Attaining a high or perfect Scorecard score is challenging. So is sustaining it. There is no singular formula for maintaining an excellent score. Organizations have different needs, challenges, risks, and working dynamics.
This article captures some helpful practices, including some that have worked particularly well for one organization.
One continuing success story
A large securities investment firm started with a score hovering in the mid 70s when they first became a SecurityScorecard customer. In a year, they steadily improved to the upper 90s and have stayed there since. Learn about some of the practices their security teams follow to sustain this success.
Always know what you have
The firm has assets all over the world. They set a priority at the outset to catalog this inventory, including a significant number of assets that were deployed for specific purposes and then essentially forgotten. In some cases, the employees, or even business units, who initially owned the assets, were no longer part of the firm. This created a growing "shadow IT" problem.
Using SecurityScorecard's outside-in perspective, they were able to find many potential security liabilities, such as approximately 150 websites that had been created for events that occurred 10 to 15 years ago. Once they knew what they had, they were able to remove assets they did not want or need anymore, which contributed to their score improvement. Keeping inventory current remains a key part of their risk mitigation program.
Define and enforce internal standards
Rather than cultivate a more reactive remediation mentality, the firm focuses on finding root cause and then preventing its recurrence with policies.
For example, if a scan detects that one of their websites does not preload an HTTP Strict Transport Security (HSTS) header, the firm regards this as an internal policy violation. It does not matter if they are hosting the site on premise, or using a content delivery network (CDN). The stakeholder who owns security for that asset must then correct the policy within a certain period of time or file an exception.
Automate key parts of your workflow
Transitioning from a manual remediation approach to a heavily automated one was, and remains, key to the firm's continuing success. Their automation pulls issue findings through an API integrated with SecurityScorecard and other sources, stores and analyzes the data in Snowflake, and feeds it into an internally developed vulnerability remediation tool.
Remediation tasks are then automatically assigned to stakeholders, who also receive reminders at regular intervals to complete them. This flow ensures predicability and repeatability. The automation also makes the process more efficient. A function that maps internal applications to URLs or IP addresses implicated in findings speeds up asset identification and helps prevent duplication of findings.
Assess the full context of a finding
The firm does not consider the assigned severity weight of an issue alone in response to a finding. For example, a medium-severity finding may warrant more immediate attention because of the sensitivity of the asset or the fact that it is externally facing. The most important consideration is that the visibility of the issue in their Scorecard can potentially affect clients' perception of the firm.
Watch for new issue types
The firm keeps track of SecurityScorecard's scoring updates. Any change to the scoring algorithm can affect an overall score. Also, being aware of new issue types keeps the firm in a proactive stance.
Watch industry trends
The firm's directive is simply to be the best among its peers and competitors, and this applies to cybersecurity. Favorable comparisons against other Scorecards have helped them sign up new clients. Cybersecurity has always been a business cost, but it can now help drive monetary gains. This incentivizes the firm to achieve and maintain the highest security posture.
Best practices for using the platform
Using the SecurityScorecard platform does not guarantee that you will maintain a perfect score, but following some best practices will increase the likelihood:
- Use SecurityScorecard's Score Planner to target specific score-impacting issues for remediation to improve your score or maintain an excellent score.
- Set up alerts and rules that are triggered by score changes to speed your team's responses to these events.
- Stay engaged with resolving issues that have lower scoring impact, especially if they are discovered on sensitive assets.
- Watch for third-party signals. Although they are informational and do not impact your score, they could be indicative of bigger problems. For example, a partner signal may tell you that exposed confidential documents or credentials related to your organization have been found on the internet.
- Keep your Digital Footprint valid and up to date.
- Socialize an awareness of the SecurityScorecard platform throughout your organization, especially for anyone who makes decisions about vendor risk. Make the use of the platform instinctive.
- Encourage staff to build portfolios and embrace third-party risk management as a vector for supply chain risk.
- Encourage staff to make private portfolios for their personal interests, such as a university, bank, or retail chain. This helps them understand that any web-based interaction, whether related to company business or not, can introduce risk.
- Cultivate a collective sense of ownership and pride over your Scorecard score. Your Chief Information Security Officer should not feel solely responsible for maintaining good security hygiene.
- Expand a security mindset in your organization beyond the engineering team, so that legal, marketing, sales, human resources, and all other teams are just as vigilant.
See our scoring methodology to help you understand how your decisions may impact your score on a continuing basis.