The famous old-school computer columnist John C. Dvorak once claimed that no one in the IT industry would be able to resist reading any IT-related column whose title contained the phrase “free sex magic.” He thought that particular combination would be irresistible, but my editors here at Practical 365 weren’t convinced. Maybe the next best title would be “How to Score a Raise,” and that’s the topic for this installment.

No, seriously.

OK, maybe this technique doesn’t guarantee you a raise: but it will help you both do a better job of securing your Microsoft cloud environments and prove that you’ve done so. Both of those are valuable weapons when it comes time for your next salary discussion.

The Basics of Secure Score

Microsoft has been working on the Secure Score mechanism for quite some time (see this 2016 throwback for proof!). As they have added new components and features to Microsoft 365, and as the understanding of evolving security threats has changed, the exact components of the score have evolved as well. The basic idea has remained the same, though: Microsoft evaluates the security settings of your tenant and assigns a number of points reflecting how good or bad they think your particular security configuration is compared to their ideal recommendations. As things change, so do their recommendations, so your score will change over time even if you don’t do anything. This makes sense: even if your security posture is static, the threats you face are changing, so for most of us just doing nothing will result in lower scores over time.

There are several different, but related, Secure Score features for Defender for Cloud, Azure, and so on. I want to focus on the Microsoft 365 Secure Score feature, which is now officially part of Microsoft Defender and has been moved to the new security portal.

The basic architecture and layout remain the same as they have for some years now, and parallel those of the other Secure Score implementations in other components:

  • Your score trend is tracked over time.
  • Each configuration change that you make to any setting in the tenant may potentially affect your score. Many changes have no impact; some will raise your score, and some will lower it, depending on whether you’re following Microsoft’s suggestion or not.
  • Microsoft provides a list of recommended actions. You can mark specific items as “risk accepted” to indicate that you won’t implement them or as “planned” to indicate that you will. The portal also tracks regressed items.
  • Each recommended action has its own page explaining Microsoft’s recommendation, linking to additional documentation, and giving you a “Manage” button that takes you directly to the setting covered by the action.

In theory, this description should be all you need—you can navigate to the portal, see what Microsoft says you need to do, do it, and watch your score go up! That’s as simple as taking your doctor’s advice to eat more vegetables and fewer French fries, right?

While I truly wish it were that simple, there are two obstacles you may run into when using Secure Score. The first is simple to understand: Microsoft keeps changing score items over time. You will see a steady stream of items in the M365 message center that say “Microsoft changed a secure score recommendation.” Sometimes these changes eliminate a setting that used to be recommended; at other times they reflect additional settings that Microsoft has added to give you more control over security. As I mentioned earlier, if you do nothing and change nothing, your score is still going to change over time, in part because of this configuration drift imposed by Microsoft.

The Second Obstacle

The second obstacle is more difficult to work around. Not every recommendation that Microsoft makes is going to be acceptable in your organization. You may have security policies or standards that require you to deviate from what they recommend. It is also unfortunately true that some of their recommendations are based on you buying additional licenses to enable additional features. And that’s not possible for everybody. However, a big part of dealing with this obstacle is a sort of Zen state of acceptance. You are probably never going to get your security score to 100%. Even if you somehow manage to get close, your rating will change as the configuration options available to you change. The important part is to establish a positive trend where you are improving the security of your tenant over time, while at the same time ignoring settings that are not relevant or appropriate for your environment.

How do you establish that trend? By improving the security of your tenant, which you do by thoughtfully applying the recommended settings. This is the first part of what I promised in the introduction. I am not going to try to give you specific recommendations here, because which recommendations you implement is going to depend on your particular needs and your organization’s skill level and maturity.

One approach is to pick out the items with the biggest scoring potential and do them first. Another is to pick out the items you can most easily and quickly accomplish, even if their individual score contributions are lower. There is no wrong way to do it. Which approach will work best for you is going to depend on how much latitude you have to make changes, how much you know about the changes you are making, and your appetite for dealing with the impact of changes as you make them.

Trend Tracking

Before you read any further, you should go to the Secure Score dashboard, take a screenshot of its current state, and file it away somewhere. This is the anchor point that you’ll use when constructing an argument about how your improved security posture is justification for a raise or a promotion. You can use the History pivot on the dashboard to see a roughly 90-day view, and the Metrics & trends pivot allows you to select a date range to show history up to about 120 days back. For longer-term trend tracking, you’ll need to do it yourself. This is a slight annoyance, but it is still worth doing because it gives you a way to track changes that you have made over an extended period. That tracking gives you quantitative proof of what changes you made, when they were made, and what Microsoft estimates the security impact to be. This data on its own will not be enough to convince your boss to give you a raise. However, it is valuable to be able to show that your actions have directly improved the security of your tenant by X percent.
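One way to do that longer-term tracking yourself, as an added example that is not from the article: pull the daily `secureScore` records from the Microsoft Graph `/security/secureScores` endpoint, keep a snapshot of each in your own log, and compute the movement between any two dates. The Graph call below assumes you already hold an access token with the `SecurityEvents.Read.All` permission; the records in `SAMPLE_RECORDS` are constructed to match the shape Graph returns and are not from any real tenant.

```python
import csv
import json
import sys
import urllib.request
from datetime import datetime, timezone

GRAPH_URL = "https://graph.microsoft.com/v1.0/security/secureScores"

# Constructed sample records (invented numbers) in the shape Graph returns
# for secureScore objects, reduced to the fields used here.
SAMPLE_RECORDS = [
    {"createdDateTime": "2024-01-05T00:00:00Z", "currentScore": 312.5, "maxScore": 890.0},
    {"createdDateTime": "2024-03-01T00:00:00Z", "currentScore": 355.0, "maxScore": 905.0},
    {"createdDateTime": "2024-06-12T00:00:00Z", "currentScore": 402.25, "maxScore": 920.0},
]


def fetch_records(access_token):
    """Pull secureScore records from Graph. Assumes a valid bearer token; not exercised offline."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def snapshot(record):
    """Keep the date, points earned, points available and the resulting percentage for one record."""
    when = datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    pct = 100.0 * record["currentScore"] / record["maxScore"]
    return {"date": when.date().isoformat(), "current": record["currentScore"],
            "max": record["maxScore"], "percent": round(pct, 2)}


def trend(rows):
    """Movement from the first snapshot to the last. A non-zero max_delta means Microsoft
    added, removed or reweighted recommendations, which shifts the percentage on its own."""
    first, last = rows[0], rows[-1]
    return {"from": first["date"], "to": last["date"],
            "points_delta": round(last["current"] - first["current"], 2),
            "max_delta": round(last["max"] - first["max"], 2),
            "percent_delta": round(last["percent"] - first["percent"], 2)}


if __name__ == "__main__":
    # Append one CSV row per record to stdout; redirect to a file to build the long-term log.
    rows = [snapshot(r) for r in sorted(SAMPLE_RECORDS, key=lambda r: r["createdDateTime"])]
    writer = csv.DictWriter(sys.stdout, fieldnames=["date", "current", "max", "percent"])
    writer.writeheader()
    writer.writerows(rows)
    print(trend(rows), file=sys.stderr)
```

Replace `SAMPLE_RECORDS` with `fetch_records(token)` and run the script on a schedule to keep a record that outlasts the portal's 120-day window.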

Pick a Number

There’s always a strong temptation to reduce complex measurements down to a simpler set of metrics. The whole idea behind the Likert rating scale, the familiar “rate this thing on a scale of 1 to 10,” is to do exactly that. Sports, economics, finance, and many other domains try to aggregate or condense complicated multivariate measurements down to numbers. The problem is that some measurements cannot be condensed that way. When you go see your doctor, she doesn’t tell you, “Oh, good job eating more vegetables; your health score is now a 7.1.” There are too many subsystems and too many measurements in the human body for a single number to be an accurate representation. So it is with the concept of scoring security in a Microsoft tenant. While your Secure Score alone does not give a complete picture of a tenant’s security, it is a pretty good proxy indicator, one that you can use to your advantage. Since it doesn’t cost anything to use the Secure Score reporting mechanism, you should take full advantage of it. Good luck with your boss!

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).
