Why a single number matters

A board doesn't want a 200-row findings export. They want to know: are we getting safer or not? A posture score compresses dozens of signals into one trendable number that drives conversation and budget.

What a good score measures

A defensible score blends weighted domains, not a single dimension:

  • Identity — MFA coverage, dormant accounts, privileged access hygiene.
  • Vulnerabilities — open count weighted by exploitability and SLA-breach rate.
  • Configuration — drift from a hardened baseline (CIS benchmarks).
  • Data protection — encryption coverage, exposure of sensitive stores.
  • Detection — log coverage and alert response times.

Make it actionable, not vanity

A score is only useful if every point maps to a fixable thing. "You're at 72 because 14% of accounts lack MFA and three internet-facing hosts breach SLA" drives action. "You're at 72" alone is theater.

Watch the trend, not the absolute

The absolute number is somewhat arbitrary — different vendors weight differently. What matters is the slope. A score climbing from 60 to 80 over a quarter tells a clear story; a flat 75 with churning underlying findings is a warning.

Avoid gaming

If a score is tied to a bonus, people will optimize the metric instead of security — closing easy lows to bump the number while ignoring hard criticals. Weight by risk so the math can't be cheated.

A posture score is a conversation starter, not a finish line.