Security rating services (SRS) like BitSight, SecurityScorecard, and others have become mainstays of modern third-party risk management. They offer rapid, surface-level insights into a supplier’s cybersecurity posture — often via a simple score and traffic light system.
But in 2025, as threats evolve and accountability rises, many organisations are discovering the limits of these tools — especially when used in isolation.
In this article, we break down the main shortcomings of SRS platforms and how you can supplement them for deeper, defensible risk management.
Where Security Rating Services Help
✅ Offer fast external visibility on large vendor estates
✅ Flag basic hygiene issues (e.g. open ports, expired certs)
✅ Track reputational indicators like malware reports or blacklists
✅ Benchmark suppliers against industry averages
✅ Help prioritise risk reviews across hundreds of third parties
SRS tools are a good starting point — but not a final word on risk.
Where They Fall Short
🕳️ Shallow data
Most SRS platforms only scan public-facing assets and IPs. They can’t see access controls, internal vulnerabilities, or endpoint protection.
🕒 Slow updates
Some SRS scores lag behind real-world changes by days or weeks. That’s too slow for zero-day threats or fast-moving breaches.
📦 No understanding of context
An “average” score might apply to a supplier with no access — or to one that handles sensitive customer data.
🔍 Lack of remediation evidence
Even when vendors improve, SRS often can’t verify that fixes are implemented — just that indicators have changed.
⚖️ Compliance misalignment
SRS scores alone do not satisfy standards and regulations such as ISO 27001, the NIST CSF, NIS2, or DORA. Regulators and auditors expect evidence that controls are actually implemented and operating, not just an external score.
Consequences of Over-Reliance
- Vendors with "green" scores have suffered major breaches due to overlooked backend risks
- Auditors challenge the use of rating-only assessments in regulated industries
- Insurers demand more detailed evidence during cyber policy underwriting
- Boards are left exposed when simplistic scores mask critical threats
How to Overcome the Limitations
- Use SRS scores as triage, not diagnosis. Let them guide attention, but always follow up with direct assessment for critical suppliers.
- Scan suppliers independently. Tools like Cyber Tzar offer deeper infrastructure visibility without needing intrusive access.
- Benchmark by context. Factor in what the supplier does, what data they access, and their integration points.
- Track over time. Point-in-time scores mean little without improvement logs, remediation steps, and historical baselining.
- Map to frameworks. Align your TPRM programme with NCSC CAF, ISO 27036, or NIST (e.g. SP 800-161 for supply chain risk) to add credibility and structure.
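To make the "triage, not diagnosis", "benchmark by context" and "track over time" points concrete, here is a small added example of how a TPRM team might re-rank suppliers. It is illustrative code written for this article, not Cyber Tzar's product logic or any SRS vendor's scoring method. The weightings, the 80/60 green/amber thresholds, the supplier names and the score histories are all constructed assumptions. The point it demonstrates is that a "green" supplier with privileged access to regulated data can outrank an "amber" supplier with no access at all, and that a falling score trend is visible only when history is kept.

```python
from dataclasses import dataclass

# Illustrative context weights for what an external rating cannot see.
# These are assumptions for this example, not values from any rating service.
DATA_SENSITIVITY = {"none": 0, "internal": 1, "personal": 2, "regulated": 3}
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "privileged": 3}
MAX_INTEGRATIONS = 5  # cap so one supplier with many APIs does not dominate
MAX_EXPOSURE = 2 * 3 + 2 * 3 + MAX_INTEGRATIONS  # 17 with the weights above


@dataclass
class Supplier:
    name: str
    data: str            # key into DATA_SENSITIVITY
    access: str          # key into ACCESS_LEVEL
    integrations: int    # live integration points (APIs, VPNs, SSO, SFTP)
    score_history: list  # [(period, srs_score 0-100), ...], oldest first


def rating_band(score):
    """Traffic-light band as an SRS dashboard would show it (assumed thresholds)."""
    if score >= 80:
        return "green"
    if score >= 60:
        return "amber"
    return "red"


def exposure(s):
    """0..MAX_EXPOSURE: how much damage this supplier could do if compromised."""
    return (2 * DATA_SENSITIVITY[s.data]
            + 2 * ACCESS_LEVEL[s.access]
            + min(s.integrations, MAX_INTEGRATIONS))


def contextual_priority(s):
    """Higher means review sooner. Blends the external score with context.

    The external score only describes the internet-facing surface, so it is
    weighted at 40%; what the supplier can reach is weighted at 60%.
    """
    latest_score = s.score_history[-1][1]
    external_badness = 100 - latest_score              # 0..100
    context = exposure(s) / MAX_EXPOSURE * 100          # 0..100
    return round(0.4 * external_badness + 0.6 * context, 1)


def trend(s, window=3, threshold=5):
    """Classify the last `window` observations: regressing / improving / stable."""
    scores = [score for _, score in s.score_history[-window:]]
    if len(scores) < 2:
        return "insufficient_history"
    delta = scores[-1] - scores[0]
    if delta <= -threshold:
        return "regressing"
    if delta >= threshold:
        return "improving"
    return "stable"


def needs_direct_assessment(s):
    """Critical suppliers get a direct assessment whatever their SRS band."""
    return s.data in ("personal", "regulated") or s.access == "privileged"


def triage(suppliers):
    """Rank suppliers for review; returns (name, srs_band, priority, trend, direct)."""
    ranked = sorted(suppliers, key=contextual_priority, reverse=True)
    return [(s.name, rating_band(s.score_history[-1][1]), contextual_priority(s),
             trend(s), needs_direct_assessment(s)) for s in ranked]


# Constructed sample estate (fictional suppliers and scores).
PAYROLL = Supplier("PayrollCo", "regulated", "privileged", 2,
                   [("2025-01", 88), ("2025-02", 86), ("2025-03", 85)])
SWAG = Supplier("SwagVendor", "none", "none", 0,
                [("2025-01", 62), ("2025-02", 63), ("2025-03", 64)])
CDN = Supplier("CdnEdge", "internal", "read", 1,
               [("2025-01", 90), ("2025-02", 82), ("2025-03", 74)])
ESTATE = [PAYROLL, SWAG, CDN]

if __name__ == "__main__":
    for row in triage(ESTATE):
        print(row)
```

Run as a script, the "green" PayrollCo comes out first because of what it can reach, the "amber" SwagVendor last because it reaches nothing, and CdnEdge is flagged as regressing even though its latest band still reads amber. In a real programme the weights would be agreed with risk owners and the score history would come from your own scan records, not be typed in.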
How Cyber Tzar Complements SRS Tools
Cyber Tzar helps risk leaders get beyond the rating:
✅ Provides scan-based insights on real-world vulnerabilities
✅ Tracks supplier risk trends and remediation over time
✅ Benchmarks performance across sector and size
✅ Flags deeper risk across Tier 2 & Tier 3 supply chains
✅ Supports audit, insurer, and regulatory evidence requirements
We work alongside your existing tools — or replace them when they’re no longer enough.
🔎 Want to see the risk your SRS tool is missing?
Run a supplier scan at cybertzar.com