Beyond Microsoft Secure Score: What Financial Institutions Actually Need

Microsoft Secure Score tells you 62%. Your board hears "passing grade." Your auditor hears "38% of recommended security controls are not implemented." Same number, two completely different conclusions. This disconnect is where financial institutions get into trouble.

Secure Score is a useful starting point. It is not a security strategy. It grades on a curve. It rewards easy wins over hard controls. It does not map to the regulatory frameworks that govern mortgage lenders, credit unions, and banks. And it does not tell you whether your institution is actually protected against the threats that matter.

ABT's Guardian operating model starts where Secure Score stops. Guardian uses the score as one input among many, sets a 90%+ target across all four categories, and wraps the number in operational context that turns a metric into a security program.

The Problem with Grading on a Curve

Microsoft Secure Score calculates a percentage based on how many recommended actions your tenant has implemented across four categories: Identity, Data, Devices, and Apps. It sounds straightforward. The problems are in the details.

The Score Rewards Low-Hanging Fruit

Some Secure Score actions are worth more points than others. But the weighting does not always reflect actual risk. An institution can reach 65% by implementing a dozen easy changes while leaving the hard ones (device compliance, DLP enforcement, Conditional Access for all users) untouched. The score goes up. The actual risk stays the same.

The Comparison Is Misleading

Microsoft shows how your score compares to "similar organizations." But "similar" is based on tenant size and industry, not regulatory profile. A mortgage lender holding borrower Social Security numbers has a different threat model than a marketing agency with the same number of users. The comparison creates false comfort.

The Score Does Not Map to Compliance

No regulator accepts Secure Score as compliance evidence. The FFIEC examination handbook, GLBA Safeguards Rule, NCUA ACET, and state regulators all require specific controls documented with specific evidence. Secure Score measures Microsoft's recommended actions, not your regulator's required controls. The overlap is significant but not complete.

The Score Is a Snapshot, Not a Trend

Secure Score shows today's number. It does not show last Tuesday's number, or the fact that someone created a Conditional Access exclusion on Wednesday that dropped your Identity score by 8 points. Without trend data and change tracking, a good score today can mask a deteriorating trajectory.

What Financial Institutions Actually Need

Financial institution IT teams need a security operating model that answers three questions every day:

1. What changed since yesterday? New risks, policy modifications, enrollment gaps, device compliance changes.
2. What should we fix first? Prioritized by actual risk to the institution, not by Secure Score point value.
3. Can we prove it to our regulators? Evidence that maps to GLBA, FFIEC, NCUA, FTC Safeguards Rule, and state requirements.

Secure Score partially answers question two. Guardian answers all three.

How Guardian Goes Beyond the Score

Category-Level Visibility with Operational Context

Guardian breaks Secure Score into its four components (Identity, Data, Devices, Apps) and adds operational context to each. A score of 75% in Identity means something different depending on whether the remaining 25% is legacy authentication (critical risk) or a cosmetic setting like login page branding (minimal risk).

For each category, Guardian shows:

• Current score and 30/60/90-day trend
• Specific unimplemented actions ranked by actual risk, not point value
• Estimated effort and impact for each action
• Regulatory mapping (which framework requires this control)

Your IT team sees the same data Microsoft provides, organized by what matters to a regulated financial institution instead of what matters to Microsoft's scoring algorithm.

MFA Coverage That Tells the Truth

Secure Score checks whether MFA is "enabled." Guardian checks whether MFA is completed. The distinction matters enormously.

A user who started MFA registration but never finished shows as "enabled" in the Microsoft admin portal and counts toward your Secure Score. But that user has no second factor protecting their account. They are as vulnerable as someone with no MFA at all.

Guardian identifies every user in this gap state. For the mortgage lenders ABT manages, this gap typically affects 5-15% of the user base at any given time. Those users are the ones attackers will find first.

Stale Account Detection That Connects to Cost

Secure Score does not track stale accounts. Guardian does. An account that has not been used in 90 days is a risk (credentials can be compromised without anyone noticing) and a cost (the license is still being paid for).

For a mortgage lender with 300 users, stale accounts typically represent 8-12% of the user base. At $22 per user per month for Business Premium licensing, that is $7,920 to $9,504 per year in wasted licenses attached to accounts that are security liabilities.

Guardian surfaces stale accounts in the nightly scan with the specific account names, last login dates, and assigned licenses. Your team can disable the accounts and reclaim the licenses in the same action.

Device Compliance Beyond Enrollment

Secure Score measures whether Intune is configured. Guardian measures whether devices are actually compliant. A tenant with Intune enabled but 40% of devices failing compliance checks looks good on Secure Score and terrible on the ground.

Guardian tracks device compliance rates daily. It identifies devices running outdated operating systems, missing encryption, or failing to report to Intune. For financial institutions where every device accesses borrower data, device compliance is not optional.

Compliance Evidence as a Byproduct

The FFIEC retired its Cybersecurity Assessment Tool in August 2025. The NCUA updated its ACET to align with NIST Cybersecurity Framework 2.0. State regulators like NYDFS have their own requirements. The FTC Safeguards Rule applies to every mortgage lender.

Guardian does not require a separate compliance reporting workflow. The same nightly scans that detect MFA gaps and stale accounts produce the evidence your auditor needs. MFA enforcement logs map to access control requirements. Device compliance records map to endpoint protection requirements. Conditional Access policies map to data protection requirements.

When the examiner asks "show me proof that MFA is enforced for all users accessing borrower data," you pull the report from yesterday's Guardian scan. You do not spend three days building a spreadsheet.

The 90% Target and Why It Matters

ABT targets 90% or higher Secure Score across all four categories for every managed tenant. Most financial institutions start between 35% and 55%.

The 90% target is not arbitrary. It represents a posture where:

• Legacy authentication is blocked (stops 99% of password spray attacks)
• MFA is fully enrolled for all users (not just registered)
• All devices meet compliance policies
• DLP policies protect sensitive data types
• Email authentication (SPF/DKIM/DMARC) prevents spoofing
• Conditional Access restricts access by location, device, and risk level

The remaining 10% typically consists of controls that require trade-offs: settings that would break specific workflows, controls that duplicate coverage from other tools, or Microsoft recommendations that do not apply to the institution's environment.

Cyber insurance carriers now factor Secure Score into underwriting. Demonstrating 90%+ in MFA and Data Protection can reduce premiums. Guardian gives your CFO the documentation to make that case during renewal negotiations.

From Score to Security Program

Secure Score is a number. A security program is a discipline. The difference shows up in how your institution handles the unexpected.

When a new vulnerability is disclosed, a score-focused team checks whether it affects their Secure Score. A program-focused team checks whether it affects their users, their data, and their compliance posture. Guardian provides the visibility for the second approach.

When a vendor is breached, a score-focused team has no immediate action items. A program-focused team checks their Conditional Access policies, reviews third-party application permissions, and verifies that the breach did not affect their tenant. Guardian surfaces this information without requiring your team to know where to look.

When a regulator updates their requirements, a score-focused team starts a new compliance project. A program-focused team checks their existing controls against the new requirements and finds they already meet most of them because they built the program on fundamentals, not point-chasing.

ABT's Architecture Advantage

ABT runs a pure Microsoft technology stack. No ConnectWise. No Kaseya. No SolarWinds. No third-party MSP platforms. Guardian is built on the same Microsoft tools your institution already licenses: Entra ID, Intune, Defender, Purview, and Sentinel.

This matters for going beyond Secure Score because the data sources are native. Guardian reads directly from Microsoft's APIs. There is no translation layer, no third-party data warehouse, no secondary sync that introduces lag or data loss. The findings are as current as the data in your tenant.

ABT serves 750+ financial institutions. That scale means the Guardian team has tuned its scanning, prioritization, and remediation guidance across thousands of tenants. The recommendations your team receives are not generic best practices. They are informed by patterns across the largest financial institution MSP client base in the market.

Technical Reference

Microsoft Secure Score: A percentage-based metric measuring implementation of Microsoft's recommended security actions across Identity, Data, Devices, and Apps. Useful as a benchmark but insufficient as a security strategy for regulated financial institutions.

NIST Cybersecurity Framework 2.0: The updated federal framework for managing cybersecurity risk. Now the primary reference for financial institution assessments after FFIEC retired its Cybersecurity Assessment Tool in August 2025.

FTC Safeguards Rule: Federal requirement for financial institutions (including mortgage lenders) to develop, implement, and maintain an information security program. Updated requirements include risk assessments, access controls, encryption, and continuous monitoring.

Conditional Access: Microsoft Entra ID feature that evaluates access requests against policies based on user identity, device compliance, location, and real-time risk level. The primary enforcement mechanism for zero-trust architecture in Microsoft 365.

NCUA ACET: The National Credit Union Administration's Automated Cybersecurity Evaluation Tool, updated to align with NIST CSF 2.0 after FFIEC retired its own assessment tool. Used by credit unions for self-assessment.

Your Score Is Not Your Security

A number on a dashboard tells you where you stand. An operating model tells you where you are going and how to get there. Guardian turns Secure Score from a metric into a managed security program built for regulated financial institutions.

Talk to an ABT security specialist about building a security program that goes beyond the score.