What is a Good Cybersecurity Rating?

Cybersecurity ratings play an important role in assessing the cyber health of organizations by providing an objective measure of an organization’s cybersecurity posture, helping businesses make informed decisions about partnerships, investments, and more. However, different rating providers have distinct security rating scales and methodologies. Let’s delve into what constitutes a good rating across various platforms and some suggestions if your security rating is low or inaccurate.

A security rating scale is a standardized metric used by cybersecurity rating providers to assess and communicate an organization’s cybersecurity risk posture. The scale typically ranges from numerical values or alphabetic grades, with higher scores or grades indicating better cybersecurity practices and lower risk. The purpose of these scales is to provide a clear, objective, and consistent way to evaluate and compare the cybersecurity health of different entities. 

What is a good BitSight rating?

The BitSight security rating ranges from 250-900, with a higher number indicating better security posture. BitSight evaluates an organization’s security posture by looking at 4 categories: 

  1. Evidence of compromised systems 
  2. Diligence of security practices 
  3. Risky user behavior 
  4. Public disclosures of data breaches 

What is a good SecurityScorecard rating?

SecurityScorecard offers a different measuring scale. Their ratings range from A-F across ten groups of risk factors. These factors include Network Security, DNS Health, Patching Cadence, Endpoint Security, IP Reputation, Application Security, and more. An ‘A’ rating indicates excellent cybersecurity practices, while an ‘F’ suggests significant vulnerabilities. Notably, organizations with an ‘F’ rating have a 7.7x higher likelihood of sustaining a breach compared to those with an ‘A’ rating, as described on their website.

What is a good FortifyData rating?

FortifyData’s security ratings scale is from 300-900 points, with a higher score meaning better security posture. The scoring model adheres to the principles of Fair and Accurate Security Ratings set by the U.S. Chamber of Commerce and leverages the NIST Risk Management Framework (RMF) as its base. 

A score of 750-900 indicates Very Low Risk, meaning that critical cyber risks are unlikely to be present within an organization’s environment. Conversely, a score of 350-525 indicates Critical Risk, meaning that a large number of cybersecurity risks are currently present within the company’s resources and/or that assets have been compromised. Continuous monitoring of your threat landscape is always important to identify any changes that may impact your security rating. 

FortifyData assesses the following risk factors in its cyber security rating calculation: 

  • Critical Infrastructure Issues 
  • Dark Web Exposure 
  • External Network Issues 
  • Internal Network Risk 
  • Web Application Risk 
  • Patching Cadence 
  • Cloud Security Risks 
  • Security Controls 
  • Malware Presence 
  • Historical Data Breaches 
  • Third Party Risk 

What should you do if you have a low security rating?

If your organization receives a low security rating, it’s a call to action. Here are some steps to consider: 

  1. Understand the Factors: What is a security rating? Dive deep into the rating to understand the specific areas of vulnerability. Platforms like FortifyData provide detailed insights into various risk factors. 
  2. Prioritize Remediation: Address the vulnerabilities affecting the most business critical assets first. FortifyData automatically prioritizes risks and vulnerabilities based on the specific context of your organization. 
  3. Collaborate: Engage with your IT and cybersecurity teams to develop a comprehensive action plan. 
  4. Monitor Continuously: Cybersecurity is dynamic. Continuously monitor your organization’s cyber health and make necessary adjustments. 
  5. Seek Expertise: Consider consulting with cybersecurity experts or firms to get a detailed assessment and recommendations. 
  6. Educate & Train: Ensure that your staff is educated about best cybersecurity practices. Regular training can prevent many common cyber threats. 

What should you do if your cybersecurity rating is incorrect?

If your security rating is incorrect due to false positives or misattributions, your rating may fall within an undesired range of the security rating scale. In that case, you need to flag those findings with your security rating provider for an appeal discussion. Solutions like FortifyData allow you to account for compensating security controls and to report any misattributions, so that your security rating can be updated immediately on the next assessment, which can be requested at any time. 

Misattributions are unfortunately common among many security ratings providers, but FortifyData continuously searches and identifies new assets, and validates identified assets, ensuring a more accurate representation of an organization’s security posture. 

A good cybersecurity rating not only boosts an organization’s reputation but also ensures that it is based on accurate and comprehensive data. Understanding the security rating scales of different providers and the factors they consider can help organizations stay ahead in the cybersecurity game. 
