You receive a security rating of 62 out of 100 for a critical vendor. Is that acceptable? Should you deepen the assessment, reduce the vendor's access, or invest in compensating controls?
The number alone does not answer those questions. That gap is the problem.
Scores scale communication. They do not, by themselves, scale judgement about what to do in your environment, with your controls, and against your real options.
Why scoring became standard, and where it breaks
A decade ago, manual review could not keep up with vendor volume. Platforms promised comparability and repeatable models. Abstraction was the price. To place a payment processor and a facilities contractor on one scale, a model has to strip out what differs between them: data access, business touchpoints, available alternatives, and contractual leverage.
Those removed details often determine whether a gap is urgent or tolerable. The same vulnerability class can be existential in one integration and irrelevant in another.
What scores tend to measure, and what they omit
- Often measures: visible posture signals such as disclosures, configuration hints, patch posture, and certifications.
- Often omits: whether findings are material to your use case, reachable attack paths in your architecture, incident behaviour and transparency, your ability to switch or mitigate, and business impact if the vendor fails.
Why context beats a single number
Good decisions are built on what a vendor looks like in your environment: your controls, your business model, your regulatory position, and your options if they degrade.
Start with dependency, layer in controls and contracts you already have, then set thresholds that are yours, not universal. The acceptable bar for a sole-source identity provider should differ from a replaceable utility tool.
A practical alternative: decisions, not endpoints
- Tier by dependency and replaceability, not alphabetically or by score alone.
- Assess against your threat model: exfiltration, disruption, supply-chain integrity, compliance, as relevant to what the vendor does for you.
- Require specific findings, not only summaries: which issues, what evidence, what vendor response.
- Include contractual levers in the picture: notification, audit rights, SLAs, and remediation expectations.
- Monitor at a cadence that matches tier: deeper for tier one, lighter where impact is low.
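The tiering, per-tier thresholds and decision flow described above (and the "start with dependency, then layer in controls and contracts" sequence earlier) can be made concrete as a small decision model. The block below is an added example, not code from the original page or from any vendor platform; the tier rules, score floors, lever names, cadences and the two sample vendors are constructed assumptions chosen to show the page's own case, a score of 62 that is acceptable for a replaceable tool and not for a sole-source identity provider.

```python
"""Context-first vendor decisions: the score is a screen, not the verdict.

Illustrative model (added example). Thresholds, tier rules and the lever
names are assumptions; replace them with values from your own programme.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    ONE = 1    # sole-source or regulated data: deep, frequent assessment
    TWO = 2    # hard to replace, or handles internal data
    THREE = 3  # replaceable utility with low impact if it fails


class Decision(Enum):
    APPROVE = "approve"
    MONITOR = "monitor"
    RESTRICT = "restrict access"
    DEEPEN = "deepen assessment"
    RENEGOTIATE = "renegotiate contract"


@dataclass(frozen=True)
class VendorContext:
    name: str
    external_score: int               # 0-100 platform rating, used only as a screen
    score_trend: int                  # change since last period; negative is worsening
    data_sensitivity: str             # "regulated" | "internal" | "public"
    sole_source: bool                 # no practical alternative today
    switch_time_days: int             # realistic time to move off the vendor
    contract_levers: frozenset[str]   # e.g. "breach-notification-72h", "audit-right"
    material_findings: tuple[str, ...] = ()  # findings reachable in *our* integration


def tier(v: VendorContext) -> Tier:
    """Tier by dependency and replaceability, never by the score."""
    if v.sole_source or v.data_sensitivity == "regulated":
        return Tier.ONE
    if v.switch_time_days > 30 or v.data_sensitivity == "internal":
        return Tier.TWO
    return Tier.THREE


# Thresholds are ours and set per tier (assumed values): 62 clears tier three,
# not tier one. A sharp drop in one period is a trigger on its own.
SCORE_FLOOR = {Tier.ONE: 80, Tier.TWO: 65, Tier.THREE: 50}
WORSENING = -10
REQUIRED_LEVERS = {
    Tier.ONE: frozenset({"breach-notification-72h", "audit-right", "remediation-sla"}),
    Tier.TWO: frozenset({"breach-notification-72h"}),
    Tier.THREE: frozenset(),
}
CADENCE_DAYS = {Tier.ONE: 30, Tier.TWO: 90, Tier.THREE: 365}


def decide(v: VendorContext) -> tuple[Decision, Tier, list[str]]:
    """Combine context and score into one decision plus the reasons for it."""
    t = tier(v)
    reasons: list[str] = []

    # Material findings that are reachable in our architecture dominate;
    # a good score never argues them away.
    if v.material_findings:
        reasons.append(f"{len(v.material_findings)} material finding(s) reachable in our integration")
        return Decision.RESTRICT, t, reasons

    # Contractual levers required for this tier are fixed before anything else.
    missing = REQUIRED_LEVERS[t] - v.contract_levers
    if missing:
        reasons.append("missing contract levers: " + ", ".join(sorted(missing)))
        return Decision.RENEGOTIATE, t, reasons

    # Only now does the score matter, and only as a screen and a trend input.
    if v.external_score < SCORE_FLOOR[t] or v.score_trend <= WORSENING:
        reasons.append(f"score {v.external_score} vs tier floor {SCORE_FLOOR[t]}, trend {v.score_trend:+d}")
        return (Decision.MONITOR if t is Tier.THREE else Decision.DEEPEN), t, reasons

    reasons.append(f"review every {CADENCE_DAYS[t]} days")
    return Decision.APPROVE, t, reasons


# Constructed sample vendors: the same score of 62 in two different contexts.
ALL_LEVERS = frozenset({"breach-notification-72h", "audit-right", "remediation-sla"})
IDP = VendorContext("sole-source identity provider", 62, -3, "regulated", True, 180, ALL_LEVERS)
UTILITY = VendorContext("replaceable diagramming tool", 62, -3, "public", False, 7, frozenset())

if __name__ == "__main__":
    for vendor in (IDP, UTILITY):
        decision, t, why = decide(vendor)
        print(f"{vendor.name}: tier {t.value}, {decision.value} ({'; '.join(why)})")
```

Run as a script it prints "deepen assessment" for the identity provider and "approve" for the diagramming tool, both at score 62. The ordering inside `decide` is the design choice worth copying: reachable findings first, then contract levers, and only then the score, so the number can never promote a vendor past a gap your own context has already exposed.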
Our position
The job of assessment is to produce decisions that reduce real exposure, not to maximise the number of assessments completed. Visibility without prioritised action adds busywork without reducing harm.
Treat scores as a screen and a trend input, not the destination. Build the next steps that answer what you should do Monday morning.
Monday-morning starting points
- Inventory the decisions you actually need: approve, restrict, monitor, phase out, renegotiate. List the evidence each decision requires.
- Re-tier the top 15–20 vendors by access and criticality; concentrate assessment effort there.
- Map contract terms against tolerance: notification, audit, inspection, and incident SLAs.
- Triage findings against your use case and paths, not a universal scale.
- Document one repeatable decision process and measure mitigations, not only scores completed.
Related reading: vendor risk management, from scores to decisions, and what generic assessments miss.