SecurityScorecard vs RiskRecon Comparison

All three solutions provide security ratings, aggregated summaries of risk for immediate comparison, and their own standardized, proprietary scoring methodology.

• SecurityScorecard: A rating from A to F, like a report card.
• RiskRecon: RiskRecon distills its assessment criteria into a simple score from 0-10.
• UpGuard: Provides a score between 0 and 950 along with the following letter grades, A: 801-950, B: 601-800, C: 401-600, D: 201-400, F: 0-200. You can request your free security rating by clicking here.

Security rating calculation methodology

Each service has a different security rating calculation methodology. Many rely on IP reputation which tries to attribute malware traffic based on IP addresses, whereas others scan for misconfigurations which means looking at an organization's actual Internet footprint and using that to determine potential attack vectors and vulnerabilities that can lead to data breaches. Read our guide on why IP attribution isn't a good solution here.

• SecurityScorecard: Primarily IP reputation with some misconfiguration assessment.
• RiskRecon: Assesses an organization against 11 security domains and 41 security criteria.
• UpGuard: Runs hundreds of individual checks including email security and email spoofing risks (SPF, DKIM, and DMARC), website security (SSL, HSTS, header exposure), phishing and malware risk, explicit checks for 200 services across thousands of ports (mail, app, user auth, file sharing, voice, administration, database, unidentified, and open ports), domain hijacking risk (DNSSEC and domain registry issues), reputational risks (CEO rating and employee rating), credential management (exposure to known data breaches and data leaks detected by our data leak detection engine) and results of intelligent security questionnaires.

Scope

Each provider has a different level of scale. If your organization employs small specialist vendors they may not be covered by solutions with a narrow scope of focus. Remember, every vendor that handles sensitive data could potentially expose PII, PHI or business data that could be used for industrial espionage.  

• SecurityScorecard: 1,000,000 companies rated
• RiskRecon: unknown
• UpGuard: 2,000,000 organizations, 100 billion data points, and 1.4 billion records scanned daily

User experience, design, and functionality all play a large part in deciding what solution to use. Additionally, the easier a solution is to use the quicker you can get your money's worth. All three products offer their services via a SaaS module with minimal installation needed. Similarly, all three use web-based dashboards to help you navigate graphical representations of cyber risk.

• SecurityScorecard: Simple interface for quick grade reports and charts.
• RiskRecon: Provides risk prioritization based on your configured policy
• UpGuard: High-level summation of risk with the ability to drill down into precise technical details. Risks are automatically prioritized based on extensive research by our in-house security team and we provide remediation and protection suggestions for all risks. Additionally, we have a library of pre-built questionnaires that can be sent and managed with the UpGuard platform including a pandemic (e.g. COVID-19/coronavirus), ISO 27001, PCI DSS, NIST Cybersecurity Framework, CCPA, and Modern Slavery questionnaires. Read our full guide on the top security questionnaires here.

The more information that is made publicly accessible, the easier it is for customers and prospects to learn about cybersecurity, reduce their cyber risk, and streamline their processes. How much each company has invested in its community speaks to its mission and focus.

• SecurityScorecard: Company and product blog.
• RiskRecon: Company and product blog.
• UpGuard: The UpGuard cybersecurity and risk management blog is updated four times a week and our breach research blog has uncovered and secured some of the largest data breaches.

Cybersecurity is in constant flux. New zero-day vulnerabilities and exploits are discovered on a daily basis, so the rate at which a company can update its solution to respond to customer requests, new information, and where necessary, add new features is a good sign of their overall viability.  

UpGuard has always adopted DevOps principles internally to develop, test, and release software, ensuring fast, consistent, and safe releases.

As you know, security ratings providers can be expensive with opaque pricing designed to put the power in the hands of the provider rather than you, the customer.

Their vendor risk solutions are typically priced per vendor, per year with the exception of one-off reports generated for a set price. Due to the large starting prices, many of these solutions price out small and medium enterprises, while relegating even large companies to only their most at-risk vendors. All three provide professional services to assist with onboarding, setup, training, and maintenance.

• SecurityScorecard: Public pricing information is not available. Pricing is reported to start at $16,500 for self-assessment plus 5 vendors, additional vendors cost $1,500-$2,000 per vendor per year
• RiskRecon: Public pricing information is not available. Pricing is reported to start at $10,000 and increases based on the number of vendors monitored.
• UpGuard: UpGuard has a transparent pricing model which you can view here. UpGuard pricing starts at $5k/year and scales with your company. If you have any questions, please let us know via sales@upguard.com and we will follow up.

Here's what a few UpGuard customers had to say about their experience with UpGuard. You can read more on Gartner reviews.

• "UpGuard has given us a view of our vendor security posture. The ability to launch a questionnaire or ask for a plan of remediation for items that show as vulnerable is also a great added value and a time saver. UpGuard is also very customer focused. They respond quickly to issues and to questions and welcome any input that could improve the product. Overall it is one of the best value add tools we have."
• "The simplicity of the product is fantastic. My team and I were able to be up and running in minutes. We monitor risks on over 25 vendors in near real-time and use these statistics to report to the C suite and Board of Directors. Upguard has become part of the critical cybersecurity metrics that we monitor and report upon."
• "The ease of use and simplicity of the product is excellent. We were able to be up and running with 50 vendors within minutes not hours. The reporting is used for monthly statistics and is reported to our Senior Management. Upguard has become an integral part of our critical cybersecurity metrics that we monitor and report upon."

You might want to access the information these tools provide outside of their graphical interface and import it into the tool of your choice. All three solutions offer standard APIs that can pull data into different enterprise applications.

While an APNI is useful for building custom integrations, not every team has access to the engineering talent needed to use them. This is where standard integrations can help you out.  

• SecurityScorecard: Offers integrations with GRC platforms such as RSA Archer.
• RiskRecon: Offers integrations with GRC platforms such as RSA Archer, Sigma Ratings, Whistic, and more.
• UpGuard: Integrates with GRC platforms, ticketing systems like ServiceNow, and more.

When comparing software, one of the best places to start is with who else is using the product. In this case, all three companies have impressive customer lists.

• SecurityScorecard: Customers include Symantec, Pepsico, Two Sigma, and Stony Brook University
• RiskRecon: Customers include Informatica, Tufts Health Plan, University of San Francisco, and Sentara.
• UpGuard: Customers include NASA, the New York Stock Exchange (ICE), Morningstar, Akamai, Bill.com, IAG, and ADP. Read our customer case studies here and our Gartner reviews here.

At the end of the day, the entire point of investing in one of these tools is to stop security incidents from occurring in the first place. This makes a tool's ability to predict data breaches and cyber attacks the key consideration.

What differentiates predictive capability is how well their security rating methodology can determine attack vectors.

• SecurityScorecard: The IP reputation methodology helps catch active malware installations, but that’s only one possible way a data breach can occur.
• RiskRecon: RiskRecon focuses on third-party security assessment across 11 security domains and 41 security criteria.
• UpGuard: Because UpGuard checks for misconfigurations across the internet footprint, many important breach vectors are covered, including phishing, ransomware susceptibility (like WannaCry), man-in-the-middle attacks, DNSSEC, vulnerabilities, email spoofing, domain hijacking, and DNS issues. The UpGuard methodology continuously refined based on the actual data breaches we have discovered and reported to the world in the New York Times, Bloomberg, Washington Post, Forbes, and Techcrunch.

Finally, let's take a look at how each company compares when assessed through UpGuard platform on July 28, 2020.

Security ratings are relatively new and carry their own risks. As noted by the Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources.

This is why UpGuard adheres to the Principles of Fair and Accurate Security Ratings:

• Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization that wants to understand their security posture, which is why you can request your free security rating here and you can book a free trial of our platform here.
• Dispute, Correction, and Appeal: UpGuard is committed to working with customers, vendors and any organization that believes their score is not accurate or outdated.
• Accuracy and Validation: UpGuard's security ratings are empirical, data-driven and based on independently verifiable and accessible information.
• Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
• Independence: No commercial agreement or lack thereof, gives an organization the ability to improve its security rating without improving their security posture.
• Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. Nor do we provide third-parties with sensitive or confidential information on rated organizations that could lead to system compromise.