There are a lot of security ratings providers now, and choosing the right one can be overwhelming. That's why we wrote this post: to make it as easy as possible for you to compare RiskRecon and UpGuard.
Regardless of whether you're a CISO, Vice President of Security or an individual contributor, it's safe to say you understand how important cybersecurity risk management is. Technology has increased the speed, scale, and impact of all aspects of commerce, while also increasing the risk of data leaks, data breaches, malware, and other cyber threats.
Poor cybersecurity can have a huge impact on your bottom line, with the global average cost of a data breach growing 12 percent in the last five years to $3.92 million. If you operate in a heavily regulated industry, such as healthcare or financial services, your average would likely be much higher. For example, healthcare had an average industry cost of $6.45 million.
Even if you don't currently operate in a regulated industry, the introduction of general data protection regulations around the world means the scope of what must be protected is ever-expanding.
Most of these regulations are extraterritorial, which means they apply to your organization if you process any of their constituents' data, regardless of whether you operate in their jurisdiction. Examples include the EU's GDPR, Canada's PIPEDA, Florida's FIPA, New York's SHIELD Act, California's CCPA, and Brazil's LGPD.
And most of these laws also have data breach notification requirements, increasing the reputational damage of successful cyber attacks. This is a big reason why so many organizations have invested in security ratings tools to help them instantly assess security postures to help scale their first and third-party risk management programs. Best-in-class organizations have even begun to manage their fourth-party and fifth-party risk.
One of the most common issues we see is that cyber risk management requires buy-in from all levels of the organization, which requires the translation of technical details like security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms that even non-technical stakeholders can easily understand.
We believe security ratings are the best way to do this without adding any operational overhead to your organization. They provide an instantaneous assessment of cyber risk, much like a credit score does for credit risk.
Gartner agrees with us: "cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs."
As does Forrester: "cyber-risk rating tools show their value right away. They will scan and score your third-party risk environment and identify glaring gaps of key partners as early as your initial meeting."
We wrote the post to solve the main issue many of our prospects face: the increasing number of security ratings providers to pick from including BitSight, SecurityScorecard, RiskRecon, CyberGRX, MetricStream, Prevalent, Normshield, and Panorays.
The issue is that the methodologies employed by these threat intelligence tools vary greatly, as do their results.
For example, BitSight, SecurityScorecard, and RiskRecon focus primarily on the assessment of business partners, vendors, and service providers. If you want to see how these services stack up, read our other comparison posts:
- BitSight vs. SecurityScorecard
- SecurityScorecard vs. RiskRecon
- BitSight vs. RiskRecon
- BitSight vs. UpGuard
In contrast, UpGuard has a complete continuous monitoring risk management solution that handles behind-the-firewall risk with UpGuard Core, vendor risk management with UpGuard Vendor Risk, and data leak detection and cybersecurity performance management with UpGuard BreachSight.
In this post, we'll help you understand what to look for in a security ratings solution, so you can make an informed decision about whether to go with RiskRecon or UpGuard.
But before we dive into the specifics, it's important to understand what security risk ratings are and why they are important.
Table of contents
- What are security ratings
- RiskRecon overview
- UpGuard overview
- RiskRecon vs. UpGuard
- Scoreboard and summary
- Other security ratings platform comparisons
What are security ratings?
Security ratings are a data-driven, objective, and up-to-date measurement of an organization's external security posture. This means the collective security status of all their Internet-facing software, hardware, services, networks, information, vendors, and service providers.
Just as a FICO score aims to provide a quantitative measure of credit risk, security ratings provide a quantitative measure of cyber risk, which can be used and understood by non-technical stakeholders.
The higher the security rating, the better the organization's security posture.
Security ratings are commonly used for assessing the cybersecurity of external organizations like vendors, investment targets, insurance applicants, as well as assessing internal risk, and to improve decision-making and communication around cybersecurity performance management.
- Understanding third-party risk and fourth-party risk (vendor risk) posed by supply chain, third-party vendor, and business partner relationships.
- Cyber insurance underwriting, pricing and risk management by allowing insurers to gain visibility into the security program of those they insure to better assess and price their insurance policies.
- Investment in or acquisition of a company by providing organizations with an independent assessment of an investment or M&A target's information security controls.
- Enabling governments to better understand and manage their own and their vendors' cybersecurity performance, a key component of FISMA compliance.
- Continual assessment of internal cybersecurity posture, providing CISOs with a simple, understandable rating that can be presented to key stakeholders including C-Suite and board members.
- Benchmarking and comparison to industry peers, competitors, sectors, and vendors. This can assist with decision-making and provide context about what security controls or mitigations your organization needs to invest in.
- Providing assurance to customers, insurers, regulators and other stakeholders that your organization cares about preventing security issues like data breaches, malware, phishing, and ransomware.
RiskRecon overview
RiskRecon is headquartered in Salt Lake City, UT with a presence in Boston, MA and representatives around the world. RiskRecon makes it easy to gain deep, risk-contextualized insight into the cybersecurity risk performance of all third parties by continuously monitoring across 11 security domains and 41 security criteria.
Like UpGuard, it can be used for third-party risk management, enterprise risk management, and mergers & acquisitions.
RiskRecon UI. Source: riskrecon.com
UpGuard overview
UpGuard was founded in 2012 in Sydney, Australia by technologists from Australia's largest banks. Using their first-hand experience, they built a platform to fill an important need in the nascent DevOps market, reducing the risk of incidents through proactive documentation and configuration management.
With proprietary, patented data visualization and risk analysis algorithms, UpGuard gave Operations and Security teams the ability to discover and understand their risk exposure within the data center and cloud (e.g. Microsoft Azure, Google Cloud, and Amazon Web Services) to reduce cybersecurity risk.
We then took this expertise and applied it to the assessment of external security postures, allowing you to instantly assess an organization. UpGuard is headquartered in Mountain View, California, with offices in Sydney, Hobart, Auckland, Mexico City, Madrid, Denver, Portland, and Atlanta.
RiskRecon vs. UpGuard
Learn how RiskRecon and UpGuard compare across ten categories: capabilities, usability, community support, release rate, pricing and support, API and extensibility, third-party integrations, customers, predictive capabilities, and security ratings.
1. Capabilities
RiskRecon and UpGuard provide security ratings that aggregate different risks into a single score that allows for immediate and easy comparison of different organizations, vendors, and service providers.
- RiskRecon: RiskRecon distills its assessment criteria into a simple score from 0-10.
- UpGuard: Provides a score between 0 and 950 along with a letter grade: A (801-950), B (601-800), C (401-600), D (201-400), F (0-200). You can request your free security rating by clicking here.
Security rating calculation methodology
The way each security ratings provider derives their score differs to some degree. Some rely on IP address reputation that aims to attribute malware traffic to an organization based on IP address, whereas others rely on scanning for misconfiguration across web applications, network security, and endpoint security. This means looking at an organization's actual Internet footprint and determining how it compares to best practices and what vulnerabilities lead to data breaches. Read our guide on why IP attribution isn't a complete solution here.
With that said, RiskRecon and UpGuard rely on misconfiguration scanning.
- RiskRecon: Assesses an organization against 11 security domains and 41 security criteria
- UpGuard: Runs hundreds of individual checks including email security and email spoofing risks (SPF, DKIM, and DMARC), website security (SSL, HSTS, header exposure), phishing and malware risk, explicit checks for 200 services across thousands of ports (mail, app, user auth, file sharing, voice, administration, database, unidentified, and open ports), domain hijacking risk (DNSSEC and domain registry issues), reputational risks (CEO rating and employee rating), credential management (exposure to known data breaches and data leaks detected by our data leak detection engine) and results of intelligent security questionnaires.
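To make concrete what "misconfiguration scanning" of an organization's email and web footprint looks like, here is an added Python example. It is not UpGuard's or RiskRecon's code and does not use their scoring weights; it evaluates constructed SPF, DMARC and HTTPS response-header data the way a ratings check would, then folds the findings into a 0-950 score using the grade bands given above. The domain names, DNS records, headers and penalty weights are all assumptions made for the example, so it runs offline.

```python
"""Illustrative posture checks of the kind a ratings platform runs over a domain's
public footprint: SPF, DMARC, HSTS and header version exposure.
Added example for this post; not UpGuard's or RiskRecon's code or weights.
Every input below is constructed, so nothing touches the network."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    severity: str   # "high", "medium" or "low"
    detail: str


# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=$|[:/])|mx(?=$|[:/])|ptr(?=$|:)|exists:|redirect=)", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)
ONE_YEAR = 31536000
# Assumed penalty weights for this example only.
PENALTY = {"high": 150, "medium": 75, "low": 25}


def check_spf(txt_records):
    """Findings for the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("spf", "high", "no SPF record published")]
    if len(spf) > 1:
        return [Finding("spf", "high", f"{len(spf)} SPF records published; receivers treat this as permerror")]
    terms = spf[0].split()
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(Finding("spf", "high", "record ends with +all, so any host may send as this domain"))
    elif last == "?all":
        findings.append(Finding("spf", "medium", "record ends with ?all (neutral), which receivers ignore"))
    elif last == "~all":
        findings.append(Finding("spf", "low", "record ends with ~all (softfail); -all is the strict setting"))
    elif not ALL_TERM.match(last) and not last.startswith("redirect="):
        findings.append(Finding("spf", "medium", "no all term, so unlisted senders get a neutral result"))
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(Finding("spf", "high", f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)"))
    return findings


def check_dmarc(dmarc_txt_records):
    """Findings for the TXT records at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [Finding("dmarc", "high", "no DMARC record published; spoofed mail is not policed")]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("dmarc", "medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("dmarc", "low", "p=quarantine; p=reject is the strict setting"))
    elif policy != "reject":
        findings.append(Finding("dmarc", "high", f"missing or invalid policy tag: {policy!r}"))
    if tags.get("pct", "100") != "100":
        findings.append(Finding("dmarc", "low", f"pct={tags['pct']} applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(Finding("dmarc", "low", "no rua address, so aggregate reports are not collected"))
    return findings


def check_headers(headers):
    """Findings for the HTTPS response headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("hsts", "medium", "no Strict-Transport-Security header; first visits can be downgraded"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(Finding("hsts", "low", f"HSTS max-age={age} is below one year"))
    for name in ("server", "x-powered-by"):   # version strings aid attacker fingerprinting
        if name in h and re.search(r"\d", h[name]):
            findings.append(Finding("header-exposure", "low", f"{name} header reveals a version: {h[name]}"))
    return findings


def score(findings):
    """Start at 950, subtract per finding, floor at 0; grade bands follow the post."""
    total = max(0, 950 - sum(PENALTY[f.severity] for f in findings))
    grade = "A" if total >= 801 else "B" if total >= 601 else "C" if total >= 401 else "D" if total >= 201 else "F"
    return total, grade


def assess(footprint):
    """footprint: dict with 'txt', 'dmarc_txt' and 'headers' keys (constructed here)."""
    findings = check_spf(footprint["txt"]) + check_dmarc(footprint["dmarc_txt"]) + check_headers(footprint["headers"])
    total, grade = score(findings)
    return total, grade, findings


# Constructed sample footprints; the domains and records are not real.
STRONG = {
    "txt": ["v=spf1 include:_spf.mail.example -all", "site-verification=abc123"],
    "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains", "Server": "nginx"},
}
WEAK = {
    "txt": ["v=spf1 a mx include:_spf.mail.example ~all"],
    "dmarc_txt": ["v=DMARC1; p=none; pct=50"],
    "headers": {"Server": "Apache/2.4.41", "X-Powered-By": "PHP/7.4.3"},
}

if __name__ == "__main__":
    for name, footprint in (("strong.example", STRONG), ("weak.example", WEAK)):
        total, grade, findings = assess(footprint)
        print(f"{name}: {total}/950 ({grade})")
        for f in findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

The constructed weak footprint scores 675 (a B) from seven findings, the strong one 950 with none. The point a practitioner should take from this is that each check is a pass/fail observation on public data, and the number you see in a ratings dashboard is only as meaningful as the weights a provider chooses, which is why the methodology differences discussed here matter.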
Not every solution provides the same level of coverage. If your organization employs small specialist vendors they may not be covered by a solution. As you know, any vendor that handles sensitive data is a potential risk that should be continuously monitored and accounted for.
- RiskRecon: unknown
- UpGuard: 2,000,000 organizations scanned daily
2. Usability and learning curve
The usability, design, and learning curve of a product can play a large role in deciding which solution is right for you. The faster you and your team can get up to speed, the faster you can get your money's worth. RiskRecon and UpGuard offer their services via SaaS with minimal installation or configuration needed and are easily accessible from a web-based platform that can help you find, assess, and remediate risk.
- RiskRecon: Provides risk prioritization based on your configured policy
- UpGuard: High-level summation of risk with the ability to drill down into precise technical details. Each risk is prioritized based on extensive research conducted by our in-house security team, and where possible remediation and protection suggestions are provided. Additionally, we have a library of pre-built questionnaires that can be sent and managed with the UpGuard platform including a pandemic (e.g. COVID-19), ISO 27001, PCI DSS, NIST Cybersecurity Framework, CCPA, and Modern Slavery questionnaires. Read our full guide on the top security questionnaires here.
| Category | RiskRecon | UpGuard |
|---|---|---|
| Usability and learning curve | 4/5 | 5/5 |
3. Community support
The more a company invests in its community, the easier it is for customers and prospects to get up to speed, reduce their operational overhead, and decide on the right product for them. RiskRecon and UpGuard both have blogs that are useful sources of information for cybersecurity awareness training.
- RiskRecon: Company and product blog.
- UpGuard: The UpGuard cybersecurity and risk management blog is updated four times a week and our breach research blog has uncovered and secured some of the largest data breaches.
4. Release rate
How quickly a security ratings provider can incorporate changes and respond to new threats is a big factor in choosing a solution. Additionally, they should be comfortable with updating, adjusting, and improving their service based on customer requests.
UpGuard has always adopted DevOps principles internally to develop, test, and release software, ensuring fast and consistent releases that have been tested for quality.
5. Pricing and support
Security ratings providers can be expensive, with opaque pricing policies designed to put the power in the hands of the vendor. As vendor risk solutions are typically priced on a per-vendor, per-year basis, the cost can price out many small to medium-sized businesses and force even large companies to monitor only their most at-risk vendors. This isn't a great outcome, as any vendor who processes sensitive data needs to be continuously monitored. Additionally, RiskRecon and UpGuard provide professional services to assist with setup, training, and maintenance.
- RiskRecon: Public pricing information is not available. Pricing is reported to start at $10,000 and increases based on the number of vendors monitored.
- UpGuard: UpGuard has a transparent pricing model for UpGuard Vendor Risk and UpGuard BreachSight, which you can view here. Vendor Risk pricing starts at $179 for a one-time report on a vendor or $29 per month per vendor billed annually. UpGuard BreachSight pricing starts at $299 per month billed annually. If you have any questions, please let us know via firstname.lastname@example.org.
| Category | RiskRecon | UpGuard |
|---|---|---|
| Pricing and support | 1/5 | 5/5 |
6. API and extensibility
While RiskRecon and UpGuard offer security ratings inside their platforms, some customers also want to access the scores outside of their platform to consolidate them in another product. Both companies offer standard APIs to pull data into other enterprise applications.
| Category | RiskRecon | UpGuard |
|---|---|---|
| API and extensibility | 4/5 | 4/5 |
7. Third-party integrations
APIs are useful for technical staff, but not all vendor risk management teams have access to developers. This is why standard third-party integrations are an important part of decision-making.
- RiskRecon: Offers integrations with GRC platforms such as RSA Archer, Sigma Ratings, Whistic, and more.
- UpGuard: Integrates with GRC platforms, ticketing systems like ServiceNow, and more.
8. Customers
The best proof comes from each solution's customers. RiskRecon and UpGuard both have impressive customer lists, neither more distinguished than the other.
- RiskRecon: Customers include Informatica, Tufts Health Plan, University of San Francisco, and Sentara.
- UpGuard: Customers include NASA, the New York Stock Exchange (ICE), Morningstar, Akamai, Bill.com, IAG, and ADP. Read our customer case studies here and our Gartner reviews here.
9. Predictive capabilities
At the end of the day, the entire point of using these threat intelligence tools is to stop security incidents from happening in the first place. This makes the ability of a solution to prevent data breaches and other cyber attacks the main consideration. What differentiates RiskRecon and UpGuard are how well their methodology determines actual attack vectors, as well as their ability to detect data breaches and data leaks before they end up for sale on the dark web.
- RiskRecon: RiskRecon focuses on third-party assessment across 11 security domains and 41 security criteria.
- UpGuard: As UpGuard checks for misconfigurations across your Internet footprint, many important breach vectors are covered, including phishing, ransomware susceptibility (like WannaCry), man-in-the-middle attacks, DNSSEC, vulnerabilities, email spoofing, domain hijacking, and DNS issues. For example, we were able to detect data exposed in a GitHub repository by an Amazon Web Services engineer within 30 minutes. We reported it to AWS and the repo was secured the same day. This repo contained personal identity documents and system credentials including passwords, AWS key pairs, and private keys. We're able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public GitHub repos, and unsecured rsync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of breach research. The UpGuard methodology is continuously refined based on the actual data breaches we have discovered and reported to the world in the New York Times, Bloomberg, Washington Post, Forbes, and TechCrunch.
10. Security rating
Finally, let's take a look at how RiskRecon and UpGuard compare when assessed by UpGuard's platform on March 24, 2020. Although both platforms have a good security rating, UpGuard leads by 59 points.
- RiskRecon: 860/950 or A letter grade
- UpGuard: 919/950 or A letter grade
Scoreboard and summary
| Category | RiskRecon | UpGuard |
|---|---|---|
| Usability and learning curve | 4/5 | 5/5 |
| Pricing and support | 1/5 | 5/5 |
| API and extensibility | 4/5 | 4/5 |
Deciding between RiskRecon and UpGuard is a hard decision. What you choose will depend on the objectives of your organization, your risk appetite, and ultimately your budget.
The best way to decide is to get a trial of each platform so you can make an independent assessment for yourself. You can book a free tailored 7-day trial on UpGuard's platform here.
UpGuard’s cyber resilience strategy looks at each company’s internet footprint and examines all of the vectors by which data exposure and service outage occur, including misconfigurations, a leading cause of successful attacks, and one undetected by IP reputation tactics.
Additionally, our vendor questionnaire library can help you go beyond security ratings and to the assessment of internal security controls that aren't as easily determined. UpGuard is also the only company to offer an internal cyber risk management solution, UpGuard Core, allowing organizations to completely manage primary risk as well.
UpGuard's easy-to-use platform is a complete security ratings platform that gives you insight into your own and your vendors' security posture and shows how your organization's security posture is perceived from the outside. It gives you and your business partners a clear understanding of how and where to improve your cybersecurity and information security to prevent cyber attacks and reduce cybersecurity threats.
Try UpGuard for free for 7 days by clicking here. Before your 7-day trial begins, we'll provide you and your team with a free, personalized 45-minute onboarding call with one of our cybersecurity experts. They’ll help you get the most out of the UpGuard platform by showing you how to:
- Continuously monitor your third-party vendors
- Detect and remediate any leaked credentials and data exposures
- Instantly assess your external security posture
Other security ratings platform comparisons
If you'd like to compare other security ratings software, see our other comparison posts:
- BitSight vs. SecurityScorecard
- SecurityScorecard vs. RiskRecon
- BitSight vs. RiskRecon
- BitSight vs. UpGuard
- CyberGRX vs. UpGuard
- BitSight vs. CyberGRX
- SecurityScorecard vs. CyberGRX
- CyberGRX vs. RiskRecon
- Whistic vs. UpGuard
- BitSight vs. Whistic
- SecurityScorecard vs. Whistic
- CyberGRX vs. Whistic
- RiskRecon vs. Whistic
- BitSight vs. Prevalent
- SecurityScorecard vs. Prevalent
- Prevalent vs. RiskRecon
- Prevalent vs. CyberGRX
- Prevalent vs. Whistic
- Prevalent vs. UpGuard
- NormShield vs. SecurityScorecard
- RiskIQ vs. UpGuard
- RiskIQ vs. BitSight
- RiskIQ vs. SecurityScorecard
- NormShield vs. UpGuard
- NormShield vs. BitSight
- NormShield vs. RiskRecon
- SecurityScorecard vs. UpGuard
- Prevalent vs. NormShield