Why a single number matters
A board doesn't want a 200-row findings export. They want to know: are we getting safer or not? A posture score compresses dozens of signals into one trendable number that drives conversation and budget.
What a good score measures
A defensible score blends weighted domains, not a single dimension:
- Identity — MFA coverage, dormant accounts, privileged access hygiene.
- Vulnerabilities — open count weighted by exploitability and SLA-breach rate.
- Configuration — drift from a hardened baseline (CIS benchmarks).
- Data protection — encryption coverage, exposure of sensitive stores.
- Detection — log coverage and alert response times.
Make it actionable, not vanity
A score is only useful if every point maps to a fixable thing. "You're at 72 because 14% of accounts lack MFA and three internet-facing hosts breach SLA" drives action. "You're at 72" alone is theater.
Watch the trend, not the absolute
The absolute number is somewhat arbitrary — different vendors weight differently. What matters is the slope. A score climbing from 60 to 80 over a quarter tells a clear story; a flat 75 with churning underlying findings is a warning.
Avoid gaming
If a score is tied to a bonus, people will optimize the metric instead of security — closing easy lows to bump the number while ignoring hard criticals. Weight by risk so the math can't be cheated.
A posture score is a conversation starter, not a finish line.