Mortgage Workspace Blog

Beyond Microsoft Secure Score: What Financial Institutions Actually Need

Written by Justin Kirsch | Sep 19, 2024 2:45:00 PM

Microsoft Secure Score tells you 62%. Your board hears "passing grade." Your auditor hears "38% of the points Microsoft assigns to its recommended controls have not been earned, so which controls are missing?" Same number, two completely different conclusions. This disconnect is where financial institutions get into trouble.

Secure Score is a useful starting point. It is not a security strategy. It grades on a curve. It rewards easy wins over hard controls. It does not map to the regulatory frameworks that govern mortgage lenders, credit unions, and banks. And it does not tell you whether your institution is actually protected against the threats that matter.

ABT's Guardian operating model starts where Secure Score stops. Guardian uses the score as one input among many, sets a 90%+ target across all four categories, and wraps the number in operational context that turns a metric into a security program.

The Problem with Grading on a Curve

Microsoft Secure Score calculates a percentage from the points your tenant has earned against the points available for the recommended actions it tracks across four categories: Identity, Data, Devices, and Apps. Each action carries its own point value, so the percentage is weighted, not a simple count of controls. It sounds straightforward. The problems are in the details.

The Score Rewards Low-Hanging Fruit

Some Secure Score actions are worth more points than others. But the weighting does not always reflect actual risk. An institution can reach 65% by implementing a dozen easy changes while leaving the hard ones (device compliance, DLP enforcement, Conditional Access for all users) untouched. The score goes up. The actual risk stays the same.

The Comparison Is Misleading

Microsoft shows how your score compares to "similar organizations." But "similar" is based on tenant size and industry, not regulatory profile. A mortgage lender holding borrower Social Security numbers has a different threat model than a marketing agency with the same number of users. The comparison creates false comfort.

The Score Does Not Map to Compliance

No regulator accepts Secure Score as compliance evidence. The FFIEC examination handbook, GLBA Safeguards Rule, NCUA ACET, and state regulators all require specific controls documented with specific evidence. Secure Score measures Microsoft's recommended actions, not your regulator's required controls. The overlap is significant but not complete.

The Score Is a Snapshot, Not a Trend

Secure Score shows today's number. It does not show last Tuesday's number, or the fact that someone created a Conditional Access exclusion on Wednesday that dropped your Identity score by 8 points. Without trend data and change tracking, a good score today can mask a deteriorating trajectory.

What Financial Institutions Actually Need

Financial institution IT teams need a security operating model that answers three questions every day:

  1. What changed since yesterday? New risks, policy modifications, enrollment gaps, device compliance changes.
  2. What should we fix first? Prioritized by actual risk to the institution, not by Secure Score point value.
  3. Can we prove it to our regulators? Evidence that maps to GLBA, FFIEC, NCUA, FTC Safeguards Rule, and state requirements.

Secure Score partially answers question two. Guardian answers all three.

How Guardian Goes Beyond the Score

Category-Level Visibility with Operational Context

Guardian breaks Secure Score into its four components (Identity, Data, Devices, Apps) and adds operational context to each. A score of 75% in Identity means something different depending on whether the remaining 25% is legacy authentication (critical risk) or a cosmetic setting like login page branding (minimal risk).

For each category, Guardian shows:

  • Current score and 30/60/90-day trend
  • Specific unimplemented actions ranked by actual risk, not point value
  • Estimated effort and impact for each action
  • Regulatory mapping (which framework requires this control)

Your IT team sees the same data Microsoft provides, organized by what matters to a regulated financial institution instead of what matters to Microsoft's scoring algorithm.
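The trend and attribution view described above is easy to build from the raw snapshots. The script below is an added example, not Guardian's code or anything from the original post: it takes two daily snapshots in the shape of the Microsoft Graph `secureScore` resource (what `GET /security/secureScores` returns, with `currentScore`, `maxScore` and a `controlScores` array carrying `controlCategory`, `controlName` and `score`) and reports which controls moved the number, by category. Both snapshots and the control names are constructed sample data.

```python
"""Added example (not Guardian's code): attribute day-over-day Secure Score
movement to the controls that changed, grouped by category.

Record shape follows the Microsoft Graph secureScore resource returned by
GET /security/secureScores (createdDateTime, currentScore, maxScore and
controlScores[] with controlCategory, controlName, score). Both snapshots
below are constructed sample data, not a real tenant; control names are
illustrative.
"""
from collections import defaultdict

YESTERDAY = {
    "createdDateTime": "2025-09-16T00:00:00Z",
    "currentScore": 28.0,
    "maxScore": 40.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "BlockLegacyAuthentication", "score": 8.0},
        {"controlCategory": "Identity", "controlName": "MFARegistrationV2", "score": 9.0},
        {"controlCategory": "Identity", "controlName": "SigninRiskPolicy", "score": 0.0},
        {"controlCategory": "Device", "controlName": "IntuneCompliancePolicy", "score": 6.0},
        {"controlCategory": "Apps", "controlName": "DMARC", "score": 5.0},
    ],
}

# Same tenant one day later: a Conditional Access exclusion has zeroed the
# legacy-auth control, and a new Apps control appeared with a small gain.
TODAY = {
    "createdDateTime": "2025-09-17T00:00:00Z",
    "currentScore": 22.0,
    "maxScore": 42.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "BlockLegacyAuthentication", "score": 0.0},
        {"controlCategory": "Identity", "controlName": "MFARegistrationV2", "score": 9.0},
        {"controlCategory": "Identity", "controlName": "SigninRiskPolicy", "score": 0.0},
        {"controlCategory": "Device", "controlName": "IntuneCompliancePolicy", "score": 6.0},
        {"controlCategory": "Apps", "controlName": "DMARC", "score": 5.0},
        {"controlCategory": "Apps", "controlName": "SafeLinksForOffice", "score": 2.0},
    ],
}


def score_percent(snapshot):
    """The headline number: earned points as a percentage of available points."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def diff_snapshots(before, after):
    """Explain the move between two snapshots control by control."""
    b = {c["controlName"]: c for c in before["controlScores"]}
    a = {c["controlName"]: c for c in after["controlScores"]}
    by_category = defaultdict(float)
    changed = []
    for name in sorted(set(b) | set(a)):
        old = b[name]["score"] if name in b else 0.0   # control new today: nothing earned before
        new = a[name]["score"] if name in a else 0.0   # control retired: nothing earned after
        if old == new:
            continue
        category = (a.get(name) or b[name])["controlCategory"]
        by_category[category] += new - old
        changed.append({"category": category, "control": name, "before": old, "after": new})
    return {
        "percent_before": score_percent(before),
        "percent_after": score_percent(after),
        "by_category": dict(by_category),
        "changed_controls": changed,
    }


def regressions(report):
    """Controls that lost points, largest loss first: the 'what changed since yesterday' list."""
    lost = [c for c in report["changed_controls"] if c["after"] < c["before"]]
    return sorted(lost, key=lambda c: c["before"] - c["after"], reverse=True)


def format_report(report):
    lines = [f"Secure Score {report['percent_before']}% -> {report['percent_after']}%"]
    for category, delta in sorted(report["by_category"].items()):
        lines.append(f"  {category}: {delta:+.1f} points")
    for c in regressions(report):
        lines.append(f"  REGRESSION {c['category']}/{c['control']}: {c['before']} -> {c['after']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_snapshots(YESTERDAY, TODAY)))
```

Keeping each day's snapshot and running this diff nightly is what turns "the score is 52%" into "Identity lost 8 points overnight because the legacy authentication block stopped scoring, go look at who touched that policy." A 30/60/90-day trend is the same computation applied across a window of stored snapshots.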

MFA Coverage That Tells the Truth

Secure Score checks whether MFA is enabled for a user. Guardian checks whether the user has actually registered a second factor. The distinction matters enormously.

In the legacy per-user MFA settings, "Enabled" means the user will be asked to register at the next interactive sign-in; only "Enforced" means registration finished. A user sitting in the Enabled state shows as covered in the Microsoft admin portal and counts toward your Secure Score. But that user has no second factor protecting their account. They are as vulnerable as someone with no MFA at all, and in one respect worse off: the next person to sign in with the password, including an attacker who has phished or sprayed it, is the one who gets to register the factor. Protecting registration itself closes that window, either with a Temporary Access Pass issued by the help desk or with a Conditional Access policy on the "Register security information" user action that limits where registration can happen.

Guardian identifies every user in this gap state. For the mortgage lenders ABT manages, this gap typically affects 5-15% of the user base at any given time. Those users are the ones attackers will find first.

Stale Account Detection That Connects to Cost

Secure Score does not track stale accounts. Guardian does. An account that has not been used in 90 days is a risk (credentials can be compromised without anyone noticing) and a cost (the license is still being paid for).

For a mortgage lender with 300 users, stale accounts typically represent 8-12% of the user base, or 24 to 36 accounts. At $22 per user per month for Business Premium licensing, that is $6,336 to $9,504 per year in wasted licenses attached to accounts that are security liabilities.

Guardian surfaces stale accounts in the nightly scan with the specific account names, last login dates, and assigned licenses. Your team can disable the accounts and reclaim the licenses in the same action.
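The MFA gap check and the stale account check are the same kind of nightly pass over user data. The script below is an added example, not Guardian's code: it works on records that join, per user, the fields you would pull from the Graph `userRegistrationDetails` report (`isMfaRegistered`, `methodsRegistered`) and the `users` endpoint (`accountEnabled`, `createdDateTime`, `signInActivity.lastSignInDateTime`, `assignedLicenses`), flags enabled accounts with no registered second factor, and prices the stale ones. The user records, the Business Premium SKU id and the $22 list price are assumptions for the example; the SKU id in particular should be confirmed against `GET /subscribedSkus` in your own tenant.

```python
"""Added example (not Guardian's code): one nightly identity pass that finds
accounts with no registered second factor and stale licensed accounts, and
prices the stale ones.

Each record joins, on the user, two Microsoft Graph results:
GET /reports/authenticationMethods/userRegistrationDetails (isMfaRegistered,
methodsRegistered) and GET /users?$select=accountEnabled,createdDateTime,
signInActivity,assignedLicenses (lastSignInDateTime flattened here). The
records, the SKU id and the price are constructed assumptions, not a tenant.
"""
from datetime import datetime, timedelta, timezone

# Microsoft 365 Business Premium (SPB). Assumed; confirm against GET /subscribedSkus.
BUSINESS_PREMIUM = "cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46"
MONTHLY_PRICE = {BUSINESS_PREMIUM: 22.00}   # $/user/month, assumed list price
STALE_AFTER = timedelta(days=90)
AS_OF = datetime(2025, 9, 17, tzinfo=timezone.utc)  # constructed scan time

USERS = [  # constructed sample data
    {"userPrincipalName": "alice@lender.example", "accountEnabled": True, "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"], "createdDateTime": "2023-02-01T00:00:00Z",
     "lastSignInDateTime": "2025-09-16T08:12:00Z", "assignedLicenses": [BUSINESS_PREMIUM]},
    {"userPrincipalName": "bob@lender.example", "accountEnabled": True, "isMfaRegistered": False,
     "methodsRegistered": [], "createdDateTime": "2024-11-05T00:00:00Z",
     "lastSignInDateTime": "2025-09-15T17:40:00Z", "assignedLicenses": [BUSINESS_PREMIUM]},
    {"userPrincipalName": "carol@lender.example", "accountEnabled": True, "isMfaRegistered": False,
     "methodsRegistered": [], "createdDateTime": "2025-09-10T00:00:00Z",
     "lastSignInDateTime": None, "assignedLicenses": [BUSINESS_PREMIUM]},
    {"userPrincipalName": "dave@lender.example", "accountEnabled": True, "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"], "createdDateTime": "2022-06-01T00:00:00Z",
     "lastSignInDateTime": "2025-05-01T09:00:00Z", "assignedLicenses": [BUSINESS_PREMIUM]},
    {"userPrincipalName": "erin@lender.example", "accountEnabled": True, "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"], "createdDateTime": "2021-03-15T00:00:00Z",
     "lastSignInDateTime": "2025-06-01T12:30:00Z", "assignedLicenses": [BUSINESS_PREMIUM]},
    {"userPrincipalName": "frank@lender.example", "accountEnabled": False, "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"], "createdDateTime": "2020-01-01T00:00:00Z",
     "lastSignInDateTime": "2024-01-01T08:00:00Z", "assignedLicenses": [BUSINESS_PREMIUM]},
]


def parse_ts(value):
    """Graph emits RFC 3339 with a trailing Z; None means Graph has never seen a sign-in."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def mfa_gap(users):
    """Enabled accounts with no registered factor. Being enabled for MFA is not the
    same as being protected by it: nothing exists to challenge yet, and whoever next
    signs in with the password (including an attacker) gets to register the factor."""
    return [{"upn": u["userPrincipalName"],
             "never_signed_in": u["lastSignInDateTime"] is None}
            for u in users if u["accountEnabled"] and not u["isMfaRegistered"]]


def stale_accounts(users, as_of=AS_OF):
    """Enabled accounts idle for STALE_AFTER. A never-used account is judged by its
    creation date, so a fresh hire is not flagged but a forgotten one is."""
    cutoff = as_of - STALE_AFTER
    stale = []
    for u in users:
        if not u["accountEnabled"]:
            continue  # already disabled; reclaiming its license is a different list
        last_seen = parse_ts(u["lastSignInDateTime"]) or parse_ts(u["createdDateTime"])
        if last_seen < cutoff:
            stale.append({"upn": u["userPrincipalName"],
                          "days_idle": (as_of - last_seen).days,
                          "licenses": u["assignedLicenses"]})
    return stale


def annual_license_waste(stale):
    """Yearly spend on licenses attached to the stale accounts."""
    monthly = sum(MONTHLY_PRICE.get(sku, 0.0) for acct in stale for sku in acct["licenses"])
    return round(monthly * 12, 2)


def nightly_scan(users, as_of=AS_OF):
    stale = stale_accounts(users, as_of)
    return {"mfa_gap": mfa_gap(users), "stale": stale, "annual_waste_usd": annual_license_waste(stale)}


if __name__ == "__main__":
    result = nightly_scan(USERS)
    for g in result["mfa_gap"]:
        flag = " (never signed in: first password use registers the factor)" if g["never_signed_in"] else ""
        print(f"MFA GAP  {g['upn']}{flag}")
    for s in result["stale"]:
        print(f"STALE    {s['upn']}  idle {s['days_idle']}d  licenses={len(s['licenses'])}")
    print(f"Annual license spend on stale accounts: ${result['annual_waste_usd']:,.2f}")
```

Reading `signInActivity` needs the AuditLog.Read.All permission and a Microsoft Entra ID P1 or P2 license in the tenant; the registration report needs UserAuthenticationMethod.Read.All or Reports.Read.All. The never-signed-in flag is worth its own line in the report because that account is the one where an attacker, not the employee, may end up registering MFA.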

Device Compliance Beyond Enrollment

Secure Score measures whether Intune compliance policies exist. Guardian measures whether devices actually pass them. A tenant with Intune enabled but 40% of devices failing compliance checks looks good on Secure Score and terrible on the ground.

Guardian tracks device compliance rates daily. It identifies devices running outdated operating systems, missing encryption, or failing to report to Intune. For financial institutions where every device accesses borrower data, device compliance is not optional.
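The point of the daily device view is that "reported compliant" and "actually compliant" diverge. The script below is an added example, not Guardian's code: it takes records in the shape of the Graph `managedDevice` resource (`GET /deviceManagement/managedDevices`, with `complianceState`, `lastSyncDateTime`, `osVersion` and `isEncrypted`) and discounts any device whose reported state is stale, whose disk is unencrypted, or whose OS is below a floor. The devices, the OS floor and the seven-day check-in window are constructed assumptions, not a real tenant or a real policy.

```python
"""Added example (not Guardian's code): judge Intune by what enrolled
devices are actually doing, not by whether compliance policies exist.

Record shape follows the Microsoft Graph managedDevice resource from
GET /deviceManagement/managedDevices (deviceName, userPrincipalName,
operatingSystem, osVersion, complianceState, isEncrypted, lastSyncDateTime).
The devices, the OS floor and the check-in window are constructed
assumptions, not a real tenant or a real policy.
"""
from datetime import datetime, timedelta, timezone

MIN_OS_VERSION = {"Windows": (10, 0, 19045)}   # assumed floor (Windows 10 22H2 build number)
MAX_SILENT = timedelta(days=7)                  # assumed: a week without check-in means the state is unknown
AS_OF = datetime(2025, 9, 17, tzinfo=timezone.utc)  # constructed scan time

DEVICES = [  # constructed sample data
    {"deviceName": "LT-ALICE", "userPrincipalName": "alice@lender.example", "operatingSystem": "Windows",
     "osVersion": "10.0.22631.4169", "complianceState": "compliant", "isEncrypted": True,
     "lastSyncDateTime": "2025-09-16T22:10:00Z"},
    {"deviceName": "LT-BOB", "userPrincipalName": "bob@lender.example", "operatingSystem": "Windows",
     "osVersion": "10.0.22631.4169", "complianceState": "noncompliant", "isEncrypted": False,
     "lastSyncDateTime": "2025-09-16T20:05:00Z"},
    {"deviceName": "LT-CAROL", "userPrincipalName": "carol@lender.example", "operatingSystem": "Windows",
     "osVersion": "10.0.22631.4169", "complianceState": "compliant", "isEncrypted": True,
     "lastSyncDateTime": "2025-08-20T07:30:00Z"},   # reported compliant, but four weeks silent
    {"deviceName": "LT-DAVE", "userPrincipalName": "dave@lender.example", "operatingSystem": "Windows",
     "osVersion": "10.0.19041.1234", "complianceState": "compliant", "isEncrypted": True,
     "lastSyncDateTime": "2025-09-16T18:45:00Z"},   # reported compliant on an OS below the floor
    {"deviceName": "LT-ERIN", "userPrincipalName": "erin@lender.example", "operatingSystem": "Windows",
     "osVersion": "10.0.22631.4169", "complianceState": "inGracePeriod", "isEncrypted": True,
     "lastSyncDateTime": "2025-09-16T21:00:00Z"},
]


def parse_ts(value):
    """Graph emits RFC 3339 timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def version_tuple(text):
    """'10.0.22631.4169' -> (10, 0, 22631, 4169) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def assess_device(device, as_of=AS_OF):
    """Reasons this device should not be counted as compliant; empty means it should."""
    reasons = []
    if device["complianceState"] != "compliant":
        reasons.append(f"complianceState={device['complianceState']}")
    if not device["isEncrypted"]:
        reasons.append("disk not encrypted")
    silent = as_of - parse_ts(device["lastSyncDateTime"])
    if silent > MAX_SILENT:
        reasons.append(f"no Intune check-in for {silent.days} days, reported state is stale")
    floor = MIN_OS_VERSION.get(device["operatingSystem"])
    if floor and version_tuple(device["osVersion"]) < floor:
        reasons.append(f"OS {device['osVersion']} below floor {'.'.join(map(str, floor))}")
    return reasons


def compliance_summary(devices, as_of=AS_OF):
    """Enrollment count, what Intune reports, and what survives the extra checks."""
    findings = {d["deviceName"]: assess_device(d, as_of) for d in devices}
    reported = sum(1 for d in devices if d["complianceState"] == "compliant")
    effective = sum(1 for reasons in findings.values() if not reasons)
    return {
        "enrolled": len(devices),
        "reported_compliant": reported,
        "effectively_compliant": effective,
        "effective_rate": round(100.0 * effective / len(devices), 1),
        "findings": {name: reasons for name, reasons in findings.items() if reasons},
    }


if __name__ == "__main__":
    summary = compliance_summary(DEVICES)
    print(f"enrolled={summary['enrolled']} reported_compliant={summary['reported_compliant']} "
          f"effectively_compliant={summary['effectively_compliant']} ({summary['effective_rate']}%)")
    for name, reasons in summary["findings"].items():
        print(f"  {name}: " + "; ".join(reasons))
```

In this sample Intune reports three of five devices compliant, but only one survives the staleness and OS checks. A device that has not checked in for weeks is not "compliant", it is unknown, and a Conditional Access rule that requires a compliant device will keep letting it in until Intune notices.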

Compliance Evidence as a Byproduct

The FFIEC sunset its Cybersecurity Assessment Tool on August 31, 2025, a retirement it announced in August 2024, and pointed institutions to NIST Cybersecurity Framework 2.0 among other standard frameworks. The NCUA updated its ACET to align with NIST Cybersecurity Framework 2.0. State regulators like NYDFS have their own requirements. The FTC Safeguards Rule applies to every mortgage lender.

Guardian does not require a separate compliance reporting workflow. The same nightly scans that detect MFA gaps and stale accounts produce the evidence your auditor needs. MFA enforcement logs map to access control requirements. Device compliance records map to endpoint protection requirements. Conditional Access policies map to data protection requirements.

When the examiner asks "show me proof that MFA is enforced for all users accessing borrower data," you pull the report from yesterday's Guardian scan. You do not spend three days building a spreadsheet.

The 90% Target and Why It Matters

ABT targets 90% or higher Secure Score across all four categories for every managed tenant. Most financial institutions start between 35% and 55%.

The 90% target is not arbitrary. It represents a posture where:

  • Legacy authentication is blocked (Microsoft reports that more than 99% of password spray attacks use legacy authentication protocols, which cannot complete MFA)
  • MFA is fully enrolled for all users (not just registered)
  • All devices meet compliance policies
  • DLP policies protect sensitive data types
  • Email authentication (SPF/DKIM/DMARC) is in place with DMARC at p=reject, so receiving mail systems reject exact-domain spoofing of your sending domains (lookalike domains are a separate problem that DMARC does not solve)
  • Conditional Access restricts access by location, device, and risk level

The remaining 10% typically consists of controls that require trade-offs: settings that would break specific workflows, controls that duplicate coverage from other tools, or Microsoft recommendations that do not apply to the institution's environment.
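Two of the items above, the legacy authentication block and MFA for all users, live in Conditional Access, and both are undone quietly by a report-only state or an exclusion. The script below is an added example, not Guardian's code: it audits policies in the shape of the Graph `conditionalAccessPolicy` resource (`GET /identity/conditionalAccess/policies`, with `state`, `conditions.users`, `conditions.applications`, `conditions.clientAppTypes` and `grantControls`) and lists every exclusion that narrows those two controls. The three policies, the group id and the user id are constructed placeholders; the first policy is the weak form (report-only, blocks nothing) and the second is the same policy enforced.

```python
"""Added example (not Guardian's code): audit Conditional Access policies for
a legacy-auth block and an MFA-for-all-users requirement, and surface every
exclusion that narrows them.

Policy shape follows the Microsoft Graph conditionalAccessPolicy resource
from GET /identity/conditionalAccess/policies (state, conditions.users,
conditions.applications, conditions.clientAppTypes, grantControls). The
policies below are constructed sample data; the ids are placeholders.
"""

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}            # the clientAppTypes that carry legacy auth
BREAK_GLASS_GROUP = "11111111-1111-1111-1111-111111111111"  # placeholder group id
EXCLUDED_USER = "22222222-2222-2222-2222-222222222222"      # placeholder user id

POLICIES = [  # constructed sample data
    {"displayName": "Block legacy auth (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [BREAK_GLASS_GROUP]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [EXCLUDED_USER],
                              "excludeGroups": [BREAK_GLASS_GROUP]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def applies_to_everyone(policy):
    """All users and all cloud apps in scope; anything narrower leaves a gap by design."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return "All" in users.get("includeUsers", []) and "All" in apps.get("includeApplications", [])


def exclusions(policy):
    """Every user, group or role carved out of the policy, for review."""
    users = policy["conditions"]["users"]
    return [{"policy": policy["displayName"], "kind": kind, "id": ident}
            for kind in ("excludeUsers", "excludeGroups", "excludeRoles")
            for ident in users.get(kind, [])]


def blocks_legacy_auth(policy):
    """Enforced, everyone in scope, legacy client types targeted, grant is block."""
    types = set(policy["conditions"].get("clientAppTypes", []))
    return (policy["state"] == "enabled"
            and applies_to_everyone(policy)
            and ("all" in types or LEGACY_CLIENTS <= types)
            and "block" in policy["grantControls"].get("builtInControls", []))


def requires_mfa_for_all(policy):
    """Enforced, everyone in scope, modern clients covered, grant requires MFA."""
    types = set(policy["conditions"].get("clientAppTypes", []))
    return (policy["state"] == "enabled"
            and applies_to_everyone(policy)
            and ("all" in types or {"browser", "mobileAppsAndDesktopClients"} <= types)
            and "mfa" in policy["grantControls"].get("builtInControls", []))


def audit(policies):
    legacy = [p for p in policies if blocks_legacy_auth(p)]
    mfa = [p for p in policies if requires_mfa_for_all(p)]
    return {
        "legacy_auth_blocked": bool(legacy),
        "mfa_required_for_all": bool(mfa),
        "report_only": [p["displayName"] for p in policies
                        if p["state"] == "enabledForReportingButNotEnforced"],
        "exclusions": [e for p in legacy + mfa for e in exclusions(p)],
    }


if __name__ == "__main__":
    result = audit(POLICIES)
    print(f"legacy auth blocked: {result['legacy_auth_blocked']}, "
          f"MFA for all users: {result['mfa_required_for_all']}")
    for name in result["report_only"]:
        print(f"  report-only (enforces nothing): {name}")
    for e in result["exclusions"]:
        print(f"  exclusion in '{e['policy']}': {e['kind']} {e['id']}")
```

A break-glass group excluded from both policies is normal and should be on a short, reviewed list. An individual user excluded from the MFA policy is the kind of change that drops an Identity score overnight, and this is the list you compare against yesterday's to catch it.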

Some cyber insurance carriers now factor Secure Score into underwriting. Demonstrating 90%+ in the Identity (MFA) and Data categories can reduce premiums. Guardian gives your CFO the documentation to make that case during renewal negotiations.

From Score to Security Program

Secure Score is a number. A security program is a discipline. The difference shows up in how your institution handles the unexpected.

When a new vulnerability is disclosed, a score-focused team checks whether it affects their Secure Score. A program-focused team checks whether it affects their users, their data, and their compliance posture. Guardian provides the visibility for the second approach.

When a vendor is breached, a score-focused team has no immediate action items. A program-focused team checks their Conditional Access policies, reviews third-party application permissions, and verifies that the breach did not affect their tenant. Guardian surfaces this information without requiring your team to know where to look.

When a regulator updates their requirements, a score-focused team starts a new compliance project. A program-focused team checks their existing controls against the new requirements and finds they already meet most of them because they built the program on fundamentals, not point-chasing.

ABT's Architecture Advantage

ABT runs a pure Microsoft technology stack. No ConnectWise. No Kaseya. No SolarWinds. No third-party MSP platforms. Guardian is built on the same Microsoft tools your institution already licenses: Entra ID, Intune, Defender, Purview, and Sentinel.

This matters for going beyond Secure Score because the data sources are native. Guardian reads directly from Microsoft's APIs. There is no translation layer, no third-party data warehouse, no secondary sync that introduces lag or data loss. The findings are as current as the data in your tenant.

ABT serves 750+ financial institutions. That scale means the Guardian team has tuned its scanning, prioritization, and remediation guidance across thousands of tenants. The recommendations your team receives are not generic best practices. They are informed by patterns across the largest financial institution MSP client base in the market.

Technical Reference

Microsoft Secure Score: A percentage-based metric measuring implementation of Microsoft's recommended security actions across Identity, Data, Devices, and Apps. Useful as a benchmark but insufficient as a security strategy for regulated financial institutions.

NIST Cybersecurity Framework 2.0: The updated federal framework for managing cybersecurity risk. Now the primary reference for financial institution assessments after the FFIEC sunset its Cybersecurity Assessment Tool on August 31, 2025.

FTC Safeguards Rule: Federal requirement for financial institutions (including mortgage lenders) to develop, implement, and maintain an information security program. Updated requirements include risk assessments, access controls, encryption, and continuous monitoring.

Conditional Access: Microsoft Entra ID feature that evaluates access requests against policies based on user identity, device compliance, location, and real-time risk level. The primary enforcement mechanism for zero-trust architecture in Microsoft 365.

NCUA ACET: The National Credit Union Administration's Automated Cybersecurity Evaluation Tool, updated to align with NIST CSF 2.0 after the FFIEC sunset its own assessment tool. Used by credit unions for self-assessment.

Frequently Asked Questions

Why is Microsoft Secure Score insufficient for financial institution compliance?

Secure Score measures implementation of Microsoft's recommended actions, not regulatory requirements. No regulator accepts Secure Score as compliance evidence. GLBA, FFIEC, NCUA, and state regulators require specific controls with documented evidence. Guardian maps nightly scan results to these regulatory frameworks, turning security monitoring data into audit-ready compliance documentation.

What Secure Score target should mortgage lenders aim for?

ABT targets 90% or higher across all four Secure Score categories for every managed tenant. Most mortgage lenders start between 35% and 55%. The 90% target represents full legacy auth blocking, complete MFA enrollment, device compliance enforcement, active DLP policies, and Conditional Access enforcement. Cyber insurance carriers factor Secure Score into underwriting decisions.

How does Guardian detect MFA gaps that Secure Score misses?

Secure Score counts a user as covered once MFA is enabled for them. Guardian distinguishes between users who are enabled for MFA (told to register at next sign-in) and users who have completed registration of a second factor. Users who started setup but never completed it appear compliant in Microsoft dashboards while remaining unprotected. Guardian identifies this gap in nightly scans, typically affecting 5-15% of users in financial institution tenants.

How does the FFIEC Cybersecurity Assessment Tool retirement affect banks and credit unions?

The FFIEC sunset its Cybersecurity Assessment Tool on August 31, 2025 (announced in August 2024) and directed institutions to NIST Cybersecurity Framework 2.0 among other standard frameworks. The NCUA released an updated ACET aligned with the same framework for credit unions. Financial institutions now assess against NIST CSF 2.0. Guardian produces evidence mapped to this framework from its nightly monitoring operations.

Do cyber insurance carriers consider Microsoft Secure Score during underwriting?

Some do. Cyber insurance carriers have started requesting Secure Score data during underwriting. Demonstrating high scores in the Identity (MFA enforcement) and Data categories can reduce premiums. Guardian tracks Secure Score trends with 30/60/90-day history and produces documentation that CFOs can present during insurance renewal negotiations to demonstrate security posture improvements.

Your Score Is Not Your Security

A number on a dashboard tells you where you stand. An operating model tells you where you are going and how to get there. Guardian turns Secure Score from a metric into a managed security program built for regulated financial institutions.

Talk to an ABT security specialist about building a security program that goes beyond the score.