
Current-State Risk Scorecard

· Infonaligy

You cannot manage risk you have not measured

Most organizations have a general sense that their IT security could be better. The specifics — which domains are strong, which are dangerously weak, and what the financial exposure looks like in each area — tend to live in the heads of one or two technical people who describe them differently every time someone asks.

The Current-State Risk Scorecard replaces that ambiguity with a structured evaluation across eight security domains. Each domain scores on a 1-5 maturity scale with clear definitions at each level and explicit financial implications. The result is a baseline you can use for budget decisions, insurance conversations, compliance audits, and leadership updates.

Who this is for

  • CFOs and COOs who need a clear picture of IT risk exposure without learning to read vulnerability scans
  • IT directors and managers who need a structured way to communicate posture to non-technical leadership
  • Business owners who suspect their IT environment has gaps but cannot articulate where or how serious they are
  • Organizations preparing for compliance audits (HIPAA, SOC 2, CMMC, PCI DSS) who need to understand their starting point

The eight domains

The scorecard evaluates the eight areas that collectively determine how exposed your organization is to the most common threats facing SMBs. These are not theoretical — they are the domains that cyber insurers, compliance auditors, and incident response teams look at first.

1. Endpoint security

Every laptop, desktop, phone, and tablet connected to your network is an entry point. This domain evaluates:

  • Whether endpoints have managed detection and response (MDR/EDR) or only traditional antivirus
  • Patch management discipline — how quickly critical patches are applied
  • Device encryption and remote wipe capability
  • Whether personal devices access corporate resources and under what controls

At maturity level 1, the organization relies on built-in Windows Defender with no central management. Patches are applied manually on an ad-hoc basis. Personal devices connect to the network freely. Financial implication: a single compromised endpoint can provide lateral movement access to the entire environment.

At maturity level 5, every endpoint runs a centrally managed EDR solution with 24/7 SOC monitoring. Patches are deployed within 48 hours of release for critical vulnerabilities. Personal devices are segmented onto a separate network or managed through a mobile device management (MDM) platform.

2. Access management

Who has access to what, and how do you know? This domain covers:

  • Multi-factor authentication (MFA) deployment across all critical systems
  • Privileged access management — how admin accounts are controlled and audited
  • Onboarding and offboarding processes — how quickly access is provisioned and revoked
  • Password policies and whether the organization has moved beyond passwords to phishing-resistant authentication

The Verizon DBIR consistently identifies stolen credentials as the most common attack vector. Organizations scoring below level 3 on access management are statistically likely to experience a credential-based incident within 24 months.

3. Backup and recovery

Backups are the difference between a ransomware event being a bad week and an existential crisis. This domain evaluates:

  • Backup frequency, retention, and offsite/air-gapped storage
  • Whether backups are tested regularly with documented recovery procedures
  • Recovery time objectives (RTO) and recovery point objectives (RPO)
  • Whether backup credentials are isolated from the production environment

Many organizations discover during an incident that their backups were not actually working, were encrypted by the same ransomware, or had not been tested in years. A maturity level 3 or below in this domain represents the single highest-severity finding on most scorecards.

4. Network security

How your network is architected determines how far an attacker can move once inside. This domain covers:

  • Network segmentation — whether critical systems are isolated from general user traffic
  • Firewall management and rule hygiene
  • DNS filtering and web content controls
  • Wireless security and guest network isolation
  • Remote access controls (VPN, zero-trust, or direct exposure)

5. Email security

Email remains the primary attack vector for business email compromise (BEC), phishing, and malware delivery. This domain evaluates:

  • Email filtering and anti-phishing controls beyond the default Microsoft or Google protections
  • DMARC, DKIM, and SPF configuration to prevent domain spoofing
  • Security awareness training frequency and phishing simulation results
  • Policies for handling external links, attachments, and wire transfer requests

6. Vendor risk

Your security posture is only as strong as your weakest vendor. This domain covers:

  • Whether vendors with access to your systems or data have been assessed
  • Contract requirements for security standards, breach notification, and insurance
  • Monitoring for vendor-side breaches or security incidents
  • Whether your organization maintains a vendor inventory with access levels documented

7. Compliance posture

Compliance is not security, but non-compliance is a financial risk. This domain evaluates:

  • Which regulatory frameworks apply to your organization (HIPAA, SOC 2, PCI DSS, CMMC, Texas HB 4)
  • Current compliance status and known gaps
  • Whether compliance evidence is documented and audit-ready
  • Whether compliance controls overlap with or diverge from actual security controls

For a deeper dive into compliance readiness, see the Compliance Readiness Scorecard, which breaks down each framework into individual control assessments.

8. Incident response

When — not if — something goes wrong, how prepared is your organization? This domain evaluates:

  • Whether a documented incident response plan exists
  • Whether the plan has been tested with a tabletop exercise in the past 12 months
  • Whether roles and responsibilities are assigned and understood
  • Whether external incident response resources (legal, forensics, communications) are retained in advance

For a complete incident response framework, see the Incident Response Playbook for SMBs.

How scoring works

Each domain receives a maturity score from 1 to 5:

Score  Level       Description
1      Initial     No formal controls. Ad-hoc practices. High exposure.
2      Developing  Some controls in place but inconsistent. Significant gaps remain.
3      Defined     Documented processes and controls. Consistently applied. Moderate residual risk.
4      Managed     Controls are monitored and measured. Regular testing and improvement. Low residual risk.
5      Optimized   Continuous improvement. Proactive threat hunting. Minimal residual risk. Industry-leading posture.

Most SMBs with 50-250 employees score between 1.5 and 3.0 on their first assessment. That is normal. The scorecard is not designed to make you feel bad — it is designed to show you exactly where to invest first for the highest risk reduction per dollar.

Turning scores into action

The scorecard is a diagnostic tool, not an action plan. Once you have your scores:

  1. Identify the domains scoring 1 or 2 — these represent your highest-severity exposures and typically offer the greatest return on investment for remediation
  2. Feed the scores into the IT Risk Quantification Model — translate each domain’s weakness into a financial exposure estimate
  3. Map remediation costs using the IT Spend Efficiency Worksheet — understand what you are already spending in each domain and where budget reallocation can close gaps without increasing total spend
  4. Present findings using the Board and Leadership Risk Report Template — convert the scorecard into a format leadership can act on
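As an added example (not part of the original scorecard or Infonaligy's own tooling), the following Python sketch encodes the 1-5 rubric above together with the two severity rules stated on this page: domains at level 1 or 2 are flagged for remediation first, and a backup score of 3 or below is treated as the highest-severity finding. The domain keys, the equal weighting in the overall average, and the ordering of findings are assumptions.

```python
from statistics import mean

# Domain keys are an assumption; they stand for the eight domains above.
DOMAINS = ("endpoint", "access", "backup", "network", "email",
           "vendor", "compliance", "incident_response")
LEVELS = {1: "Initial", 2: "Developing", 3: "Defined",
          4: "Managed", 5: "Optimized"}


def validate(scores):
    """Require an integer 1-5 score for every one of the eight domains."""
    missing = set(DOMAINS) - set(scores)
    if missing:
        raise ValueError(f"missing domains: {sorted(missing)}")
    for domain, score in scores.items():
        if domain not in DOMAINS or score not in LEVELS:
            raise ValueError(f"invalid score {score!r} for {domain!r}")


def level_name(score):
    return LEVELS[score]


def overall(scores):
    """Unweighted average across domains (the scorecard does not
    specify weights, so equal weights are assumed here)."""
    validate(scores)
    return mean(scores.values())


def assess(domain, score):
    """Return (severity_rank, note) for one domain, or None if no finding.
    Rank 0 sorts before rank 1; the ranking itself is an assumption."""
    if domain == "backup" and score <= 3:
        return 0, "backup at level 3 or below: highest-severity finding"
    if score <= 2:
        note = "level 1-2: remediate first for highest risk reduction per dollar"
        if domain == "access":
            note += "; credential-based incident statistically likely within 24 months"
        return 1, note
    return None


def findings(scores):
    """Findings most severe first: by rank, then lower score, then domain order."""
    validate(scores)
    rows = []
    for domain in DOMAINS:
        hit = assess(domain, scores[domain])
        if hit is not None:
            rows.append((hit[0], scores[domain], DOMAINS.index(domain), domain, hit[1]))
    rows.sort()
    return [(d, s, level_name(s), note) for _, s, _, d, note in rows]
```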

Related resources

This scorecard is one component of the CFO Playbook for IT Risk Analysis. Related tools:

Want an expert-led risk assessment?

Our team can run the scorecard against your environment and deliver a full risk posture report.
