In a world where cyber risk is constantly increasing, companies are using cyberscoring to continually improve their cybersecurity performance by monitoring their digital footprints, identifying external risks and vulnerabilities, and enhancing their security posture.
Accepted widely as a global standard for cybersecurity excellence, cyberscores are typically developed by cybersecurity performance and scoring vendors, or as described in a recent Forrester Wave report, cybersecurity risk ratings vendors. As the Forrester report notes, these scores are highly trusted by regulators, insurance providers, governments, and in business relationships as a valid assessment of how a company manages and improves its cybersecurity risk exposure.
The value of cyberscoring is multi-faceted
There are several reasons why companies use performance and scoring metrics, including these key ones:
- Organizations primarily use cyberscoring to detect cyber risks and vulnerabilities that are externally exposed within their own digital footprint. With intelligence and insights from their vendors, companies can proactively improve their performance by mitigating any identified risks.
- Cyberscoring also helps identify shadow IT, or unidentified devices and systems which have not been detected by a company’s asset management solutions. This is particularly helpful to global multinational organizations with large industrial operations spread across the world.
- Companies can also get insights into the security posture of the organizations they are digitally connected with, such as third-party partners or suppliers, and then choose to work with the ones with the highest ratings.
- Similarly, companies can also share their scores publicly or privately with customers to help build trust in their cybersecurity posture and performance.
- In addition, companies can view the scores of their peers and competitors to benchmark their performance while gaining insights into the vulnerabilities others are experiencing.
- Insurance companies, governments, and regulators can also evaluate the scores of the companies they work with and act accordingly.
What is scored and how scores vary
The cybersecurity performance and scoring vendors each use broadly similar but distinct proprietary methodologies to evaluate a company’s security performance. Here are the primary factors that may be evaluated through the cyberscoring process:
- External exposures of a company’s attack surfaces
- Potential vulnerabilities and risks that arise from that exposure
- Management of internal and third-party risk
The calculation systems of each vendor vary as well. Some use numerical systems, with the higher numbers indicating better performance. Others use letter grading, with A, B, C, or F grades to reflect performance scores.
Because cyberscoring is an ongoing endeavor, scores can fluctuate up or down at any time within a given year due to factors such as new exposures, incidents, or remediations of a recent attack. Companies with mature security postures typically address any identified risks and vulnerabilities as soon as possible because they value consistently high cyberscores.
Cyberscoring as a trusted metric of continuous improvement
Schneider Electric has been using cyberscoring performance and scoring tools since 2018. By closely monitoring and assessing our security posture with the intelligence from these scoring tools, we continuously improve our posture and build greater cybersecurity maturity. Multiple cyber initiatives on exposure management and proactive risk mitigation have been designed and refined based on the findings received from these scoring tools.
Besides giving us greater visibility into our own digital footprint and infrastructure, cyberscoring also provides us with visibility into the infrastructures of organizations that are part of our ecosystem of non-integrated companies.
To highlight the value we put on cyberscoring, we have designated cybersecurity performance as one of our 25 Schneider Sustainability Essentials (SSEs), which are the internal tools we use to measure continuous improvement. This particular SSE focuses on our commitment to be in the top 25% in external ratings of cybersecurity performance. As noted in our most recent annual report, Schneider Electric averaged an advanced score of 800 out of 820 with BitSight in 2023.
Sharing cyberscoring transparency and elevating its importance
Perhaps more importantly, cyberscoring also provides us with an opportunity to build greater trust with our customers and other stakeholders, which is key to our organization, as noted in our Trust Charter.
To learn more about our cybersecurity efforts, you can access and review:
- Schneider Electric’s cybersecurity and data protection posture
- Cybersecurity by Schneider Electric on LinkedIn