by Scott Jack
Content Contributor, E-N Computers
Over 10 years of experience in healthcare IT and tech support.
Microsoft Secure Score has matured as a product and deserves increased attention. Microsoft described an earlier version of it as a “gamified list of security recommendations”—that’s Microsoft’s words, not ours! It’s now a more robust security posture management tool that is worth our time to look at and plan around.
Secure Score is a representation of your security posture and your opportunities to improve it. We like to describe it as a ‘single pane of glass’ that gives you a holistic view of your organization’s security. Secure Score offers insights into the security of your Microsoft 365 tenant, and integrations with other cloud apps are being tested to provide greater security posture insights.
With Secure Score, you get:
- Your overall score
- Historical graph of your score with a change log
- The average score of organizations of comparable size
- Recommended actions
QUICK ANSWER:
What is Microsoft Secure Score?
Microsoft Secure Score is a representation of your security posture and your opportunities to improve it. We recommend that you start with small, easy-to-implement security improvements. Over time, you can set a target score based on your licensing, risk profile, and other factors. Secure Score makes it easier to set goals, plan improvements, and track your progress over time.
How your Secure Score is calculated
Your Secure Score is a representation of what Microsoft calls your “absolute security posture”, with a higher score indicating that you have implemented more of the recommended actions. In other words, your score is not relative to the licenses or features you have; it is based on everything that is possible within Microsoft 365.
Recommended actions work on a point system. Each recommended action has a certain number of points attached. Some actions must be completed in their entirety for you to get the points. Other actions give partial points if they are completed for some devices or users.
Remember that security and usability are always in tension with each other and need to be balanced. Not every recommendation will work for your organization, and that’s OK. Reviewing your score on a regular basis will help you to remain aware of your security posture and opportunities to improve it.
Why is my Secure Score low?
When you first look at your Secure Score, you might not be too pleased. You may wonder why it’s so low or, if you are one of our clients, how we could allow it to be so low.
Our goal is to improve your score in a way that makes sense for your business. Rather than act unilaterally, we want to collaborate with you to make decisions that are right for you. Before implementing a security measure, you need to consider:
- how it will affect usability,
- whether a more expensive license is required, and
- what policies and procedures need to be adjusted and communicated beforehand.
Do I need a perfect Secure Score?
No, you do not need a perfect score. According to Microsoft, “the reality is that most organizations are never going to reach anything near a 100% score.” Instead, you can compare your score to other organizations based on size, industry, license, or region. Then you can decide whether your score is acceptable and what your target score should be.
For example, in August 2024, E-N Computers had a Secure Score of 54%, while Microsoft put similar organizations at 43%. It’s good to know that we’re doing better than other organizations our size, but we don’t want to be complacent.
Meanwhile, one of our most locked down clients has a Secure Score just above 80%. Their security posture is quite good. While they may continue to adjust, there’s no need for them to reach 100%.
How to improve your Secure Score
Security is not a one-time exercise; it requires continual effort. Remember that it takes time to plan, implement, test, and adjust each action to find the right balance for your organization. We encourage a crawl-walk-run approach to get up to speed and gradually improve your score.
Crawl
We schedule a meeting with you to introduce the concept of security posture management and the Secure Score interface. Your IT liaison should be present; we encourage other key stakeholders or decision makers to attend as well. The goal of this meeting is to help you get comfortable with the software, get your commitment to work on improving your security, and find some low-hanging fruit — low complexity, minimal impact changes that improve your score.
What are some examples of these easier-to-implement changes? For Exchange (email and calendars), you can:
- Restrict calendar sharing. Not all calendar details need to be shared outside of your organization. You can limit what can be shared externally (e.g., only availability, not full details).
- Review mailbox delegation. Check whether any mailboxes have a delegate—someone who can access the mailbox and act on its owner’s behalf—and that they only have the permissions you want them to have.
- Disable cached credentials. Cached, or stored, credentials can be used to perform malicious actions with the credentials of an authorized user.
Walk
After the easier changes have been made, it’s time to create a long-term plan. This includes setting a target Secure Score, identifying high-priority actions, and creating a prioritized list of actions. The feasibility of each action must be investigated: we need to understand what prerequisites exist, how the change will affect system usability and business processes, and what steps must be taken, and then set a reasonable timeline for implementation.
As you can imagine, this will take several meetings. We’ll set up a regular meeting cadence and use the time to go through each recommendation and mark its status.
Some of our clients even like to go through these on their own time, in between meetings, and find actions they want to address versus risks they’re willing to accept. We love this! We’d rather you feel empowered to make technology decisions than feel like we must drag you through a gauntlet of security improvements.
Run
This isn’t a one-and-done process, though. A successful security program requires:
- Reviewing actions quarterly
- Keeping leadership informed
- Driving accountability for security throughout the organization with buy-in of leadership
The Secure Score interface
Secure Score has four main tabs: 1) Overview, 2) Recommended actions, 3) History, and 4) Metrics & trends.
Overview
Overview is a dashboard of essential information that includes:
- Your score and a miniature history graph of how your score has changed over time
- Actions to review, listed by status:
  - Regressed: Actions with point regression due to configuration, user, or device changes.
  - To address: You want to work on these actions in the future.
  - Planned: You have definite plans to address these actions.
  - Risk accepted: You have reviewed these actions and decided that the risk of not implementing them is acceptable.
  - Recently added/updated: Microsoft recently added or updated these actions. Review them and update their status according to your needs.
- Comparison of your score versus organizations of a comparable size
- Top recommended actions, including their score impact, status, and category. Clicking one of these will display its full details.
Recommended Actions
The Recommended Actions tab shows a ranked list of possible actions, with the following columns:
- Rank
- Recommended action
- Score impact: how many percentage points will be added to your overall score
- Points achieved: Each recommended action earns points. Some are all-or-nothing while others allow you to earn partial points.
- Status: To address, Planned, Risk accepted, Resolved through third party
- Regressed: Yes/No. If you implement an action and undo it, it will count as regressed.
- Have License: Yes/No. Whether you have the Microsoft 365 license necessary for the action.
- Category: e.g., Device, Apps
- Product: e.g., Defender for Endpoint, Defender for Office
- Last synced: Date when the product last synced with Secure Score. Score updates can take up to 24 hours.
Action details
Click on an action to view and edit details. The details screen shows information including:
- Status
- Action plan: useful for adding notes about roadblocks and planning details
- Tags
- General tab:
  - Description of the action, including user impact
  - Points achieved out of points possible
  - History
  - Category
  - Product
- Implementation tab:
  - Prerequisites, such as licenses needed. Each prerequisite has a green check or red X placed next to it to show whether the requirement is met.
  - Next steps, including links to where configuration changes are made
  - Documentation links
History and Metrics & trends
The History tab and the Metrics & trends tab provide visualizations to help you track your score history and meet goals.
History shows a line graph of your Secure Score over time. Below, an activity log details what changes were made and how each change positively or negatively affected your score. You can filter the list by date range and category.
Metrics & trends shows several graphs and charts to help you understand your score in relation to other data points. It includes trend graphs for regression, risk acceptance, and score comparison, as well as score changes over time.
One useful metric is Your Secure Score Zone. It is a meter with three zones: good, okay, and bad. After you set numerical values for these ranges, the Secure Score zone meter will show your score in relation to them and your projected score based on planned actions.
Score comparison is a line graph that compares your score to others over time. The comparison can be based on seat count, industry, or licensing.
Develop a security plan that’s right for you
Security is intertwined with your policies and procedures, so you must decide what level of security is right for you. When we talk with our clients about security, we find they fall into one of three groups:
- Limited bandwidth: You’re undergoing a lot of change — ownership, staff departures, process changes — and you simply don’t have the capacity to launch a security initiative right now.
- Growing: You recognize the importance of security and are working on getting executive buy-in to make configuration changes, policy adjustments, and enforce accountability. In the meantime, you have enough latitude to implement features with low complexity and lower operational impact.
- Established: Your leadership, staff, and processes are stable and you’re eager to tackle opportunities to improve security while maintaining usability. Executives want to prioritize security.
We mentioned earlier that you can set good, okay, and bad ranges to measure your Secure Score against. What does each range represent?
- Good: Your target score, based on the threats you face, the score of similar organizations, and other factors.
- Okay: This is your minimum bar, based on the highest level of risk you can accept.
- Bad: Anything below Okay.
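To make the scoring mechanics described in this post concrete (all-or-nothing versus partial points, the score impact of each remaining action, regression when a change is undone, and the good/okay/bad zones), here is a small Python model. It is example code added for this article, not Microsoft's scoring implementation or any Secure Score API; the control names, point values, completion counts, and zone thresholds are all constructed sample values, and the two controls marked "(sample)" are not Microsoft control names.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    """One recommended action. All values here are constructed sample data."""
    name: str
    max_points: float      # points the action is worth when fully implemented
    all_or_nothing: bool   # True: no credit until every user/device is covered
    completed: int         # users or devices the action is applied to
    total: int             # users or devices in scope

    def points(self) -> float:
        """Points currently earned: full, partial (pro rata), or none."""
        if self.total <= 0:
            return 0.0
        if self.all_or_nothing:
            return self.max_points if self.completed >= self.total else 0.0
        return self.max_points * self.completed / self.total


def max_score(controls):
    return sum(c.max_points for c in controls)


def current_score(controls):
    return sum(c.points() for c in controls)


def score_percent(controls):
    """Overall score as a percentage of everything possible in the tenant."""
    return round(100.0 * current_score(controls) / max_score(controls), 1)


def score_impact(control, controls):
    """Percentage points the overall score gains if this action is fully implemented."""
    return round(100.0 * (control.max_points - control.points()) / max_score(controls), 1)


def rank_actions(controls):
    """Remaining actions ranked by score impact, highest first, like the Recommended actions tab."""
    remaining = [c for c in controls if c.points() < c.max_points]
    return sorted(((c.name, score_impact(c, controls)) for c in remaining),
                  key=lambda item: item[1], reverse=True)


def regressed(before, after):
    """Names of actions whose points dropped between two snapshots (e.g. a change was undone)."""
    earlier = {c.name: c.points() for c in before}
    return sorted(c.name for c in after if c.points() < earlier.get(c.name, 0.0))


def zone(percent, okay_min, good_min):
    """Good/okay/bad meter: 'okay' is the minimum bar, 'good' is the target."""
    if percent >= good_min:
        return "good"
    if percent >= okay_min:
        return "okay"
    return "bad"


# Constructed sample tenant with 200 users in scope for the per-user actions.
SNAPSHOT_BEFORE = [
    Control("Restrict calendar sharing", 2.0, True, 1, 1),
    Control("Review mailbox delegation", 1.0, True, 0, 1),
    Control("Enforce MFA for users (sample)", 9.0, False, 150, 200),
    Control("Disable cached credentials", 3.0, True, 1, 1),
    Control("Block legacy sign-in (sample)", 8.0, False, 0, 200),
]

# The same tenant later: the calendar sharing restriction was undone, so it regresses.
SNAPSHOT_AFTER = [
    replace(c, completed=0) if c.name == "Restrict calendar sharing" else c
    for c in SNAPSHOT_BEFORE
]

# Constructed zone thresholds: the comparable-organization average as the
# minimum bar, and an agreed target score as the 'good' line.
OKAY_MIN, GOOD_MIN = 43.0, 60.0


if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT_BEFORE), ("after", SNAPSHOT_AFTER)):
        pct = score_percent(snap)
        print(f"{label}: {current_score(snap):.2f}/{max_score(snap):.0f} points "
              f"= {pct}% -> zone {zone(pct, OKAY_MIN, GOOD_MIN)}")
    print("regressed:", regressed(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    for name, impact in rank_actions(SNAPSHOT_AFTER):
        print(f"  +{impact:>5} pts  {name}")
```

Run as a script, it shows the sample tenant sitting in the "okay" zone, dropping into "bad" after the calendar sharing change is undone, and lists the remaining actions ranked by how much each would add. Partial credit is modeled pro rata (150 of 200 users covered earns 75% of the points), which is the behavior the post describes for per-user and per-device actions; the exact weighting Microsoft applies is not something this example reproduces.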
You need a trusted partner as you work through these details, since it can take months to lay the groundwork for some changes so that they are as minimally disruptive as possible. Together, we can set goals and work out a plan that fits your needs. We can help you find actions that will be easier to implement, and then decide what to tackle next. Instead of having a fortress so impenetrable that not even your own people can get in and function, we’ll collaborate with you on finding the right balance of security and usability.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.