In this white paper, we explore why security ratings do not predict breaches, do not help people make valuable business decisions, and do not make anyone safer. This piece explores the limitations of risk scores, including:
- High rate of false positives/misattribution: Such as when an IP range or domain name is assigned to an entity but has not been used by them in years.
- Incomplete data: Poor visibility into cloud environments, where dynamic hosting makes assets difficult to find, and multi-tenancy makes assets hard to attribute.
- Low data refresh rates: By the time you read them, security ratings are already out of date.
And looks at potential paths forward other than risk scores to help organizations improve their cybersecurity posture and drive meaningful operational outcomes.