streamline program decisions, monitor security control effectiveness, benchmark performance against peers, communicate program performance, and set uniform performance targets.

How do security ratings reduce third-party risk exposure?

With vendor ecosystems and digital footprints growing, it’s more important than ever to understand cyber risk exposure beyond the boundary of your internal IT infrastructure. Cyber risk assessment questionnaires can play a useful role, but they become outdated quickly and don’t always reflect real-world exposure presented by third parties. It’s easy for processes like onboarding a new vendor, assessing existing third-parties, and communicating security performance standards to get lost in unclear data and labor-intensive reporting processes.

Security ratings provide an important complement to these traditional risk management methods by providing continuous, objective, and actionable data. Security ratings can be used to power more sophisticated vendor risk management workflows that can validate questionnaire responses with real-world observations and continuously monitor for changes in third-party risk posture. This type of objective, evidence-based approach removes friction from third-party security interactions, improving efficiency for all involved while achieving better outcomes.

How do I know if a security rating is trustworthy?

Key questions to consider when choosing a security ratings provider include:

  • How long has the provider been offering security ratings to the industry?
  • How many organizations use the provider’s security ratings platform?
  • What business relationships does the provider have with leaders in related areas such as credit ratings and insurance?
  • Is there any independent evidence that the ratings provider’s findings are correlated with real-world security outcomes?
  • Is the provider evaluated favorably in key industry reports such as The Forrester Wave™: Cybersecurity Risk Ratings Platforms?

The Marsh McLennan Cyber Risk Analytics Center Study provides an independent look at how organizations can use security ratings to:

  • Prioritize resources and address security risks
  • Lower the probability of experiencing a cybersecurity incident
  • Improve cyber insurance coverage with better security performance
  • Improve the cyber insurance underwriting and acquisition process

Marsh’s research includes an independent assessment of how the findings of specific security ratings providers correlate with real-world security outcomes.

Bitsight security ratings correlate with the likelihood of a cybersecurity incident: Bitsight data is independently verified to correlate with an organization’s risk of a security incident, according to studies by Moody's Analytics and others.

Can security ratings be used to quantify financial risk?

Although cyber risk quantification (CRQ) is still relatively new in the cybersecurity market, many security teams and security ratings providers are now collaborating on ways to translate security ratings data into projections of financial outcomes for various decisions.

While there is a perception that CRQ is challenging to accomplish, a trusted security rating can act as a stepping stone to identifying an organization’s financial exposure to cyber risk if their provider offers value-add capabilities in this area.

Are there any security ratings best practices?

Organizations that have the greatest success with security ratings often have programs with the following attributes:

  1. Governance. Drive accountability across the organization and establish standards according to individual risk appetites. With insight into peer performance, companies can set performance targets in alignment with their unique goals. Align investments and actions with the highest measurable impact for the cybersecurity program over time.
  2. Management. Leverage continuous controls monitoring to understand security control effectiveness and set performance targets. Implement remediation process workflows, deliver comprehensive views of the extended digital footprint, and facilitate day-to-day management. Efficiently and dynamically allocate your team’s limited resources on the most critical areas of cyber risk.
  3. Assurance. Communicate program performance with the Board of Directors, executive leadership, investors, and customers. Facilitate data-driven, risk-based conversations about cybersecurity by delivering easy-to-understand program KPIs.

How can I find my organization’s security rating?

Some security ratings providers, including Bitsight, make it free and easy to view an initial snapshot of your security rating. This is an excellent way to understand where your organization stands today and understand a specific ratings provider’s methodology and user experience.
