Microsoft365 Secure Score
Posted by Ok_Employment_5340@reddit | sysadmin | 31 comments
Is it worth investing the time to improve the Secure Score? Will we earn bragging rights, just a pat on the back?
TechMonkey605@reddit
I have a bittersweet take: we have noticed it is tied directly to spend accounts. We were 89%, then increased Defender and Sentinel, but dropped to about 70ish, and the only thing we did was add.
Glass_Call982@reddit
It's just some BS number insurance companies can use against you as well as something for clueless management to look at.
Not saying improving security isn't good, but a lot of people just try and aim for the max to show off, and then break a lot of shit by just flipping switches. There are A LOT of click-ops M365 admins.
GremlinNZ@reddit
Don't focus on it, but if you don't know where to start security wise, it's going to help you get started.
Bear in mind that Microsoft definitely uses it as an upsell, almost anything you see risk related will need P2 licencing if you don't have it (BP and E3 don't have it by default).
Your score will also move up and down by itself as things are added or removed. E.g., I've been deploying Defender, Intune and Autopilot in a new job; just enrolling a device dings my score if there isn't Secure Boot or BitLocker etc.
Preset security policies for inbound antispam etc. can jump you up if you haven't implemented those sorts of controls, but implementing a Windows baseline policy as default will completely lock you out of the ability to log in.
On top of that, with the delays in compliance and sync/refresh reporting, this is a marathon, not a sprint. Depends how far along you are.
E.g., in January before my time, the org was in the low 40s; now it's around 63-64. Still plenty of work to do in amongst everything else - users actually having their devices on would sure help...
REO_Jerkwagon@reddit
I used it as a personal corporate goal one year. I had reviewed it enough to know that I could safely say "raise secure score by 30 points" and be an easy target.
Did it make my organization more secure? Maybe a little, but all the "holy shit you gotta fix this" things were taken care of long before the thing was released.
CPAtech@reddit
To get much above about 70 you need to purchase additional licensing above and beyond what I would call standard.
Unable-Entrance3110@reddit
I chased it for a while. The suggestions are a good starting point for review, but at the end of the day it's a sales tool for Microsoft just as much as it is an indicator of sub-par configurations.
It's worth looking at, but the score is just a number that doesn't necessarily reflect reality.
bjc1960@reddit
It is important to us. Every company we buy has a 20, despite being managed by an MSP. Ours is 87 to 88, and we are happy with this.
We present it to our Board of Directors in the quarterly meetings. We give to cyber insurance underwriting and use this to help sell budget requests.
Kuipyr@reddit
I’m amazed by the "organizations like yours" comparison chart and how low the average score is.
Pub1ius@reddit
Right? It shows 46 for orgs my size. That's gotta be just creating the tenant and leaving nearly everything as is.
ValeoAnt@reddit
It's surely there to make us all feel better about ourselves.
Null0Naru@reddit
You should review it, but don't just blindly focus on making number go up.
It can highlight some important security gaps, including in controls you think you have in place, but have holes in them.
It can be a good KPI/Metric to report, but like with everything, you should prioritise and work based on risk. If you have loads of EoL systems and unpatched servers, you're probably going to want to focus on that rather than chasing numbers for the sake of it.
JoeK1337@reddit
Cyber insurance applications (including renewals) ask for the score now.
user1390027478@reddit
This.
Our cyber insurance policy requires it reported every year.
It’s also one of the pieces of evidence we use for our annual third party audit.
teriaavibes@reddit
Ah, sometimes I wonder what other stupid requirements cyber insurance companies can ask for. Never boring.
Ok_Employment_5340@reddit (OP)
Interesting to know!
FriscoJones@reddit
Microsoft does generally have a better idea as to how to secure their product than bloggers or redditors. If you're not already familiar with how to surpass that baseline then yeah, it's something valuable to work towards.
KavyaJune@reddit
Yes, but don’t aim for a perfect 100. The key is finding the right balance between security and productivity.
Elensea@reddit
I’ve never heard of it being used for anything except for MSPs to show clients.
Psiuyo@reddit
Every bit helps. Security is cumulative and layered. There are plenty of best practices in there and if your org has been around a while defaults may have changed and you may have legacy settings still in place.
In the end it's just a number on e-paper. Don't focus on it but use it where it makes sense.
As for political usefulness, no one notices us if everything works, only when shit breaks. If you can position yourself above the mean then it can be a nice feel-good line item for management meetings or reviews.
Ok_Employment_5340@reddit (OP)
True that
do_not_free_gaza@reddit
If you improve it by 50% you can put "Microsoft Security Engineer" in your title!!!
ncc74656m@reddit
*updates resume and offers start rolling in* Thanks redditman!!! *overenthusiastic grin and thumbs up*
Ok_Employment_5340@reddit (OP)
lol
12inch3installments@reddit
So I just need to convert my 10% to 15%? I can do that!
PDQ_Brockstar@reddit
Definitely worth enforcing good policy, but not for the sake of the score. Though I heard that if you get your score high enough, M$ will name a conference room after you, then promptly rename it.
Ok_Employment_5340@reddit (OP)
lol
JoeK1337@reddit
Cyber insurance applications and renewals ask for the score now. If it's low enough, you know they'll use it to deny a claim later.
disclosure5@reddit
No one is going to pat you on the back outside of your Microsoft licensing salesman. No one outside that circle gives two shits about this marketing tool.
ranhalt@reddit
Good action items, even if you mark them as solved through third party. But know that your score can change over time just because they add (maybe remove) items.
ncc74656m@reddit
It's nothing but a baseline. It will improve your security stance, but focusing on the highest-yield fruits like getting to phish-resistant MFA, MFA enforcement for all accounts including admins, and disabling insecure authentication will get you the most bang for the buck.
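The three controls named in the comment above can be checked against a tenant's Conditional Access policies without touching the Secure Score dashboard at all. The script below is an added, read-only example written for this thread (it is not code from any commenter or from Microsoft). It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the `Policy.Read.All` scope; the match on an authentication strength whose name contains "hishing" is an assumption that the tenant uses the built-in "Phishing-resistant MFA" strength or a custom one named similarly.

```powershell
# Added example, not from the thread: read-only audit of the three controls
# the comment lists (MFA for everyone, phishing-resistant MFA, legacy auth blocked).
# Assumes the Microsoft.Graph module and an account able to consent to Policy.Read.All.
# Nothing in the tenant is modified.

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# Only enabled policies enforce anything; report-only and disabled ones are excluded.
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' }

# 1. MFA enforced for all users (admins included): a policy scoped to 'All' users
#    that grants the 'mfa' control or an authentication strength.
$mfaForAll = $policies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or
     $null -ne $_.GrantControls.AuthenticationStrength)
}

# 2. Phishing-resistant MFA: an authentication strength whose display name
#    mentions phishing (assumption: the built-in "Phishing-resistant MFA" strength).
$phishResistant = $policies | Where-Object {
    $_.GrantControls.AuthenticationStrength.DisplayName -like '*hishing*'
}

# 3. Legacy (basic) authentication blocked: a block policy that targets the
#    'exchangeActiveSync' and 'other' client app types, where legacy protocols live.
$legacyBlocked = $policies | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}

[pscustomobject]@{
    'MFA required for all users'    = [bool]$mfaForAll
    'Phishing-resistant MFA policy' = [bool]$phishResistant
    'Legacy authentication blocked' = [bool]$legacyBlocked
} | Format-List

# A policy that appears to cover a control but carries exclusions is a common gap
# (the "controls you think you have in place, but have holes in them" case).
# List every exclusion so each one can be justified or removed.
$policies | ForEach-Object {
    if ($_.Conditions.Users.ExcludeUsers -or $_.Conditions.Users.ExcludeGroups) {
        '{0}: excludes {1} user(s), {2} group(s)' -f $_.DisplayName,
            @($_.Conditions.Users.ExcludeUsers).Count,
            @($_.Conditions.Users.ExcludeGroups).Count
    }
}
```

Run it from a PowerShell 7 session with `Install-Module Microsoft.Graph` already done. The output is three yes/no answers plus the exclusion list; a "True" next to a control whose policy excludes a break-glass group and half the sales team is exactly the kind of hole the score alone will not show you.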
Ok_Employment_5340@reddit (OP)
Thank you for your insight.