Microsoft Secure Score. “That again?” you say. Yes, that. We have written about Secure Score before. I recently worked with a customer to review their Secure Score and recommended actions, as part of an information security review we conducted. The experience reminded me that if you work with your Secure Score, you can improve your information security.

What is Secure Score?

If you use Microsoft 365 or its sibling, Office 365, you have Secure Score. I referenced our early explainer above. Here is another article I wrote on how to work with your Secure Score.

On your Microsoft 365 Admin page, in the Security Center, you will find Secure Score. You will see a score (don’t panic), a trend line, and a list of actions you can take to improve your score. Microsoft calculates your Secure Score based on the security actions you have taken (or not taken), measured against the actions they recommend.

If your Secure Score looks low, that is because you have not taken the time to work with it before now. If you take comfort in seeing that your peers are also scoring low, remember what I say about cyber attacks being like shark attacks. Namely, “I do not have to swim faster than the shark. I just have to swim faster than you.”

For some people, Secure Score is about as popular as a… I will let you complete that sentence. Suffice to say that not everyone loves Secure Score. Why is that?

Secure Score Pros and Cons

Allow me to start with some of the objections I hear when I recommend working with your Secure Score.

• Many IT people react negatively when they first see their organization’s Secure Score. Who wants to spend time with a tool that says they are doing a bad job managing security? “With friends like that…” as the saying goes.
• Other folks do not respond well to the “gamification” of information security. They prefer to get their dopamine hit somewhere else.
• Customers complain that the recommended actions do not make sense in their environment.
• Others note that they have implemented a recommendation in some non-Microsoft way. Why am I being penalized for not using a Microsoft solution?

I will speak about these objections soon. Let me first point out some reasons why you might want to work with your Secure Score.

• Your Secure Score reflects your Microsoft 365 environment. It is not a generic score. It reflects the actions you have taken, or not, to work with your Secure Score.
• Secure Score gives you the context and information to make an informed decision about adopting a recommendation or not. You will learn why this recommendation will improve your security. In addition, you will be given information on how to implement the recommendation (which helps to gauge the implementation difficulty) and how much your Secure Score will improve.
• You are getting expert security advice. It pains me to say this, since I would prefer that you pay me for expert security advice. Still, the Secure Score recommendations come from Microsoft’s experience across thousands of Microsoft 365 customers. You know how I feel about large sample sizes!

How to Work with Your Secure Score

OK, I have convinced you to at least try to work with your Secure Score. Where do you get started?

Start with the Overview section. You will see your organization’s Secure Score. Click on the drop-down in the upper right corner of the box. You can choose selections that will show you what Secure Score you could achieve with the licenses/subscriptions you have today. After you have created some actions, you can come back here to see how much your Secure Score will improve.

Now, look at the Recommended Actions. Expand the table to full-screen and you can begin to filter the recommended actions.

• Start by noting which actions provide the biggest Secure Score increase. These are your highest-value actions.
• Set the Filter to show you only actions that apply to licenses you already have. Work with your Secure Score to see what improvements you can make using the licenses you have already purchased.
• Next, remove the Filter and see what actions you can take, and what security impact they can have, if you implement some Microsoft subscriptions you don’t own yet. Yes, this is Microsoft trying to sell you something. However, the pitch lets you know what you will get if you implement the actions. Seems like a fair deal.

Credit Where Credit is Due

Plenty of customers are not 100% “Microsoft shops.” This is especially true in the cybersecurity arena. Customers use Cisco DUO for MFA. They use Box instead of SharePoint. Customers have Macs as well as Windows PCs.

If this sounds like you, do not give up on Secure Score. You can work with your Secure Score even when you implement non-Microsoft security. Do this by reviewing each Secure Score recommendation and noting if you have implemented the recommendation via alternative (to Microsoft) means. You did the work, so get the credit!

Similarly, make note when a recommendation does not apply to your organization, or when you can accept the risk of not implementing a recommendation. You do not need to be “dinged” for failing to implement Data Loss Protection if you have made the decision not to implement it.

Work with your Secure Score by ensuring that it accurately reflects what steps you have taken, as well as what steps you have elected not to take. Secure Score can be a valuable tool for improving your cybersecurity. Take the time to work with your Secure Score.