New CompTIA ISAO Benefit Gives Cybersecurity Grades—and How to Improve

In early October, the CompTIA ISAO announced a new platform partnership with SecurityScorecard to create the CompTIA ISAO Cyber Risk Rating and made it a member benefit for all  CompTIA ISAO members.

The CompTIA ISAO Cyber Risk Rating, powered by SecurityScorecard, presents an outside-in view of an organization’s cybersecurity posture, aggregating data from 10 risk factors to calculate an A to F letter grade and corresponding score from 1 to 100. Even more, the rating includes detailed analysis of where you can take corrective or preventative actions to improve your score.

The grade is based on SecurityScorecard’s trusted, transparent ratings methodology backed by data collected on millions of global organizations, and includes data on:

• Network Security: checks for high risk or insecure open ports within your network
• DNS Health: measures your registered domains and checks that no malicious events have occurred in your DNS history
• Patching Cadence: monitors how promptly patches are applied to your network
• Endpoint Security: tracks metadata related to operating systems, web browsers and active plug-ins
• IP Reputation: measures malware exposure based on OSINT and third-party threat feeds
• Application Security: monitors known exploitable conditions based on threat intelligence, CVE and Blackhat databases
• Cubit Score: checks a variety of security issues that may be present based on threat intelligence, flagged IP addresses and more
• Hacker Chatter: analyzes underground hacker chatter activity
• Information Leak: looks for compromised credentials being circulated on the dark web and other nefarious channels and finally
• Social Engineering: determines your potential for falling victim to a social engineering attack.

Most importantly, the service provides deep analysis of any discovered vulnerabilities. Following a similar methodology used by cyber analysts in the CompTIA ISAO, the Cyber Risk Rating offers a clear understanding of a risk and what mitigations are available to resolve it. Actionable steps can help improve your organization’s score. You can even devise a customized plan to reach the score you want for your organization.

Are You on the Cybersecurity Honor Roll?

When the CompTIA ISAO Cyber Risk Rating was launched in October, the average score of all organizations initially tracked by the CompTIA ISAO was 81 or a B. Only 19% had an A. Two months later, we are monitoring approximately 150 more organizations, and the average across them has increased to an 82. Even better, 31% of all companies have now earned an A grade. Clearly there is room for even more improvement, but we are seeing steady improvements in members’ scores over time.

Additionally, the CompTIA ISAO is tracking MSP vendors and publishing the MSP Supply Chain Cyber Risk Rating. This rating classifies vendors by technology, i.e., backup vendors, RMM vendors, etc., and shows the average rating for the technology category. This allows CompTIA ISAO members to ask their vendor partners for their Cyber Risk Rating score, compared to the average. While we are not calling out individual vendors, we believe this method of tracking the MSP supply chain will help MSPs have more transparency and confidence in how their vendor partners are addressing their own cybersecurity posture.

Other benefits of the Cyber Risk Rating for CompTIA ISAO members include direct access to the SecurityScorecard customer success team, access to summary and detailed reporting to share with customers, prospects and business partners, and the ability to monitor up to 24 of their own customers—all included in CompTIA ISAO membership. We are really excited about this new partnership and the tools this provides to help members improve, measure and report on their cybersecurity posture, not to mention monitor the health of their supply chain. A true win-win for everyone.

MJ Shoer is Senior Vice President at CompTIA and Executive Director of the CompTIA ISAO.