SecurityScorecard vs RiskRecon Comparison

Last updated by Abi Tyas Tunggal on May 7, 2020

Chances are you understand the impact of poor risk management, particularly third-party risk management and vendor risk management, on your organization's reputation. 

Technology has increased the speed and scale of commerce and communication, and in turn has increased your organization's exposure to cybersecurity risk, particularly the cyber threats that lead to data breaches and cyber attacks.

Whether you're the CISO, Vice President of Security or an individual contributor, you are likely looking to understand why so many organizations are investing in security ratings tools to help them manage, scale, and automate their vendor risk assessment processes.

Part of the reason is the increasing average cost of a data breach globally, which reached $3.92 million in 2019 according to research by the Ponemon Institute. In the United States this number balloons to $8.19 million, and health care organizations globally have the highest industry cost at just shy of $6.5 million, likely due to the large amounts of personally identifiable information (PII) and protected health information (PHI) they process.

It's safe to say that an investment in a security ratings tool can help your organization save money, protect customer data, and protect your reputation. The best of these tools have robust evidence of their ability to help prevent data breaches and data leaks.

In addition to the reputational and financial impact, there is increasing global regulation that demands the protection of personal information and the public disclosure of security breaches. Examples include GDPR, PIPEDA, FIPA, the SHIELD Act, CCPA, and LGPD. Many of these regulations are extraterritorial and apply to your organization regardless of whether you operate in their jurisdiction.

This means there is no excuse for the mismanagement of your first-party and third-party risk. In many industries, because of increased outsourcing, you will be expected to assess the security performance of vendors who are deeper in your supply chain, i.e. your fourth-party and fifth-party risk.

The issue is risk management often requires the translation of technical details like security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms non-technical stakeholders can comprehend. 

Security ratings (or cybersecurity ratings) are an increasingly popular way to do this, as they provide an instantaneous assessment of cyber risk, much like a credit score does for assessing credit risk. 

The issue for those assessing which security ratings tool to pick is that there are a lot of them (BitSight, SecurityScorecard, RiskRecon, CyberGRX, Panorays, etc.), the methodologies they employ vary greatly, and so do their results.

For example, BitSight, SecurityScorecard, and RiskRecon focus primarily on the assessment of business partners, vendors, and service providers. Read our guides on BitSight Technologies vs SecurityScorecard or RiskRecon vs BitSight to learn more about how these services compare.  

In contrast, UpGuard offers a complete continuous monitoring risk management solution that handles behind-the-firewall risk with UpGuard Core, vendor risk management with UpGuard Vendor Risk, and data leak detection and cybersecurity performance management with UpGuard BreachSight.

In this post, we'll help you understand what to look for in a security ratings solution, so you can make an informed decision about whether to go with SecurityScorecard, RiskRecon or UpGuard. 

But before we dive into the specifics, it's important to understand what security risk ratings are and why they are important.

What are security ratings?

Security ratings, or cybersecurity ratings, are a data-driven, objective, and dynamic measurement of an organization's security posture. They are created by a trusted, independent security rating platform, which makes them valuable as an objective indicator of an organization's cybersecurity performance.

Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk.  

The higher the security rating, the better the organization's security posture.  

Security ratings are used to assess the cybersecurity posture of external organizations such as vendors, investment targets, or insurance applicants, as well as to assess internal risk and improve communication about cybersecurity performance.

According to Gartner, "cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs."

Read our complete guide on security ratings here.  

SecurityScorecard overview

SecurityScorecard is a New York-based company that uses data gleaned from traffic to and from an organization, as well as other publicly accessible data, to build security ratings for evaluating vendors and pricing cyber insurance policies, among other use cases.

The platform also monitors "hacker chatter", social networks, and public data breach feeds for indicators of compromise.

SecurityScorecard's last funding round was a Series D from Nokia Growth Partners, Moody's, AXA Strategic Ventures, Intel, Google Ventures, Boldstart Ventures, Two Sigma Ventures, and Evolution Equity Partners.

The SecurityScorecard UI. Source: securityscorecard.com.

RiskRecon overview

RiskRecon is headquartered in Salt Lake City, UT, with a presence in Boston, MA and representatives around the world. RiskRecon was founded in 2015 by Kelly White to make it easy to gain deep, risk-contextualized insight into the cybersecurity risk performance of all third parties by continuously monitoring across 11 security domains and 41 security criteria.

Like SecurityScorecard, it can be used for third-party risk management, enterprise risk management, and mergers & acquisitions. RiskRecon is now owned by Mastercard and, prior to its acquisition, received investment from Accel, Dell Technologies Capital, General Catalyst and F-Prime Capital.

The RiskRecon UI. Source: riskrecon.com.

UpGuard overview

UpGuard was founded in 2012 in Sydney, Australia by technologists from Australia's largest banks. Using their first-hand experience, they built a platform to fill an important need in the nascent DevOps market, reducing the risk of incidents through proactive documentation and configuration management.  

With proprietary, patented data visualization and risk analysis algorithms, UpGuard gave Operations and Security teams the ability to discover and understand their risk exposure within the data center and cloud to reduce cybersecurity risk. 

We then took this expertise and applied it to the assessment of external security postures, allowing you to instantly assess an organization's external security posture. UpGuard is headquartered in Mountain View, California, with offices in Sydney, Hobart, Auckland, Mexico City, Madrid, Denver, Portland, and Atlanta.

Our data breach and security research has been featured in the New York Times, Bloomberg, the Washington Post, Forbes, and TechCrunch.

The UpGuard UI.

SecurityScorecard vs. RiskRecon vs. UpGuard

Learn about how SecurityScorecard, RiskRecon, and UpGuard stack up with our unbiased assessment of capabilities, usability, community support, release rate, API and extensibility, third-party integrations, customers, predictive capabilities, and security ratings. 

1. Capabilities

All three solutions provide security ratings, aggregated summaries of risk for immediate comparison, and their own standardized, proprietary scoring methodology.

  • SecurityScorecard: A letter grade from A to F, like a report card.
  • RiskRecon: Distills its assessment criteria into a simple score from 0 to 10.
  • UpGuard: Provides a score between 0 and 950 along with a letter grade: A: 801-950, B: 601-800, C: 401-600, D: 201-400, F: 0-200. You can request your free security rating by clicking here.

Security rating calculation methodology

Each service has a different security rating calculation methodology. Some rely mainly on IP reputation, which tries to attribute observed malware traffic to an organization based on the IP addresses it owns; others scan for misconfigurations, which means looking at an organization's actual Internet footprint and using it to determine the attack vectors and vulnerabilities that can lead to data breaches. Read our guide on why IP attribution isn't a good solution here.

  • SecurityScorecard: Primarily IP reputation, with some misconfiguration assessment.
  • RiskRecon: Assesses an organization against 11 security domains and 41 security criteria.
  • UpGuard: Runs hundreds of individual checks, including email security and email spoofing risk (SPF, DKIM, and DMARC); website security (SSL/TLS, HSTS, header exposure); phishing and malware risk; explicit checks for 200 services across thousands of ports (mail, application, user authentication, file sharing, voice, administration, database, unidentified, and open ports); domain hijacking risk (DNSSEC and domain registry issues); reputational risk (CEO rating and employee rating); credential management (exposure in known data breaches and in data leaks detected by our data leak detection engine); and the results of intelligent security questionnaires.
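The email spoofing and website security checks listed above (SPF, DMARC, HSTS, header exposure) are a good illustration of what a misconfiguration-based rating actually looks at, because every input is public. The following Python script is an added example written for this comparison; it is not code from UpGuard, SecurityScorecard or RiskRecon and does not reproduce any vendor's methodology. It evaluates a domain's TXT records and HTTPS response headers and turns the findings into a 0-950 score. The DNS records and headers are constructed for two fictitious domains so it runs offline, the severity weights are hypothetical, and only the letter-grade bands (A: 801-950 and so on) come from the text above. A production check would also resolve SPF `include:` chains recursively and fetch DKIM selectors, which this example does not.

```python
# Added example (not vendor code): external posture checks for email spoofing
# (SPF, DMARC), HSTS and version-disclosing headers, with a hypothetical score.
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    severity: str  # "high", "medium" or "low"
    detail: str


# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records):
    """Evaluate the SPF record(s) found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("spf", "high", "no SPF record: any host may send mail as this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(Finding("spf", "high", "multiple SPF records: receivers return permerror"))
    terms = [t.lower() for t in spf[0].split()[1:]]
    # The qualifier on 'all' decides the verdict for every sender not matched earlier.
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("spf", "medium", "no 'all' mechanism: unmatched senders are neutral"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("spf", "high", "'+all' authorises every host on the internet"))
        elif qualifier == "?":
            findings.append(Finding("spf", "medium", "'?all' is neutral: spoofed mail neither passes nor fails"))
        elif qualifier == "~":
            findings.append(Finding("spf", "low", "'~all' softfail: needs DMARC to become actionable"))
    # Count lookup-causing mechanisms in this record only (does not recurse into includes).
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0] in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(Finding("spf", "high", f"{lookups} lookup mechanisms exceed the limit of 10"))
    return findings


def check_dmarc(txt_records):
    """Evaluate the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("dmarc", "high", "no DMARC record: receivers are never told to reject spoofed mail")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append(Finding("dmarc", "medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("dmarc", "low", "p=quarantine sends spoofed mail to spam instead of rejecting it"))
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(Finding("dmarc", "low", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("dmarc", "low", "no rua= address: aggregate reports are not collected"))
    return findings


def check_headers(headers):
    """Evaluate response headers from the site's HTTPS landing page (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("hsts", "medium", "no Strict-Transport-Security: first visit can be downgraded"))
    else:
        max_age = 0
        for directive in hsts.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                max_age = int(directive.split("=", 1)[1] or 0)
        if max_age < 31536000:
            findings.append(Finding("hsts", "low", f"HSTS max-age={max_age} is under one year"))
    # "Header exposure": banners that disclose a software version.
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(Finding("header-exposure", "low", f"{name} discloses a version: {h[name]}"))
    return findings


# Letter-grade bands as stated in the article; the penalty weights are hypothetical.
GRADE_BANDS = ((801, "A"), (601, "B"), (401, "C"), (201, "D"), (0, "F"))
SEVERITY_PENALTY = {"high": 150, "medium": 75, "low": 25}


def score(findings, top=950):
    """Map a list of findings to a 0-950 score and the article's letter grade."""
    total = max(0, top - sum(SEVERITY_PENALTY[f.severity] for f in findings))
    return total, next(grade for floor, grade in GRADE_BANDS if total >= floor)


def assess(domain_data):
    findings = (check_spf(domain_data["spf"]) + check_dmarc(domain_data["dmarc"])
                + check_headers(domain_data["headers"]))
    return findings, score(findings)


# Constructed sample data for two fictitious domains; these are not real DNS records.
WEAK = {
    "spf": ["v=spf1 include:_spf.mail.example +all", "v=spf1 mx ~all"],
    "dmarc": ["v=DMARC1; p=none"],
    "headers": {"Server": "nginx/1.14.0", "X-Powered-By": "PHP/7.2.1"},
}
HARDENED = {
    "spf": ["v=spf1 include:_spf.mail.example -all"],
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
    "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
                "Server": "nginx"},
}

if __name__ == "__main__":
    for name, data in (("weak", WEAK), ("hardened", HARDENED)):
        findings, (total, grade) = assess(data)
        print(f"{name}: {total}/950, grade {grade}")
        for f in findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

The weak domain fails on the two things that matter most for spoofing: a second SPF record (which makes receivers return a permanent error, so the record protects nothing) and a `+all` default, compounded by `p=none` DMARC, which only reports. Note that none of these findings require the rated organization's cooperation, which is exactly why they suit an outside-in rating and also why they should be re-checked continuously rather than once at onboarding.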

Scope

Each provider operates at a different scale. If your organization employs small specialist vendors, they may not be covered by solutions with a narrow scope. Remember, every vendor that handles sensitive data could potentially expose PII, PHI or business data that could be used for industrial espionage.

  • SecurityScorecard: 1,000,000 companies rated
  • RiskRecon: not publicly stated
  • UpGuard: 2,000,000 organizations, 100 billion data points, and 1.4 billion records scanned daily

                               SecurityScorecard   RiskRecon   UpGuard
Capabilities                        4 / 5            4 / 5      5 / 5

2. Usability and learning curve

User experience, design, and functionality all play a large part in deciding which solution to use, and the easier a solution is to use, the quicker you get your money's worth. All three products are delivered as SaaS with minimal installation needed, and all three use web-based dashboards to help you navigate graphical representations of cyber risk.

  • SecurityScorecard: Simple interface for quick grade reports and charts.
  • RiskRecon: Provides risk prioritization based on your configured policy.
  • UpGuard: High-level summary of risk with the ability to drill down into precise technical details. Risks are automatically prioritized based on extensive research by our in-house security team, and we provide remediation and protection suggestions for every risk. Additionally, we have a library of pre-built questionnaires that can be sent and managed within the UpGuard platform, including pandemic (e.g. COVID-19/coronavirus), ISO 27001, PCI DSS, NIST Cybersecurity Framework, CCPA, and Modern Slavery questionnaires. Read our full guide on the top security questionnaires here.

                               SecurityScorecard   RiskRecon   UpGuard
Usability and learning curve        4 / 5            4 / 5      5 / 5

3. Community support

The more information that is made publicly accessible, the easier it is for customers and prospects to learn about cybersecurity, reduce their cyber risk, and streamline their processes. How much each company has invested in its community speaks to its mission and focus. 

                               SecurityScorecard   RiskRecon   UpGuard
Community support                   3 / 5            3 / 5      5 / 5

4. Release rate

Cybersecurity is in constant flux. New vulnerabilities and exploits are disclosed daily, so the rate at which a company can update its solution to respond to customer requests and new information, and where necessary add new features, is a good indicator of its overall viability.

UpGuard has always adopted DevOps principles internally to develop, test, and release software, ensuring fast, consistent, and safe releases.

                               SecurityScorecard   RiskRecon   UpGuard
Release rate                        3 / 5            3 / 5      4 / 5

5. Pricing and support

As you know, security ratings providers can be expensive with opaque pricing designed to put the power in the hands of the provider rather than you, the customer. 

Vendor risk solutions are typically priced per vendor, per year, with the exception of one-off reports generated for a set price. Because of the large starting prices, many of these solutions price out small and medium enterprises and limit even large companies to monitoring only their most at-risk vendors. All three provide professional services to assist with onboarding, setup, training, and maintenance.

  • SecurityScorecard: Public pricing information is not available. Pricing is reported to start at $16,500 for self-assessment plus 5 vendors, with additional vendors costing $1,500-$2,000 per vendor per year.
  • RiskRecon: Public pricing information is not available. Pricing is reported to start at $10,000 and increase with the number of vendors monitored.
  • UpGuard: UpGuard has a transparent pricing model for UpGuard Vendor Risk and UpGuard BreachSight, which you can view here. We believe it's fairly priced and accessible even for SMEs. Vendor Risk pricing starts at $179 for a one-time report on a vendor or $29 per month per vendor billed annually. UpGuard BreachSight pricing starts at $299 per month billed annually. 

Here's what a few UpGuard customers had to say about their experience with UpGuard. You can read more on Gartner reviews.

  • "UpGuard has given us a view of our vendor security posture. The ability to launch a questionnaire or ask for a plan of remediation for items that show as vulnerable is also a great added value and a time saver. UpGuard is also very customer focused. They respond quickly to issues and to questions and welcome any input that could improve the product. Overall it is one of the best value add tools we have."
  • "The simplicity of the product is fantastic. My team and I were able to be up and running in minutes. We monitor risks on over 25 vendors in near real-time and use these statistics to report to the C suite and Board of Directors. UpGuard has become part of the critical cybersecurity metrics that we monitor and report upon."
  • "The ease of use and simplicity of the product is excellent. We were able to be up and running with 50 vendors within minutes not hours. The reporting is used for monthly statistics and is reported to our Senior Management. UpGuard has become an integral part of our critical cybersecurity metrics that we monitor and report upon."

                               SecurityScorecard   RiskRecon   UpGuard
Pricing and support                 1 / 5            1 / 5      5 / 5

6. API and extensibility

You might want to access the information these tools provide outside of their graphical interface and import it into the tool of your choice. All three solutions offer APIs that can pull data into other enterprise applications.

                               SecurityScorecard   RiskRecon   UpGuard
API and extensibility               4 / 5            4 / 5      4 / 5

7. Third-party integrations

While an API is useful for building custom integrations, not every team has access to the engineering talent needed to use it. This is where standard integrations can help you out.

  • SecurityScorecard: Offers integrations with GRC platforms such as RSA Archer.
  • RiskRecon: Offers integrations with GRC platforms such as RSA Archer, Sigma Ratings, Whistic, and more.
  • UpGuard: Integrates with GRC platforms, ticketing systems like ServiceNow, and more.
                               SecurityScorecard   RiskRecon   UpGuard
Third-party integrations            4 / 5            4 / 5      4 / 5

8. Customers

When comparing software, one of the best places to start is with who else is using the product. In this case, all three companies have impressive customer lists.

  • SecurityScorecard: Customers include Symantec, PepsiCo, Two Sigma, and Stony Brook University.
  • RiskRecon: Customers include Informatica, Tufts Health Plan, University of San Francisco, and Sentara.
  • UpGuard: Customers include NASA, the New York Stock Exchange (ICE), Morningstar, Akamai, Bill.com, IAG, and ADP. Read our customer case studies here and our Gartner reviews here.

                               SecurityScorecard   RiskRecon   UpGuard
Customers                           5 / 5            5 / 5      5 / 5

9. Predictive capabilities

At the end of the day, the entire point of investing in one of these tools is to prevent security incidents by surfacing the exposures that lead to them before an attacker does. This makes a tool's ability to predict data breaches and cyber attacks the key consideration.

What differentiates predictive capability is how well the rating methodology identifies the actual attack vectors exposed by an organization, rather than signals only loosely correlated with them.

                               SecurityScorecard   RiskRecon   UpGuard
Predictive capabilities             3 / 5            4 / 5      5 / 5

10. Security rating

Finally, let's take a look at how each company compares when assessed through the UpGuard platform on March 19, 2020.

Although each platform has a good security rating, UpGuard leads by 25 points over SecurityScorecard and 62 points over RiskRecon.

  • SecurityScorecard: 894/950, letter grade A
  • RiskRecon: 857/950, letter grade A
  • UpGuard: 919/950, letter grade A

                               SecurityScorecard   RiskRecon   UpGuard
Security rating                    4.5 / 5           4 / 5      5 / 5

Security ratings are relatively new and carry their own risks. As noted in the U.S. Chamber of Commerce's Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources, so a rating is only as trustworthy as the process behind it.

This is why UpGuard adheres to the Principles for Fair and Accurate Security Ratings:

  • Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization that wants to understand their security posture, which is why you can request your free security rating here and you can book a free trial of our platform here.
  • Dispute, Correction, and Appeal: UpGuard is committed to working with customers, vendors and any organization that believes their score is not accurate or outdated.
  • Accuracy and Validation: UpGuard's security ratings are empirical, data-driven and based on independently verifiable and accessible information.
  • Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
  • Independence: No commercial agreement, or lack of one, gives an organization the ability to improve its security rating without improving its security posture.
  • Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected, and we do not provide third parties with sensitive or confidential information on rated organizations that could lead to system compromise.

Scoreboard and Summary

                               SecurityScorecard   RiskRecon   UpGuard
Capabilities                        4 / 5            4 / 5      5 / 5
Usability and learning curve        4 / 5            4 / 5      5 / 5
Community support                   3 / 5            3 / 5      5 / 5
Release rate                        3 / 5            3 / 5      4 / 5
Pricing and support                 1 / 5            1 / 5      5 / 5
API and extensibility               4 / 5            4 / 5      4 / 5
Third-party integrations            4 / 5            4 / 5      4 / 5
Customers                           5 / 5            5 / 5      5 / 5
Predictive capabilities             3 / 5            4 / 5      5 / 5
Security rating                    4.5 / 5           4 / 5      5 / 5
Total (average of 10)               3.55             3.6        4.7

Conclusion

Deciding which solution best suits your needs will depend on the objectives of your organization, your regulatory requirements, and ultimately your risk appetite. 

We recommend asking for a free trial of each platform you want to assess, so you can use each one before deciding. You can book a free, tailored 7-day trial of UpGuard's platform here.

While IP reputation can sometimes detect malware signals attributed to the IP address space owned by a company, UpGuard's approach looks at each company's Internet footprint and examines the vectors by which data exposure and service outages actually occur, including misconfigurations, a leading cause of successful attacks and one that IP reputation cannot detect.

Additionally, our vendor questionnaire library helps you go beyond security ratings to the assessment of internal security controls that cannot be observed from outside. UpGuard is also the only one of the three to offer an internal cyber risk management solution, Core, allowing organizations to manage first-party risk as well.

UpGuard is an easy-to-use security ratings platform that gives you insight into your own security posture, your vendors' security posture, and how your organization is perceived from the outside, giving you and your business partners a clear understanding of how and where to improve your cybersecurity and information security in order to prevent cyber attacks.

Try UpGuard for free for 7 days by clicking here. Before your 7-day trial begins, we'll provide you and your team with a free, personalized 45-minute onboarding call with one of our cybersecurity experts. They’ll help you get the most out of the UpGuard platform by showing you how to:

  • Continuously monitor your third-party vendors
  • Detect and remediate any leaked credentials and data exposures
  • Instantly assess your external security posture
