SecurityScorecard provides a vendor risk management framework that lets your staff view and investigate the cybersecurity posture of a portfolio of companies. Within a portfolio, you assess a company's risk by setting the level of business impact it has on your organization and by reviewing its rating.
SecurityScorecard rates hundreds of thousands of companies, and each is available to users in their SecurityScorecard dashboard. Companies that subscribe to the platform license access to view one or more scorecards as needed. For example, an organization might license access to 50 partner companies for several staff members, including risk management executives, one or more risk managers, and one or more information security technicians.
You can also segment companies into one or more portfolios to manage groups of vendors that align with a specific project or role. For example, a vendor risk manager might keep three portfolios: one for vendors currently under contract, one for vendors in contract negotiations, and one for other vendors of interest, such as competitors or related companies.
Create a new portfolio
- To create a new portfolio, go to Companies > Portfolios and select Create portfolio.
- Enter a name and, optionally, a description.
- Select the Portfolio type. SecurityScorecard provides three types of portfolios:
  - Public portfolio: visible to all users in your company.
  - Private portfolio: visible only to you.
  - Team portfolio: visible to members of your team.
  By default, each company has one top-level shared portfolio, and each user has one top-level private portfolio. You can add more shared and private portfolios depending on your company's subscription license.
- Select Save.
Add companies to a portfolio
To add a company, open your portfolio and select Add Company.
Add a single company to a portfolio
To find a company, start typing its name, then select the company when it appears in the list.
Each unique company you add to one or more portfolios consumes one SecurityScorecard vendor license.
Add companies in bulk to a portfolio
To add multiple companies at once, select Upload a .csv. Here, you can download the sample .csv file and use it as a template for the companies you want to upload.
The Bulk Upload function accepts .csv files downloaded from portfolios, as well as any .csv file that identifies companies in a column titled "url", "urls", "domain", or "domains". If the file contains none of these column headers, SecurityScorecard looks for domains in the first column.
If you select multiple portfolios, SecurityScorecard adds the uploaded companies to all of them. The upload ignores any company that already exists in a selected portfolio, so duplicates are not added.
Each unique company you add to one or more portfolios consumes one SecurityScorecard vendor license.
Note: SecurityScorecard cannot calculate provisional scores for companies added in bulk. Scorecards become available once full scoring is complete.
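The column-detection and duplicate-skipping rules above are easy to get wrong when preparing a large vendor list, so the following is an added dry-run helper, written for this page and not code from SecurityScorecard. It applies the documented rules (use a column titled url/urls/domain/domains, otherwise fall back to the first column; skip companies already in a selected portfolio) to a constructed .csv and a constructed set of portfolios, and also lists which domains would consume a new vendor license. Case-insensitive header matching, reducing full URLs to their hostname, the plausibility check used to skip an unrecognised header row, and treating the license pool as account-wide are this example's assumptions, not documented platform behaviour.

```python
import csv
import io
from urllib.parse import urlsplit

# Column headers the bulk upload recognises, per the page. Case-insensitive
# matching and the URL-to-hostname normalisation below are this example's
# assumptions, not documented platform behaviour.
DOMAIN_HEADERS = ("url", "urls", "domain", "domains")


def domain_column(header):
    """Index of the recognised domain column, or None if the file has none."""
    normalized = [h.strip().lower() for h in header]
    for name in DOMAIN_HEADERS:
        if name in normalized:
            return normalized.index(name)
    return None


def normalize(value):
    """Lower-case a cell and reduce a full URL to its hostname (assumption)."""
    v = value.strip().lower()
    if "://" in v:
        v = urlsplit(v).hostname or ""
    return v.rstrip(".")


def looks_like_domain(value):
    """Cheap plausibility check used only for the first-column fallback."""
    return bool(value) and "." in value and " " not in value and "/" not in value


def extract_domains(csv_text):
    """Return the unique domains in a .csv, in file order.

    Recognised header -> take that column and skip the header row.
    No recognised header -> take the first column of every row (page rule),
    dropping cells that do not look like a domain (assumption: this is how
    an unrecognised header row such as "Company" gets skipped).
    """
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if any(c.strip() for c in r)]
    if not rows:
        return []
    idx = domain_column(rows[0])
    if idx is None:
        candidates = [normalize(r[0]) for r in rows if r]
    else:
        candidates = [normalize(r[idx]) for r in rows[1:] if len(r) > idx]
    seen, unique = set(), []
    for d in candidates:
        if looks_like_domain(d) and d not in seen:
            seen.add(d)
            unique.append(d)
    return unique


def plan_bulk_upload(csv_text, portfolios, selected):
    """Dry-run the upload against locally known portfolio membership.

    portfolios: {portfolio name: set of domains already in it} for every
                portfolio in the account (assumption: license pool is account-wide).
    selected:   names of the portfolios the upload targets.
    Returns per-portfolio additions (existing members skipped, as the page
    states) and the domains that would consume a new vendor license.
    """
    domains = extract_domains(csv_text)
    additions = {name: [d for d in domains if d not in portfolios[name]] for name in selected}
    licensed = set().union(*portfolios.values()) if portfolios else set()
    new_licenses = [d for d in domains if d not in licensed]
    return {"additions": additions, "new_licenses": new_licenses}


# Constructed sample input: a vendor export with a recognised "Domains" column,
# one full URL, one differently-cased duplicate and a blank trailing row.
SAMPLE_WITH_HEADER = (
    "Vendor Name,Domains,Tier\n"
    "Acme Corp,https://Example.com/,Critical\n"
    "Beta LLC,example.org,Low\n"
    "Acme Corp (dup),example.com,Medium\n"
    ",,\n"
)
# Constructed sample with no recognised header: first column is used.
SAMPLE_NO_HEADER = "Company,Notes\nexample.net,Gamma Inc\nexample.com,Delta\n"
# Constructed portfolio state (hypothetical names and members).
PORTFOLIOS = {"Under contract": {"example.com"}, "Negotiating": set(), "Watchlist": {"example.net"}}

if __name__ == "__main__":
    print(extract_domains(SAMPLE_NO_HEADER))
    print(plan_bulk_upload(SAMPLE_WITH_HEADER, PORTFOLIOS, ["Under contract", "Negotiating"]))
```

Run the dry run before uploading to see exactly which companies will land in each selected portfolio and how many new licenses the file will consume; the platform itself still performs the authoritative de-duplication described above.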
Portfolio table columns
When you view a portfolio, SecurityScorecard displays your companies in a table. The following table explains what each column means.
| Column | Description |
|---|---|
| Company | Shows the scorecard name and scorecard domain. |
| Security Score | The current overall score of the scorecard. |
| 30-Day | The change in the scorecard's overall score over the past 30 days. |
| Breach Susceptibility Indicator | A data-driven predictor that assesses the likelihood of a security breach by evaluating a company's security posture and the size of its digital footprint. BSI is calculated daily and uses a different model than the top-level score, so it may not respond immediately to remediation. For more details, see Understanding the Breach Susceptibility Indicator (BSI). |
| Ransomware Score | A score that reflects an organization's overall statistical likelihood of a ransomware attack. It is based on issue types flagged on the scorecard that were also present in other organizations that experienced ransomware events. |
| Industry | The industry the scorecard belongs to in our database. |
| Business Impact | The impact the vendor has on your business. You assign this value manually, and it ranges from "None" to "Critical". |
| Status | Reflects whether the monitored company has any active users on the SecurityScorecard platform. "Active" means at least one person from that company has a platform account; "Inactive" means the company's user(s) have not logged in for more than 90 days. |
| Contacts | Lets you add one or more users by email. These users populate automatically when you request documents from the Evidence column. |
| Date Added | The date the scorecard was added to the portfolio. |
| Products Used | Shows the products and integrations the company uses, based on Enhanced Illumination data. For more details, see Gain additional vendor insights with Enhanced Illumination. |
| Evidence | Lets you request documents from the company, such as SOC 2 Type 1, SOC 2 Type 2, NIST 800-53, SIG, or other required documents. |
| Public Tags | Tags that are publicly visible on scorecards and that you cannot change, such as listed stock exchanges or Fortune 500 companies. For more details, see Use public tags for business, industry, and other perspectives. |
| Tags | Custom tags you apply to add context to a scorecard. These are visible only to you and to others in your scorecard account. For more details, see Apply and manage tags. |
Remove a company from a portfolio
To remove one or more companies from a portfolio, go to Companies > Portfolios and open the portfolio. In the table, select the checkbox next to each company you want to remove, then select Remove in the toolbar.
Manage subdomains in your portfolio
You cannot add a subdomain or other specific asset to your portfolio on its own. Here is what to know when you want to monitor a subdomain.
- Apex domains only: SecurityScorecard creates scorecards for apex domains, not subdomains. Only scorecards created for an apex domain, or custom scorecards (available for paid accounts), can be added to your portfolio.
- Global and portfolio searches: When you search for a subdomain in global search or portfolio company search, the result is the apex domain's scorecard. This is why Add Company returns the apex scorecard rather than a separate scorecard for the subdomain.
- Custom scorecards for paid subscribers: If you are a paid subscriber, you can create custom scorecards to monitor specific subdomains or assets. Use filters to create the custom scorecard, then add it to your portfolio for monitoring.