Security Ratings. Why do they matter?

Ankush Johar
Sep 10, 2020

Cybersecurity risk scores or security ratings are either hated or loved by security professionals — with very few on the middle ground — because ratings are objective.

Businesses need to know where they stand in terms of security risk, and a risk score quantifies that. What you can measure, you can manage. Security ratings give you a score for your security posture, both on its own and as a benchmark against your peers.

Does it predict whether you are likely to be breached? It absolutely does!


  • Because if your patching cadence is bad, you are gagging for a breach! Hackers like automation and they are lazy by nature: clever and diligent, but lazy. Imagine you have software installed for which security patches have been released, and your servers are not updated. You are gagging for an attack — because hackers’ bots will find you and then rock your world!
  • You have subdomains that are your ‘unknown unknowns’, i.e., you don’t know they exist, because they were made and then abandoned. Or imagine you protect your key assets like a hawk, but there is some old ‘marketing’ open-source kit left on the same network as your key servers — you are gagging for it!
  • You are not monitoring for lookalike domains being bought left, right and centre, and you choose to do nothing about it. Guess what — your customers and partners will be hit with phishing attacks in your name! Congratulations.

All this and a whole lot more contribute to what hackers see of your attack surface. The question is: is your business monitoring all that?

Hackers see a lot of your assets… Are you watching?

Security Ratings take all this and more into account and give you a score.

Boards need to monitor this score, if nothing else. Are your security dollars ensuring that your attack surface is monitored and secured?

Security personnel sometimes get swayed by vendors into buying the cool and sexy (aka pricey) while not covering the basics, because there is nothing cool or ‘with it’ in covering basics. It doesn’t make money for vendors, because it doesn’t need vendors — so no vendors sell it!

KISS — Keep it Simple S*****d is the bottom line. Security ratings tick that box.

Don’t take my word for it. A few others happen to believe the same:

“By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships” — Gartner Analysts Sam Olyaei, Jeffrey Wheatman and Christopher Ambrose.