Security ratings, or cybersecurity ratings, are a data-driven, objective and dynamic measurement of an organization's security posture. They are produced by an independent security rating platform from externally observable evidence, which makes them useful as an objective indicator of an organization's cybersecurity performance.
Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk.
The higher the security rating, the better the organization's security posture.
Thousands of organizations like yours use security ratings as a tool to understand and mitigate a variety of critical, interconnected internal and external security risks.
What Are the Common Use Cases for Security Ratings?
Security ratings are used to assess the cybersecurity of external organizations such as vendors, investment targets and insurance applicants, as well as to assess internal risk and to improve communication about cybersecurity performance.
Third-Party Risk Management (TPRM)
The original use of security ratings was to help third-party risk management teams to manage cybersecurity risk, including:
- Understanding third-party risk and fourth-party risk (vendor risk) posed by supply chain, third-party vendor, and business partner relationships.
- Cyber insurance underwriting, pricing and risk management by allowing insurers to gain visibility into the security program of those they insure to better assess and price their insurance policies.
- Investment in or acquisition of a company by providing organizations with an independent assessment of an investment or M&A target's information security controls.
- Enabling governments to better understand and manage their own and their vendors' cybersecurity performance, a key component of FISMA compliance.
Security ratings have been widely adopted because they supplement, and in some cases reduce the need for, time-consuming vendor risk assessment techniques like questionnaires, on-site visits and penetration tests. Most importantly, they are continuously updated rather than fixed at a point in time. Note that a rating is built from what can be observed from the outside; it cannot see inside an application or network the way a penetration test can.
Because cybersecurity teams can identify security issues quickly, they can decide which vendors to focus on first. This greatly reduces the operational burden on TPRM teams during vendor selection, due diligence, onboarding and monitoring. Ratings can also be shared with vendors to focus their remediation efforts.
Cybersecurity Performance Management
Security is becoming a critical competitive issue, alongside classic differentiators like price and performance. Businesses increasingly need to demonstrate robust cybersecurity practices when winning and retaining business.
Security ratings are increasingly used for internal security performance management, including:
- Continual assessment of internal cybersecurity posture, providing CISOs with a simple, understandable rating that can be presented to key stakeholders including C-Suite and board members.
- Benchmarking and comparison to industry peers, competitors, sectors, and vendors. This can assist with decision-making and provide context about what security controls or mitigations your organization needs to invest in.
- Providing assurance to customers, insurers, regulators and other stakeholders that your organization cares about preventing security issues like data breaches, malware, and ransomware.
Before security ratings, security performance indicators were hard to quantify and generally relied on narrow technical metrics such as the number of ports closed or software patches applied.
Today, security and risk leaders have an objective, independent, and broadly adopted key performance indicator that is easy to understand for non-technical stakeholders. This allows them to continuously assess their security posture, set goals, track progress, and report meaningful information to other executives and the Board.
By diving into the individual risk vectors that make up a security rating, you can determine (in near real-time) which areas are exposing your organization to the greatest amount of risk.
Additionally, security ratings are useful for benchmarking. By comparing your organization's security rating to its past performance, as well as your competitors, you can accurately gauge whether or not your team's efforts are paying off.
Cyber Risk Appetite Definition
A cyber risk appetite defines the degree of risk an organization is willing to accept in order to meet its business objectives. Security ratings offer a quantitative measure of each third-party vendor’s security posture ranging from zero to a maximum cybersecurity value of 950.
Security ratings are measured from an analysis of billions of data points, including commonly exploited attack vectors, to form an accurate representation of a vendor’s state of security and likelihood of suffering a breach.
With a security rating system, an organization's risk appetite for third-party vendor relationships can be expressed as a minimum acceptable security rating, where prospective vendors whose rating falls below this value are not considered for partnership.
Security ratings simplify risk appetite calculation while also enhancing the security of vendor onboarding processes.
How are Security Ratings Calculated?
Security ratings don't rely on traditional risk assessment techniques like penetration testing, security questionnaires, or on-site visits. Instead, security ratings are derived from objective, externally verifiable information and are calculated by a trusted, independent organization.
UpGuard is one of the most popular and trusted security ratings platforms. We generate our ratings with proprietary algorithms that analyze trusted commercial and open-source data sets, collected non-intrusively, to quantitatively evaluate cybersecurity risk.
With UpGuard, an organization's security rating ranges from 0 to 950 and is a weighted average of the risk ratings of all of its externally facing assets, such as web applications, IP addresses and marketing sites.
The lower the rating, the more severe the risks the organization is exposed to. Conversely, the higher the rating, the better its security practices and the less likely attacks against it are to succeed.
To keep our security ratings up to date, we recalculate scores whenever a website is scanned or a security questionnaire is submitted. In practice this means an organization's security rating is updated multiple times a day, as most websites are scanned daily.
This enables continuous monitoring of vendors beyond the initial assessment process.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Network security
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
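The roll-up described above (per-asset checks on externally observable signals, combined into a weighted average and mapped onto a 0 to 950 scale) and the risk-appetite threshold from the earlier section can be made concrete with a small model. The following is an added illustration written for this page, not UpGuard's code: UpGuard's algorithm, weights and point values are proprietary, so every check, point value, asset weight, hostname and record below is an assumption or constructed sample data. It covers a handful of the listed vectors (SPF, DMARC, HSTS, cookie flags, legacy TLS, exposed admin and database ports).

```python
from dataclasses import dataclass

MAX_RATING = 950  # the page's 0..950 scale, higher is better
# Admin/database/file-service ports a rating would flag if reachable from the internet.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 3306: "MySQL",
               3389: "RDP", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

@dataclass
class Asset:  # externally observable facts about one internet-facing host
    hostname: str
    apex_txt: list       # TXT records at the domain apex (where SPF lives)
    dmarc_txt: list      # TXT records at _dmarc.<domain>
    headers: list        # (name, value) pairs from an HTTPS response
    tls_versions: set    # protocol versions the server will negotiate
    open_ports: set
    weight: float = 1.0  # relative importance in the roll-up (assumed, not UpGuard's)

def _tags(record: str) -> dict:
    """Parse 'k=v; k=v' records (DMARC, HSTS) into a lower-cased dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

# Each check returns [(finding, risk points)]; point values are invented for the example.
def check_spf(a: Asset) -> list:
    spf = [r for r in a.apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [("No SPF record", 15)]
    mech = spf[0].lower().split()
    if "+all" in mech or mech[-1] == "all":
        return [("SPF ends in +all: anyone may send as this domain", 20)]
    if "?all" in mech:
        return [("SPF ends in ?all: neutral, no protection", 10)]
    return []

def check_dmarc(a: Asset) -> list:
    rec = [r for r in a.dmarc_txt if r.upper().startswith("V=DMARC1")]
    if not rec:
        return [("No DMARC record", 20)]
    policy = _tags(rec[0]).get("p", "none").lower()
    if policy == "none":
        return [("DMARC p=none: spoofed mail is reported, not blocked", 10)]
    if policy == "quarantine":
        return [("DMARC p=quarantine rather than p=reject", 3)]
    return []

def check_hsts(a: Asset) -> list:
    hsts = [v for n, v in a.headers if n.lower() == "strict-transport-security"]
    if not hsts:
        return [("No HSTS header", 10)]
    age = _tags(hsts[0]).get("max-age", "0")
    if not age.isdigit() or int(age) < 31536000:  # one year, the preload-list minimum
        return [("HSTS max-age missing or below one year", 5)]
    return []

def check_cookies(a: Asset) -> list:
    out = []
    for n, v in a.headers:
        if n.lower() == "set-cookie":
            name, attrs = v.split("=", 1)[0], {p.strip().lower() for p in v.split(";")[1:]}
            out += [(f"Cookie {name} lacks {f}", pts) for f, pts in
                    (("Secure", 5), ("HttpOnly", 3)) if f.lower() not in attrs]
    return out

def check_tls(a: Asset) -> list:
    legacy = {"SSLv3": 25, "TLSv1.0": 15, "TLSv1.1": 10}
    return [(f"Server still negotiates {v}", p) for v, p in legacy.items() if v in a.tls_versions]

def check_ports(a: Asset) -> list:
    return [(f"{svc} port {p} reachable from the internet", 10)
            for p, svc in RISKY_PORTS.items() if p in a.open_ports]

CHECKS = [check_spf, check_dmarc, check_hsts, check_cookies, check_tls, check_ports]

def asset_risk(a: Asset) -> tuple:
    """Risk 0 (clean) .. 100 (saturated), plus the findings that produced it."""
    findings = [f for check in CHECKS for f in check(a)]
    return min(100, sum(p for _, p in findings)), findings

def security_rating(assets: list) -> int:
    """Weighted average of per-asset risk mapped onto 0..950; higher is better."""
    total_w = sum(a.weight for a in assets)
    avg_risk = sum(asset_risk(a)[0] * a.weight for a in assets) / total_w
    return round(MAX_RATING * (1 - avg_risk / 100))

def meets_risk_appetite(rating: int, minimum_rating: int) -> bool:
    return rating >= minimum_rating  # risk appetite as a minimum acceptable rating

# Constructed sample assets (not real hosts or scan data). STRONG is weighted 2x.
WEAK = Asset("www.vendor-a.example", ["v=spf1 include:_spf.example.net +all"], [],
             [("Set-Cookie", "session=abc123; Path=/")], {"TLSv1.0", "TLSv1.2"}, {443, 3389})
STRONG = Asset("www.vendor-b.example", ["v=spf1 include:_spf.example.net -all"],
               ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-b.example"],
               [("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
                ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax")],
               {"TLSv1.2", "TLSv1.3"}, {443}, weight=2.0)

if __name__ == "__main__":
    print(security_rating([WEAK, STRONG]), asset_risk(WEAK)[1])
```

Run as a script it prints the combined rating (687 for the two sample assets, since WEAK accumulates 83 risk points and STRONG none, and STRONG carries twice the weight) followed by the seven findings behind WEAK's score. The point of the structure, rather than the particular numbers, is that every rating decomposes into per-asset findings a vendor can act on, and that a risk-appetite threshold such as `meets_risk_appetite(rating, 700)` is just a comparison against the rolled-up number.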
If you are a prospective customer of other security rating services, like SecurityScorecard or BitSight Technologies, see our guide on SecurityScorecard security ratings vs BitSight security ratings here.
Uses of Security Ratings
How Can Security Ratings Help Identify, Manage and Reduce Risk?
It's difficult to identify, manage, and reduce cybersecurity risk. Like many organizations, you may not know the actual security performance of your organization and its critical third parties.
Digitization has increased the speed of commerce, the scope of customers, the understanding of consumer habits, and the efficiency of operations across the board. But it has also increased the risk surface of the business, creating new dangers, and obstacles.
This risk is compounded by the interrelations of digital businesses that handle your sensitive data and technological infrastructure, as each third-party is a potential attack vector for your organization.
A vulnerability in, or compromise of, one of your vendors, suppliers or business partners that holds your data or has access to your systems can become the path to a data breach in your own organization. The technical nature of this risk puts it out of reach for those without specialist skills, leaving organizations without visibility into an extremely valuable and critical part of their business.
This is where security ratings can help. Security ratings provide a continuous and up-to-date assessment of your potential attack surface without the need to have deep technical expertise.
They provide a daily measurement of an organization's security performance, calculated with an approach similar to the one credit ratings use to quantify financial risk.
This allows you to monitor and benchmark your internal security performance over time, strengthen your vendor risk management program, and reduce risk.
How Can Security Ratings Be Used For Vendor Risk Management?
Assessing the security of every third-party can be immensely time-consuming and out of reach for many organizations that rely on traditional methods.
Sending out spreadsheet-based security questionnaires to understand a vendor's security posture requires a lot of tracking and follow-up. Moreover, these questionnaires are subjective and often become inaccurate over time as new security issues emerge.
Other processes like on-site visits and penetration testing are too resource-intensive and cost-prohibitive to run at scale.
Security ratings complement these traditional risk management methods by providing continuous, objective and actionable data. UpGuard Vendor Risk enables organizations to continuously monitor and rate their vendors' security performance and to automate the security questionnaire process.
This allows you to efficiently scale your third-party risk management program without scaling headcount by:
- Automating the process to gain an understanding of your vendor's security posture, it's as simple as searching for your vendor on the UpGuard platform
- Benchmarking vendors against their industry, making it easy to see which vendors are falling behind and represent a significant risk
- Requesting remediation from third-parties or by setting minimum security ratings requirements in contracts
- Automatically rating your vendors' security against 50+ criteria on a daily basis
- Using your security questionnaire library to save your team from having to create questionnaires that map to regulations and industry standards like ISO 27001, CPS 234, NIST Cybersecurity Framework, California Consumer Privacy Act, and the Modern Slavery Act.
How Can Security Ratings Be Used to Monitor Internal Security Performance?
Security ratings can help security and risk leaders to:
- Understand the impact of their investments in cybersecurity controls or technology
- Align investments and actions to those that will mitigate the most critical risks
- Efficiently and dynamically allocate limited resources to the most critical areas
- Facilitate data-driven, risk-based conversations about cybersecurity with key nontechnical stakeholders such as Board members, Vice Presidents, regulators, investors, and key business partners.
- Benchmark internal security performance against industry peers
UpGuard BreachSight is like Vendor Risk but for self-assessment. It has all the monitoring factors of Vendor Risk plus additional components for risk management, brand protection, identity breaches, typosquatting and Data Leaks, a proactive breach detection product that automates the detection of leaks and breaches of your data on the open and dark web by scouring S3 buckets, public GitHub repositories, and unsecured rsync and FTP servers.
Why are Security Ratings Important?
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.
The growing importance of security ratings is largely due to the introduction of general data protection laws like FIPA, CCPA, PIPEDA, the SHIELD Act, LGPD and GDPR, as well as industry-focused mandated vendor risk management programs driven by the introduction of CPS 234, 23 NYCRR 500, FISMA and GLBA.
This is why many organizations have turned to security ratings for assessing themselves and their third-parties.
Traditional methods of third-party assessment are immensely time-consuming. Sending questionnaires to every third party to understand its security posture requires a lot of tracking and, frankly, isn't always accurate.
The truth is that questionnaires are subjective, and both questionnaires and penetration tests are point-in-time assessments that become inaccurate over time as new security issues emerge.
Security ratings complement these traditional risk management methods by providing a continuous, objective and up-to-date assessment of security postures, enabling you to understand what cyber threats your organization faces and how to mitigate them.
Additionally, many security leaders find security ratings invaluable for reporting cybersecurity results to their Board of Directors, C-Suite and even shareholders. Paired with industry benchmarking and competitor ratings, organizations have the context they need to assess their own and their vendors' cybersecurity programs.
What is the History of Security Ratings?
Security ratings stem from credit ratings, except they are an assessment of a company's security risk not credit risk.
To understand the value of security ratings, it helps to have an understanding of where credit ratings came from, so we will start there.
Credit ratings provide investors with information about whether the issuer of a bond, debt instrument or fixed-income security will be able to meet their debt obligations.
They generally take the form of a letter grade that is issued by a credit rating agency who provides independent and objective analysis of a company or country's ability to repay debt.
Credit ratings were born in the wake of the financial crisis of 1837 with the establishment of mercantile credit agencies.
These agencies rated the ability of merchants to pay their debts and consolidated these ratings into published guides. The first such agency was established by Lewis Tappan in 1841 and subsequently acquired by Robert Dun who published a ratings guide in 1859.
However, it wasn't until 1909, and the establishment of John Moody's railroad bonds guide, that credit ratings became widely accessible.
In 1913, Moody expanded into industrial firms and utilities and began using the letter grade system we know today.
In the following years, the antecedents of the "Big Three" credit rating agencies were established: Poor's Publishing Company in 1916, Standard Statistics Company in 1922, and Fitch Publishing Company in 1924.
These agencies, alongside John Moody's, would eventually become Standard & Poor's (S&P), Moody's and Fitch Group.
The goal of these credit rating providers is to remove subjectivity and point-in-time assessment of credit risk by providing an independent, objective and quantitative assessment of credit worthiness that anyone could use.
By most accounts, credit ratings have been a success. Credit scores are the primary measurement of creditworthiness throughout the world.
Security ratings providers have the same goal, just replace credit risk with cybersecurity risk.
How Can I Decide on a Security Ratings Provider?
Not all security ratings providers are equally effective at determining cyber risk. Each has their own data, methodology, network, and service options.
To make a good decision, it's necessary to understand how security ratings work. Four important considerations are data quality, community size, customer experience, and data breach detection knowledge.
As we've discussed, different security ratings providers have access to different data sets. The data points they collect must then be accurately mapped to individual organizations. Additionally, the underlying algorithm that determines the security rating will vary vendor to vendor.
UpGuard processes over 100 billion data points each day, and we're directly responsible for securing over 1.4 billion records.
And you don't have to take our word for it. There is very public evidence of our expertise in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.
With that said, it's not just about the amount of data processed. What is as important is the attribution of that data to unique organizations. Other providers may take in lots of data, but not have the resources, processes or knowledge required to map that data back to specific organizations accurately.
The goal of any security ratings platform is to keep your organization safe and continuously informed about your potential cyber risk. A rating being accurate or high-quality depends on its ability to reflect true cyber risk, e.g. the potential for a successful cyber attack or data breach.
Another important signal for data quality is the length of rating history. To accurately assess the relative cybersecurity performance of an organization and its third-parties, you must be able to look into the past. UpGuard's platform provides the last twelve months of data.
Security ratings benefit from network effects, they become more valuable as more users take advantage of them.
In any security ratings platform, end users can verify the results of their own organization and their vendors, as well as flag potential errors. This means the more users on the platform, the better the data becomes.
For this reason, the size of a security ratings providers' user base is an important factor in determining rating quality. UpGuard is one of the most trusted and popular security ratings providers.
Security ratings providers are able to differentiate by the usability of their software, the methods by which they deliver security ratings, and the quality of their customer service.
While security ratings are data products, they're also SaaS products. The design and user experience of the platform can affect the value your team is able to get out of it. It's important to test out the front end of various platforms before choosing security ratings provider.
UpGuard continuously improves its platform with a dedicated product and design team whose sole goal is to gather customer feedback and act on it.
When deciding on a provider, it's critical to keep in mind their level of knowledge and experience. UpGuard is a longstanding provider with a history of excellent service who is now able to offer much more than just tech support, including a managed service offering where we manage your vendor risk management program for you.
Data Breach and Data Leak Detection Knowledge
What makes UpGuard BreachSight different to other security ratings providers is our unparalleled ability to detect leaked credentials and exposed data before it falls into the wrong hands.
For example, we were able to detect data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day.
This repo contained personal identity documents and system credentials including passwords, AWS key pairs and private keys.
We're able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public GitHub repositories and unsecured rsync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of breach research.
Other providers wait for breaches to end up for sale on the dark web before telling you about them.
The knowledge, techniques and technology used to discover these data leaks is baked into the UpGuard platform.
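To show what the keyword-list search described above does once an exposed file has been found, here is an added illustration written for this page; it is not UpGuard's discovery engine, and the customer keyword list, the `.env` contents, the private-key fixture and the triage rules are all constructed. The one real fact it relies on is the public format of AWS access key IDs (`AKIA` or `ASIA` followed by 16 upper-case alphanumerics); the sample key ID is the placeholder AWS uses in its own documentation, not a live credential.

```python
import re

# Credential material a leak scanner looks for. The AWS access key ID format is public;
# the private-key header is the standard PEM marker.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
}

def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1

def scan_text(text: str, keywords: list, source: str) -> list:
    """Findings for customer keywords and credential patterns present in one document."""
    findings = []
    lowered = text.lower()  # same length as text for ASCII, so offsets line up
    for kw in keywords:
        for m in re.finditer(re.escape(kw.lower()), lowered):
            findings.append({"source": source, "line": _line_of(text, m.start()),
                             "type": "keyword", "match": kw})
    for kind, pattern in CREDENTIAL_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"source": source, "line": _line_of(text, m.start()),
                             "type": kind, "match": m.group(0)})
    return findings

def triage(findings: list) -> str:
    """A credential in a document that also names the customer is the urgent case."""
    kinds = {f["type"] for f in findings}
    credentials = kinds - {"keyword"}
    if credentials and "keyword" in kinds:
        return "critical"
    if credentials:
        return "high"
    return "review" if kinds else "none"

# Constructed samples: a .env file as it might sit in a public repository, and a PEM file.
# The key ID is the AWS documentation placeholder; the PEM body is a truncated placeholder.
SAMPLE_ENV = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=db.acme-corp.internal
"""
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA(truncated placeholder)\n-----END RSA PRIVATE KEY-----\n"
CUSTOMER_KEYWORDS = ["acme-corp", "acmecorp.com"]  # what a customer would register

if __name__ == "__main__":
    hits = scan_text(SAMPLE_ENV, CUSTOMER_KEYWORDS, "github:example-org/app/.env")
    print(triage(hits), hits)
```

On the sample `.env` the scanner returns two findings, the customer keyword on line 3 and the access key ID on line 1, and triage marks the document critical because both a credential and a customer identifier appear together; the bare PEM file is high, since it is a credential but nothing ties it to a particular customer. In a real pipeline the next step is the one the text describes: verify the exposure and notify the owner before the material circulates further.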
What Else Do I Need to Know About Security Ratings?
Security ratings are relatively new and carry their own risks. As noted in the U.S. Chamber of Commerce's Principles for Fair and Accurate Security Ratings, ratings rely on data drawn from a dynamic environment with many sources.
This is why UpGuard adheres to the Principles for Fair and Accurate Security Ratings:
- Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization who wants to understand their security posture, which is why you can request your free security rating here and you can book a free trial of our platform here.
- Dispute, Correction and Appeal: UpGuard is committed to working with customers, vendors and any organization who believes their score is not accurate or outdated.
- Accuracy and Validation: UpGuard's security ratings are empirical, data-driven and based on independently verifiable and accessible information.
- Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
- Independence: No commercial agreement or lack thereof, gives an organization the ability to improve their security rating without improving their security posture.
- Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected, and we do not provide third parties with sensitive or confidential information on rated organizations that could lead to system compromise.
The UpGuard Security Ratings Platform
UpGuard's proprietary security rating feature adheres to the Principles for Fair and Accurate Security Ratings to offer an accurate quantitative measure of vendor cyber risk, allowing you to secure your vendor onboarding processes.
By also projecting security rating improvements for specific remediation tasks, UpGuard extends vendor risk management efficiency beyond the onboarding phase and throughout the entire vendor relationship lifecycle.